SoftwareSecurity2014/Group 11

Uit Werkplaats
< SoftwareSecurity2014
Versie door Mark Dobrinic (overleg | bijdragen) op 10 jun 2014 om 21:02 (Planning)
(wijz) ← Oudere versie | Huidige versie (wijz) | Nieuwere versie → (wijz)
Ga naar: navigatie, zoeken

Group nr. 11

Members

Name From Skype Email Phone
Marta Azevedo RU macacamarta marta.azevedo@student.ru.nl 0683412854 / 00351914880464
Tomas Novickis RU sladeinflame sladeinflame7@gmail.com 0649130754
Mark Dobrinic TU mdobrinic mdobrinic@cozmanova.com 0653501137
Kevin Valk RU kevinvalk k.valk@student.ru.nl 0631786407

Case

We work on Wordpress 3.8.1.

Topics

  • V4: Access Control Verification Requirements
  • V9: Data Protection Verification Requirements

General remarks

There was a security issue in wordpress 3.8.1 CVE-2014-0166 (fixed with hmac change) so I suggest using wordpress 3.8.1 to see if we can find this bug through fortify. (Erik: Nice idea!)

I tried, and the default fortify will not pick up this bug. (Erik: But can a tool like Fortify be expected to pick up this bug? I did not check the details of this bug, but there is a limit to what you can expect automated tools to do.)

(Kevin: No this could not be catched by automatic tools, because everything was valid except that there should be a hmac layer over the check.)

Tips and Tricks

You probably need more RAM then the default, so pass the -Xmx flag with some amount of ram. Also use the -64 flag to run in x64 mode.

sourceanalyzer -Xmx10G -64 -b wordpress-3.8.1 -clean
sourceanalyzer -Xmx10G -64 -b wordpress-3.8.1 wordpress_3.8.1
sourceanalyzer -Xmx10G -64 -b wordpress-3.8.1 -scan -f wordpress-3.8.1.fpr

Usefull links

Planning

Date Time Location Mark Tomas Marta Kevin
11-04 16:30 Skype yes yes yes yes
18-04 10:00 Skype yes yes yes yes
10-06 21:30 Skype yes yes yes
11-06 17:00 Skype

Deliverables

The log should be a chronological list of who has been doing what, with dates.
Also useful to document decisions on who will be doing what, and by when.
This should discuss the results of the code scanning, for the Verfication Requirements your group is looking at.
Describe your impressions about the tools, in capabilities, limitations, etc.
Also, did you learn anything about specific security vulnerabilities from using them?
This should give your verdict for each requirement (Pass/Fail/Don't know) with motivation, and an indication of what you did to reach this verdict.
Reflect on the whole process of doing a code review, or "Application Security Verification", in the way you did.