SoftwareSecurity2013/Group 42/Reflection
From Werkplaats
Feedback on the assignment
- In order to participate successfully in the group, in-depth knowledge of PHP, HTTP and web vulnerabilities is required. This was not an obstacle for us, but we believe it should be noted anyway. Admittedly, we could not think of a way to change the assignment so that this does not occur.
- It is extremely hard to divide the codebase in such a way that every group member gets an equal share of work. This is, among other causes, due to the difference in code quality and the fact that the core functionality has to be known to every group member. In our opinion it would be better to use Fortify to analyze the source code and then divide the possible issues among the group members for verification.
- A list of properties, pros and cons for each source code analyzer would have been helpful. In the current situation the choice of which analyzer to pick depends either on quite a bit of work getting familiar with all the tools or on luck.
- Some guidelines on how to tackle a huge codebase like MediaWiki would have been helpful. Alternatively, some smaller web applications could have been listed. (Erik: I don't think there are any guidelines on how to deal with huge codebases, unfortunately. Still, MediaWiki clearly is very large and we'd better use some smaller examples for the project next year.)
- ASVS gives, in our opinion, a complete general guideline on how a secure application should be coded. Unfortunately, many of these general aspects do not apply to PHP (Erik: Such as? Buffer overflows are not an issue in PHP, but I can't think of anything else.) and there are some things that do not apply in general but do apply to PHP, e.g. the fact that you can access partial code by requesting scripts directly, or that clients can set global variables with older PHP versions, or with newer ones when register_globals = On is set (Erik: What would a specific verification requirement for such a PHP feature look like? Would this not be covered by some existing verification requirement, so that only a more specialised version for PHP could (should?) be given?).
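The two PHP-specific hazards named in this item (request parameters becoming global variables under register_globals, and include files being requested directly) are illustrated below. This is an added example, not code from the group's report or from MediaWiki itself; it simulates register_globals with extract() so that it runs on current PHP, and the constant name MEDIAWIKI_EXAMPLE_ENTRY, the request arrays and the credential check are constructed for the illustration.

```php
<?php
// Added illustration of two PHP-specific hazards and the defensive pattern for each.

// --- Hazard 1: relying on a variable being unset ---------------------------
// Under register_globals = On, every request parameter is imported as a global
// variable before the script runs, so ?authorized=1 defines $authorized = "1".
// extract() reproduces that import here so the effect can be seen on modern PHP.
function grantAccessVulnerable(array $request): bool
{
    extract($request);                 // simulates register_globals importing the request
    if (checkLogin($request)) {
        $authorized = true;
    }
    // Never initialised on the failure path, so a client-supplied $authorized survives.
    return !empty($authorized);
}

// Hardened form: the variable gets an explicit default before any check, so
// nothing the client sends can take the place of the "unset" state. (Not calling
// extract() on raw input at all is the other half of the fix.)
function grantAccessHardened(array $request): bool
{
    $authorized = false;               // explicit default; request input cannot override it
    if (checkLogin($request)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed stand-in for a real credential check; hash_equals avoids a timing side channel.
function checkLogin(array $request): bool
{
    return isset($request['user'], $request['pass'])
        && $request['user'] === 'alice'
        && hash_equals('correct horse', $request['pass']);
}

// --- Hazard 2: requesting an include file directly --------------------------
// A file meant only to be included by the front controller refuses to run unless
// the entry point has defined a marker constant. This is the same idea as the
// MEDIAWIKI constant that MediaWiki's include files check; the constant name used
// here is an assumption for the example.
function requireEntryPoint(): void
{
    if (!defined('MEDIAWIKI_EXAMPLE_ENTRY')) {
        http_response_code(403);
        exit("This file cannot be requested directly.\n");
    }
}

// --- Demonstration (run with: php this_file.php) ----------------------------
define('MEDIAWIKI_EXAMPLE_ENTRY', 1);  // what the front controller does; includes then call requireEntryPoint()
requireEntryPoint();

$forged = ['authorized' => '1'];       // constructed request: no credentials, only the flag
$legit  = ['user' => 'alice', 'pass' => 'correct horse'];

var_dump(grantAccessVulnerable($forged));  // granted purely because the client sent the flag
var_dump(grantAccessHardened($forged));    // denied: the default is set in code, not by the request
var_dump(grantAccessHardened($legit));     // granted only after the credential check passes
```

Run from the command line, the first var_dump shows the forged request being accepted by the vulnerable function while the hardened one rejects it; only the legitimate request passes the hardened check. Removing the define() line before requireEntryPoint() shows the include guard terminating the script, which is what a direct request to an include file should see.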
Benefits
- It was a very nice experience learning how security bugs in large applications are found in practice. Although we have only scratched the surface, it has been quite educative.
- ASVS and the code analysis tools gave us quite a bit of insight into where possible security vulnerabilities may arise. Although most of the concepts were known to us, it is still satisfying to see that we have a complete view of how to prevent security vulnerabilities from arising.
- Fortify is undoubtedly an extremely powerful tool for this task. We'd find it very interesting to learn more about how the underlying algorithms work.