Thursday, February 08, 2007

Automated Detection for Patterns of Insecurities

While there're lots of pros and cons to consider when it comes to automated source code scanning, Fortify's pricey automated source code analysis tool has the potential to prevent the most common vulnerabilities while the software's still in the development phrase. Recently, they've added 34 new categories of vulnerabilities to their product :

"Thanks to this effort, Fortify Software continues to lead the industry by identifying over 150 categories of vulnerabilities in software.
The updated Secure Coding Rulepacks include: * Increased breadth: 34 new distinct vulnerability categories. * Enhanced support for .NET: 24 new vulnerability categories and coverage for five new third-party libraries, including the Microsoft Enterprise Library. * Expanded JSP support: Coverage for popular tag libraries, including JSTL and Apache Struts, for enhanced protection from cross-site scripting and SQL injection attacks. * Detection of persistent Cross-Site Scripting vulnerabilities: Fortify SCA now detects one of the most common and difficult to identify forms of cross-site scripting, which occurs when malicious data from an attacker is stored in a database and later included in dynamic content sent to a victim.
"

But how come small to middle size application vendors aren't really considering the use of such automated scanning tools? Overempowerment and trust in their developers' abilities? Not at all. The problem is the lack of incentives for them to do so, but what they're missing is a flow of soft dollars -- a PR boost -- if they were to communicate the efforts undertaken to ship their products audited, and hopefully, products free of brain-damaging bugs.

In respect to the relatively immature market segment for software auditing, Fortify is perfectly positioned to even start fuzzing applications for their customers enjoying their almost pioneer advantage. Or even better, perhaps their customers should consider the concept for themselves. All rest is the endless full disclosure debate, researchers pushing for accountability, and vendors -- legally -- thinking they're on war with them, fighting back however they can. You may also find a related post on how prevalence of XSS vulnerabilities by Michael Sutton informative, and the following posts worth the read as well.

The bottom line question - Can Source Code Auditing Software Identify Common Vulnerabilities? It sure can, but never let a scanner do a developer's job or forward secure coding practices to a third-party.

No comments:

Post a Comment