SoftwareSecurity2014/Group 11
From Werkplaats
Group nr. 11
Members
Name | From | Skype | Email | Phone |
---|---|---|---|---|
Marta Azevedo | RU | macacamarta | marta.azevedo@student.ru.nl | 0683412854 / 00351914880464 |
Tomas Novickis | RU | sladeinflame | sladeinflame7@gmail.com | 0649130754 |
Mark Dobrinic | TU | mdobrinic | mdobrinic@cozmanova.com | 0653501137 |
Kevin Valk | RU | kevinvalk | k.valk@student.ru.nl | 0631786407 |
Case
We work on WordPress 3.8.1.
Topics
General remarks
There was a security issue in WordPress 3.8.1, CVE-2014-0166 (fixed with an HMAC change), so I suggest using WordPress 3.8.1 to see if we can find this bug through Fortify. (Erik: Nice idea!)
I tried, and the default Fortify will not pick up this bug. (Erik: But can a tool like Fortify be expected to pick up this bug? I did not check the details of this bug, but there is a limit to what you can expect automated tools to do.)
(Kevin: No, this could not be caught by automatic tools, because everything was valid except that there should be an HMAC layer over the check.)
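The following is an added illustration of the class of flaw Kevin describes, not code from WordPress and not a reconstruction of the actual CVE-2014-0166 patch. It builds a minimal "user|expiration|digest" login cookie two ways. In the weak variant the digest is an unkeyed hash of values the client already knows, so an attacker can forge a cookie for any user; in the hardened variant the digest is an HMAC under a server-side secret and is compared in constant time. Both validators consist of a split, an integer conversion, a hash and a comparison, which is why a scanner that reasons about taint and dangerous sinks sees nothing wrong with either. The secret key, the cookie layout and the timestamps are constructed for the example.

```python
import hashlib
import hmac

# Constructed server-side secret for the example; a real deployment would
# load this from configuration, never hard-code it.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def _payload(username: str, expiration: str) -> bytes:
    """The bytes covered by the integrity field: 'user|expiration'."""
    return f"{username}|{expiration}".encode()


# --- Weak scheme: unkeyed hash over public values -------------------------

def make_cookie_unkeyed(username: str, expiration: int) -> str:
    digest = hashlib.sha256(_payload(username, str(expiration))).hexdigest()
    return f"{username}|{expiration}|{digest}"


def validate_cookie_unkeyed(cookie: str, now: int):
    """Returns the username if the cookie 'checks out', else None.

    Structurally identical to the hardened validator below: parse, check
    expiry, recompute, compare. The only thing missing is a secret, and a
    static analyzer has no rule that says a hash here must be keyed.
    """
    try:
        username, expiration, digest = cookie.split("|")
        if int(expiration) < now:
            return None
    except ValueError:
        return None
    expected = hashlib.sha256(_payload(username, expiration)).hexdigest()
    if digest != expected:
        return None
    return username


def forge_admin_cookie_unkeyed(expiration: int) -> str:
    """Attacker side: no secret is needed, just recompute the digest."""
    return make_cookie_unkeyed("admin", expiration)


# --- Hardened scheme: keyed HMAC plus constant-time comparison ------------

def make_cookie_hmac(username: str, expiration: int, key: bytes = SECRET_KEY) -> str:
    tag = hmac.new(key, _payload(username, str(expiration)), hashlib.sha256).hexdigest()
    return f"{username}|{expiration}|{tag}"


def validate_cookie_hmac(cookie: str, now: int, key: bytes = SECRET_KEY):
    """Returns the username only if the HMAC verifies and the cookie is live."""
    try:
        username, expiration, tag = cookie.split("|")
        if int(expiration) < now:
            return None
    except ValueError:
        return None
    expected = hmac.new(key, _payload(username, expiration), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return username


if __name__ == "__main__":
    now = 1_400_000_000
    exp = now + 3600
    forged = forge_admin_cookie_unkeyed(exp)
    print("unkeyed validator accepts forged cookie:", validate_cookie_unkeyed(forged, now))
    print("HMAC validator accepts forged cookie:   ", validate_cookie_hmac(forged, now))
    print("HMAC validator accepts genuine cookie:  ",
          validate_cookie_hmac(make_cookie_hmac("marta", exp), now))
```

Running the script shows the forged admin cookie accepted by the unkeyed validator and rejected by the HMAC validator; the same key-less forgery also fails if the attacker guesses a wrong key. This is the kind of defect that a manual review of the authentication path finds and a taint-based scan does not.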
Tips and Tricks
You probably need more RAM than the default, so pass the -Xmx flag with a suitable amount of memory. Also use the -64 flag to run the analyzer in 64-bit mode. The scan is done in three steps (clean the build ID, translate the sources, then scan and write the FPR):

```shell
sourceanalyzer -Xmx10G -64 -b wordpress-3.8.1 -clean
sourceanalyzer -Xmx10G -64 -b wordpress-3.8.1 wordpress_3.8.1
sourceanalyzer -Xmx10G -64 -b wordpress-3.8.1 -scan -f wordpress-3.8.1.fpr
```
Useful links
Planning
Date | Time | Location | Mark | Tomas | Marta | Kevin |
---|---|---|---|---|---|---|
11-04 | 16:30 | Skype | yes | yes | yes | yes |
18-04 | 10:00 | Skype | yes | yes | yes | yes |
10-06 | 21:30 | Skype | yes | yes | yes | |
11-06 | 17:00 | Skype | | | | |
Deliverables
- The log should be a chronological list of who has been doing what, with dates.
- Also useful to document decisions on who will be doing what, and by when.
- This should discuss the results of the code scanning, for the Verification Requirements your group is looking at.
- Describe your impressions about the tools, in capabilities, limitations, etc.
- Also, did you learn anything about specific security vulnerabilities from using them?
- This should give your verdict for each requirement (Pass/Fail/Don't know) with motivation, and an indication of what you did to reach this verdict.
- Reflect on the whole process of doing a code review, or "Application Security Verification", in the way you did.