SoftwareSecurity2014/Group 12/Code Scanning Reflection

Version by Erik Poll on 10 June 2014 at 17:04 (Reflection on Fortify)

Reflection on Fortify

When we ran Fortify we got 1047 issues; luckily everything was nicely sorted into categories, helping us to focus on the issues that were important for V5. (Erik: From your discussion of the code scanning results, it is not that clear to me that many warnings point to input validation issues. Does Fortify only produce some of these warnings when proper input validation is missing? E.g. I can imagine that a static analyser complains about things regardless of whether input validation happens.)

Scanning source code helps software developers and security engineers to find patterns that represent vulnerabilities. However, static analysis is not sufficient to establish security, since vulnerabilities may reside in, e.g., the design of the application. It is remarkable that a file upload vulnerability is not detected by Fortify. As http://www.cvedetails.com/cve/CVE-2013-5576/ explains, a malicious outsider may 'upload files with dangerous extensions'. The underlying root cause is the lack of proper input validation.

Fortify spots a lot of errors; however, it is often unclear whether a reported error is a false positive or a true error. Making a clear judgement about any of the errors requires a lot of knowledge of the Joomla framework. At this stage this doesn't help us a lot, but it gives us an indicator of where to search when we go into phase 2. It is also confusing that the same piece of code can produce multiple issues.
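As an added illustration of the input validation the reflection identifies as the root cause (example code written for this page, not Fortify output and not Joomla's own upload code), the following Python validator checks a client-supplied upload filename against an allowlist of extensions. The allowlist, the stem pattern and the normalisation rules are assumptions for the example; the page only states that files with dangerous extensions could be uploaded.

```python
import re

# Constructed allowlist for this example; a real deployment tunes it per application.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Stem may only contain letters, digits, underscore and hyphen (assumption for the example).
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload_name(filename: str):
    """Validate a client-supplied filename.

    Returns (ok, reason, safe_name). safe_name is None when the name is rejected.
    The check is an allowlist: anything not explicitly permitted is refused.
    """
    # Keep only the last path component so directory parts from the client are ignored,
    # whether '/' or '\\' separated.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]

    # Control characters (including NUL) have no place in a filename.
    if any(ord(c) < 32 or c == "\x7f" for c in base):
        return False, "control characters in name", None

    # Normalise before checking: some filesystems silently drop trailing dots and
    # spaces, so "evil.php." would otherwise pass an extension check and land as "evil.php".
    base = base.rstrip(". ")
    if not base or base.startswith("."):
        return False, "empty or hidden name", None

    # Require exactly one extension; "x.php.jpg"-style names are refused outright.
    parts = base.split(".")
    if len(parts) != 2:
        return False, "exactly one extension required", None

    stem, ext = parts
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed", None
    if not SAFE_STEM.match(stem):
        return False, "stem contains disallowed characters", None

    return True, "ok", f"{stem}.{ext}"


if __name__ == "__main__":
    # Constructed sample names covering the accepted and rejected cases.
    for name in ["photo.JPG", "shell.php", "shell.php.", "shell.php.jpg", "../../evil.png", ".htaccess"]:
        print(f"{name!r:20} -> {validate_upload_name(name)}")
```

The extension check is only one layer: storing uploads outside the web root, generating the stored name server-side and not trusting the client-supplied content type are complementary. It also shows why a scanner can miss the issue Fortify missed here: whether such a check exists is a property of the application's own validation code, not of any single library call a rule could match on.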

Reflection on RATS

RATS is an open source software auditing tool developed and maintained by Secure Software. It is a simple command line tool for scanning C, C++, Python, PHP and Perl source code and detecting common security issues. As its name implies, the tool performs only a rough analysis of source code: it does lexical scanning only. Vulnerabilities are found by detecting keywords in the source code, which causes many false positives since the semantics are not checked: a function can be used in a perfectly safe way and still be marked as unsafe by RATS. Despite this, RATS greatly assists the process of manual inspection.