Best of Both Worlds: Correlating Static and Dynamic Analysis Results
- 1. Correlating Static and Dynamic Analysis Results
  - Jeremiah Grossman, Founder and CTO, WhiteHat Security
  - Jacob West, Director, Security Research, Fortify Software
  - Session ID: AND-302
- 2. Jeremiah Grossman
  - Technology R&D and industry evangelist
  - InfoWorld's CTO Top 25 for 2007
  - Frequent international conference speaker
  - Co-founder of the Web Application Security Consortium
  - Co-author: Cross-Site Scripting Attacks
  - Former Yahoo! information security officer
- 3. Jacob West
  - Director, Security Research, Fortify Software
  - Secure Programming with Static Analysis
  - Conference speaker at RSA, Black Hat, Def Con, OWASP, SANS, Web 2.0, etc.
  - Contributor to MOPS, a C/C++ static analysis tool (UC Berkeley)
- 5. Motivation
  - Between 2005 – 2009 there were: 2,064 reported data security breaches [1]; 470 million reported records compromised [1]
  - No industries immune: finance, retail, government, military, technology, healthcare, telecom, energy, manufacturing, education
  - Today, we rely increasingly on software: 114 million active Web sites in the world [2]; 17 million software developers in the world [3]; trillions of lines of code
  - [1] http://www.privacyrights.org/ar/ChronDataBreaches.htm
  - [2] http://www.domaintools.com/internet-statistics/
  - [3] http://www.forbes.com/2008/04/03/ctia-mobile-developer-tech-wire-cx_ew_0403ctia.html
- 12. Primary Analysis Techniques
  - Dynamic Analysis. Also known as: Web app scanning; penetration testing; black box testing
    - Benefits: quick and easy to get started; simulates a hacker's point of view
    - Drawbacks: difficult to exercise the entire application; lacks code-level details
  - Static Analysis. Also known as:
- 19. Results require review
  - Deployment Options
    - Software. Benefits: integrates into SDLC; trains developers to write secure code. Drawbacks: time, expertise and resources
    - Software-as-a-Service (SaaS). Benefits:
- 26. WhiteHat Sentinel
  - SaaS-based
  - Full Coverage – on-going testing for business logic flaws and technical vulnerabilities; uses the WASC 24 classes of attacks as reference point
  - Unlimited Assessments – anytime websites change
  - Eliminates False Positives – Security Operations Team verifies all vulnerabilities
- 27. Know Your Enemy
  - Fully Targeted: customize their own tools; focused on business logic; clever and profit driven ($$$)
  - Directed Opportunistic: commercial / open source tools; authenticated scans; multi-step processes (forms)
  - Random Opportunistic: fully automated scripts; unauthenticated scans; targets chosen indiscriminately
- 31. Vast majority of websites assessed for vulnerabilities weekly. All websites: 83% of websites have had a HIGH, CRITICAL, or URGENT issue
- 34. Average number of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 16.7
- 35. Average number of serious unresolved vulnerabilities per website: 6.5
  - * Vulnerability severity naming convention aligns with PCI-DSS
  - * Vulnerabilities classified according to WASC Threat Classification
  - [Chart: percentage likelihood of a website having a vulnerability by severity (CRITICAL, HIGH, URGENT)]
- 37. Time-to-Fix
  - [Chart: time-to-fix by vulnerability class: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Pred. Res. Loc., Cross-Site Request Forgery, Session Fixation, HTTP Response Splitting, Abuse of Functionality]
  - * Up/down arrows indicate the increase or decrease since the last report
  - Best-case scenario: not all vulnerabilities have been fixed...
- 41. Inside a Static Analysis Engine
  - Translate source code into intermediate model
  - Perform multiple types of analysis
  - Render results for human to review
- 42. Critical Attributes
  - Language support: understands the relevant languages/dialects
  - Capacity: ability to gulp down millions of lines of code
  - Rule set and analysis algorithms: right rules and techniques to find and prioritize issues
  - Results management: allow human to review results; prioritization of issues
- 43. Why Static Analysis is Good for Security
  - Fast compared to manual code review
  - Analyze code without executing it
  - Able to contemplate many possibilities
  - Fast compared to testing
  - Complete, consistent coverage
  - Integrates into development lifecycle
  - Brings security knowledge with it
  - Makes review process easier for non-experts
- 44. Two Ways to Use the Tools
  - #1 Analyze completed programs: large number of results; most people have to start here; good motivator
  - #2 Analyze as you write code: run as part of build; nightly/weekly/milestone; fix as you go
- 45. Static Analysis Challenges
  - Completed programs: are not written with security in mind; contain multiple paradigms and technologies; exemplify varying developer skill and techniques
  - Which causes static analysis to produce: large numbers of issues; widely varying issues; issues that are difficult to triage
  - Until Stage #2, prioritization is hugely important
- 47. Prioritizing Analysis Results
  - risk = impact · likelihood
  - Impact: negative outcome resulting from a vulnerability
  - Likelihood: probability that the impact will come to pass
- 48. Axes Represent Risk (whitepaper "Prioritizing Static Analysis Results" at www.fortify.com)
  - Vertical axis: Impact; horizontal axis: Likelihood
  - Critical: High Impact / High Likelihood
  - High: High Impact / Low Likelihood
  - Medium: Low Impact / High Likelihood
  - Low: Low Impact / Low Likelihood
- 49. Fortify Priority Order
  - Critical – Critical issues have high impact and high likelihood. Critical issues are easy to discover and exploit and result in large asset damage.
  - High – High-priority issues have high impact and low likelihood. High-priority issues are often difficult to discover and exploit, but can result in large asset damage.
  - Medium – Medium-priority issues have low impact and high likelihood. Medium-priority issues are easy to discover or exploit, but often result in small asset damage.
  - Low – Low-priority issues have low impact and low likelihood. Low-priority issues can be difficult to discover and exploit and typically result in small asset damage.
- 51. Goals
  - Expanded dynamic coverage: identify valid URLs; list parameters accessed under each URL
  - Correlating static and dynamic results: remediation details for dynamic issues; prioritization of static issues
  - Correlation types: Equality; Existence; Proximity
- 52. Expanded Dynamic Coverage: List valid URLs
  - /riches/FindLocations.action → /riches/pages/FindLocations.jsp
  - /riches/auth/oper/SendMessage.action → /riches/pages/oper/SendMessage.jsp, /riches/pages/oper/InvalidEmail.jsp
  - /riches/login/Error.action → /riches/login/error.jsp
  - /riches/auth/oper/Admin.action → /riches/pages/oper/Admin.jsp
  - /riches/login/Register.action → /riches/login/Register.jsp
  - /riches/auth/Transfer.action → /riches/pages/Transfer.jsp
  - /riches/auth/PerformCheck.action → /riches/pages/PerformCheck.jsp
  - ...
  - Sources: web.xml – action extension (e.g. .action); context.xml – root context (e.g. /riches); struts.config – action mappings
- 54. Action results. Expanded Dynamic Coverage: List parameters for each URL
  - /riches/FindLocations.action: (no parameters listed)
  - /riches/auth/oper/SendMessage.action: severity, subject, body, to
  - /riches/login/Error.action: (no parameters listed)
  - /riches/auth/oper/Admin.action: addresses, auth
  - /riches/login/Register.action: (no parameters listed)
  - /riches/auth/Transfer.action: accounts
  - /riches/auth/PerformCheck.action: addr, acct, account, memo, name, amount
  - /riches/ShowLocations.action: zip, state, address, type, locations, city
  - /riches/login/Login.action: (no parameters listed)
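The two slides above describe deriving the dynamic scanner's URL and parameter inventory from the deployment descriptors rather than from crawling. The following Python is an added example, not tooling from the talk or from either vendor: it reads constructed web.xml, context.xml and Struts 1 style struts-config.xml fragments (paths mirror the /riches examples above; the form-bean property names are an assumption about where request parameter names live) and produces the same kind of URL-to-JSP and URL-to-parameter listings.

```python
"""Derive the URLs and parameters a dynamic scanner should exercise from
Struts deployment descriptors. Constructed example; the config fragments
are made up to mirror the /riches paths in the slides."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed web.xml: the action servlet is mapped by extension.
WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.action</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed context.xml: root context for the application.
CONTEXT_XML = """<Context path="/riches" docBase="riches"/>"""

# Constructed struts-config.xml. Form-bean properties are assumed to be
# the request parameter names each action accepts.
STRUTS_CONFIG = """<struts-config>
  <form-beans>
    <form-bean name="messageForm" type="app.MessageForm">
      <form-property name="severity" type="java.lang.String"/>
      <form-property name="subject" type="java.lang.String"/>
      <form-property name="body" type="java.lang.String"/>
      <form-property name="to" type="java.lang.String"/>
    </form-bean>
    <form-bean name="transferForm" type="app.TransferForm">
      <form-property name="accounts" type="java.lang.String"/>
    </form-bean>
  </form-beans>
  <action-mappings>
    <action path="/FindLocations" type="app.FindLocationsAction">
      <forward name="success" path="/pages/FindLocations.jsp"/>
    </action>
    <action path="/auth/oper/SendMessage" name="messageForm" type="app.SendMessageAction">
      <forward name="success" path="/pages/oper/SendMessage.jsp"/>
      <forward name="invalid" path="/pages/oper/InvalidEmail.jsp"/>
    </action>
    <action path="/auth/Transfer" name="transferForm" type="app.TransferAction">
      <forward name="success" path="/pages/Transfer.jsp"/>
    </action>
  </action-mappings>
</struts-config>"""


def action_extension(web_xml: str) -> str:
    """Return the extension the action servlet is mapped to, e.g. '.action'."""
    root = ET.fromstring(web_xml)
    for mapping in root.iter("servlet-mapping"):
        pattern = mapping.findtext("url-pattern", "")
        if pattern.startswith("*."):
            return pattern[1:]  # '*.action' -> '.action'
    raise ValueError("no extension-style servlet mapping found")


def root_context(context_xml: str) -> str:
    """Return the root context path declared in context.xml, e.g. '/riches'."""
    return ET.fromstring(context_xml).get("path", "").rstrip("/")


def valid_urls(web_xml: str, context_xml: str, struts_config: str) -> Dict[str, List[str]]:
    """Map each action URL to the JSP pages (action results) it can forward to."""
    ext, ctx = action_extension(web_xml), root_context(context_xml)
    urls: Dict[str, List[str]] = {}
    for action in ET.fromstring(struts_config).iter("action"):
        url = f"{ctx}{action.get('path')}{ext}"
        urls[url] = [f"{ctx}{fwd.get('path')}" for fwd in action.iter("forward")]
    return urls


def parameters_per_url(web_xml: str, context_xml: str, struts_config: str) -> Dict[str, List[str]]:
    """Map each action URL to the request parameters its form bean accepts."""
    ext, ctx = action_extension(web_xml), root_context(context_xml)
    root = ET.fromstring(struts_config)
    beans = {b.get("name"): [p.get("name") for p in b.iter("form-property")]
             for b in root.iter("form-bean")}
    params: Dict[str, List[str]] = {}
    for action in root.iter("action"):
        url = f"{ctx}{action.get('path')}{ext}"
        params[url] = beans.get(action.get("name"), [])  # no form bean -> no parameters
    return params


if __name__ == "__main__":
    for url, pages in valid_urls(WEB_XML, CONTEXT_XML, STRUTS_CONFIG).items():
        print(url, "->", ", ".join(pages))
    for url, names in parameters_per_url(WEB_XML, CONTEXT_XML, STRUTS_CONFIG).items():
        print(url, names)
```

Feeding this inventory to the scanner closes the coverage gap the dynamic side has on its own: every mapped action is exercised whether or not a crawler finds a link to it, and every declared parameter is tested whether or not a form on the page happens to submit it.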
- 55. Correlation: Equality
  - Find static and dynamic issues at same URL
  - Remediation details for dynamic issues
  - Improved prioritization for static issues
  - [Diagram: a dynamic SQL Injection finding and a static SQL injection finding mapped to the same point in the program]
- 59. Correlation: Proximity (sink)
  - Find dynamic SQL Injection, XSS, … issues at URL
  - Prioritize static issues in same category and file
  - [Diagram: one dynamic SQL injection finding at a program location; source 1 and source 2 reach it, giving 2 static SQL injection issues]
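The prioritization slides (risk = impact · likelihood, the four Fortify priority bands) and the two correlation slides above fit together as one triage step: a dynamic finding at a URL proves that a static issue there is reachable, which moves its likelihood from low to high and its priority from High to Critical, while the dynamic finding inherits the file and line it lacked. The Python below is an added example, not the vendors' code; the finding fields, category names and sample issues are constructed to mirror the diagrams (a dynamic SQL injection at /riches/auth/Transfer.action and two static SQL injection issues sharing a sink file).

```python
"""Correlate dynamic scanner findings with static analysis findings using
the equality and proximity rules from the slides. Constructed example:
finding fields, category names and sample data are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class StaticIssue:
    id: str
    category: str
    file: str
    line: int
    impact: str                 # "high" or "low"
    likelihood: str             # "high" or "low"
    url: Optional[str]          # URL the sink was mapped to, if the mapping succeeded
    evidence: List[str] = field(default_factory=list)


@dataclass
class DynamicIssue:
    id: str
    category: str
    url: str
    parameter: str
    remediation: List[str] = field(default_factory=list)   # file:line hints gained by correlation


# Fortify priority order: risk = impact * likelihood, bucketed into four bands.
PRIORITY = {("high", "high"): "Critical", ("high", "low"): "High",
            ("low", "high"): "Medium", ("low", "low"): "Low"}


def priority(issue: StaticIssue) -> str:
    return PRIORITY[(issue.impact, issue.likelihood)]


def correlate(static: List[StaticIssue], dynamic: List[DynamicIssue]) -> Dict[str, Dict[str, List[str]]]:
    """Equality: static and dynamic issue with the same category at the same URL.
    Proximity: other static issues of that category in the same sink file.
    Both raise likelihood to high; the dynamic issue gains file:line details."""
    equality: Dict[str, List[str]] = {}
    proximity: Dict[str, List[str]] = {}
    for dyn in dynamic:
        equal = [s for s in static if s.url == dyn.url and s.category == dyn.category]
        equal_ids = {s.id for s in equal}
        equality[dyn.id] = sorted(equal_ids)
        near_ids: List[str] = []
        for s in equal:
            s.likelihood = "high"           # reachability proven by the dynamic test
            s.evidence.append(f"confirmed by {dyn.id} via parameter {dyn.parameter}")
            dyn.remediation.append(f"{s.file}:{s.line}")
            for near in static:
                if near.id in equal_ids or near.id in near_ids:
                    continue
                if near.file == s.file and near.category == s.category:
                    near.likelihood = "high"  # same sink category in a file known to be reachable
                    near.evidence.append(f"near {s.id}, which {dyn.id} confirmed")
                    near_ids.append(near.id)
        proximity[dyn.id] = near_ids
    return {"equality": equality, "proximity": proximity}


def triage_order(static: List[StaticIssue]) -> List[str]:
    """Audit order: priority band first, then issues with the most correlation evidence."""
    rank = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    return [s.id for s in sorted(static, key=lambda s: (rank[priority(s)], -len(s.evidence), s.id))]


def sample_findings():
    """Constructed findings mirroring the slide diagrams."""
    static = [
        StaticIssue("S1", "SQL Injection", "TransferAction.java", 42, "high", "low", "/riches/auth/Transfer.action"),
        StaticIssue("S2", "SQL Injection", "TransferAction.java", 88, "high", "low", None),
        StaticIssue("S3", "Cross-Site Scripting", "Admin.jsp", 17, "high", "low", "/riches/auth/oper/Admin.action"),
        StaticIssue("S4", "Unreleased Resource", "AccountModel.java", 120, "low", "low", None),
    ]
    dynamic = [DynamicIssue("D1", "SQL Injection", "/riches/auth/Transfer.action", "accounts")]
    return static, dynamic


if __name__ == "__main__":
    static, dynamic = sample_findings()
    print(correlate(static, dynamic))
    for s in static:
        print(s.id, priority(s), s.evidence)
    print("audit order:", triage_order(static))
```

On the sample data S1 (equality) and S2 (proximity, second source into the same sink file) move from High to Critical, S3 stays High because no dynamic finding reached its URL, and S4 stays Low; D1 gains "TransferAction.java:42" as its remediation pointer. Issues whose sink could not be mapped to a URL at all (url is None) can only be raised through proximity, which matches the slides' point that the URL mapping drives the correlation.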
- 63. Static Analysis of RWO
  - RWO produces 64 high-impact static issues: 26 critical-priority issues (high likelihood); 38 high-priority issues (low likelihood)
  - Mapped 21 static issues to URLs: 33% of high impact issues; 73% of high impact issues that involve web input
  - Remaining 43 aren't surprising: 14 resource leaks in model code; 6 unsafe configuration values; 23 "other issues", including database and file system inputs
- 66. Apply
  - Use static analysis to assess and improve completeness of dynamic tests
  - Use dynamic analysis to narrow down static analysis results to those that are exploitable
  - Don't stop there – use the combined view of the program under test to better inform auditing and remediation activities (existence and proximity)