• 1. Correlating Static and Dynamic Analysis Results
  Jeremiah Grossman, Founder and CTO, WhiteHat Security
  Jacob West, Director, Security Research, Fortify Software
  Session ID: AND-302
• 2. Jeremiah Grossman
  - Technology R&D and industry evangelist
  - InfoWorld's CTO Top 25 for 2007
  - Frequent international conference speaker
  - Co-founder of the Web Application Security Consortium
  - Co-author: Cross-Site Scripting Attacks
  - Former Yahoo! information security officer
• 3. Jacob West
  - Director, Security Research, Fortify Software
  - Secure Programming with Static Analysis
  - Conference speaker at RSA, Black Hat, Def Con, OWASP, SANS, Web 2.0, etc.
  - Contributor to MOPS, a C/C++ static analysis tool (UC Berkeley)
• 4. Overview
  - Introduction
  - Overview of WhiteHat dynamic analysis
  - Overview of Fortify static analysis
  - Benefits of a combined approach
  - Case Study: Fortify on Demand
  - Questions
• 5. Motivation
  Between 2005 – 2009 there were:
  - 2,064 reported data security breaches [1]
  - 470 million reported records compromised [1]
  - No industries immune: Finance, retail, government, military, technology, healthcare, telecom, energy, manufacturing, education
  Today, we rely increasingly on software:
  - 114 million active Web sites in the world [2]
  - 17 million software developers in the world [3]
  - Trillions of lines of code
  [1] http://www.privacyrights.org/ar/ChronDataBreaches.htm
  [2] http://www.domaintools.com/internet-statistics/
  [3] http://www.forbes.com/2008/04/03/ctia-mobile-developer-tech-wire-cx_ew_0403ctia.html
• 6. Security Encompasses Many Things
  - Network: Penetration Testing, Network Firewalls
  - Host: Application Whitelists, Anti-Virus, OS Hardening
  - Software: Dynamic Analysis, Static Analysis
  - Data: Database testing, Event monitoring
• 11. Software Security
  - Developed in-house
  - Outsourced to third-parties
  - Purchased from ISV (COTS)
  - Licensed from open source community
• 12. Primary Analysis Techniques
  Dynamic Analysis
  - Also known as: Web app scanning, Penetration testing, Black box testing
  - Benefits: Quick and easy to get started; Simulates a hacker's point of view
  - Drawbacks: Difficult to exercise the entire application; Lacks code-level details
  Static Analysis
  - Also known as: Source code analysis, Binary or byte-code analysis
  - Benefits: 100 percent code coverage; Early in SDLC
  - Drawbacks: Results require review
• 19. Deployment Options
  Software
  - Benefits: Integrates into SDLC; Trains developers to write secure code
  - Drawbacks: Time, expertise and resources
  Software-as-a-Service (SaaS)
  - Benefits: Quick and easy to get started; Less expertise required; Fewer resources used
  - Drawbacks: Not integrated into SDLC; Fails to reinforce security best practices in development
• 25. Dynamic Analysis (section divider)
• 26. WhiteHat Sentinel
  - SaaS-based
  - Full Coverage – On-going testing for business logic flaws and technical vulnerabilities; uses WASC 24 classes of attacks as reference point
  - Unlimited Assessments – Anytime websites change
  - Eliminates False Positives – Security Operations Team verifies all vulnerabilities
• 27. Know Your Enemy
  Fully Targeted
  - Customize their own tools
  - Focused on business logic
  - Clever and profit driven ($$$)
  Directed Opportunistic
  - Commercial / Open Source Tools
  - Authentication scans
  - Multi-step processes (forms)
  Random Opportunistic
  - Fully automated scripts
  - Unauthenticated scans
  - Targets chosen indiscriminately
• 28. WhiteHat Security Statistics Report
  - 1,364 total websites
  - 22,776 verified custom web application vulnerabilities
  - Data collected from January 1, 2006 to October 1, 2009
  - Vast majority of websites assessed for vulnerabilities weekly
  All Websites
  - 83% of websites have had a HIGH, CRITICAL, or URGENT issue
  - 64% of websites currently have a HIGH, CRITICAL, or URGENT issue
  - 61% vulnerability resolution rate with 8,902 unresolved issues remaining
  - Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 16.7
  - Average number of serious unresolved vulnerabilities per website: 6.5
  * Vulnerability severity naming convention aligns with PCI-DSS
  * Vulnerabilities classified according to WASC Threat Classification
  [Chart: Percentage likelihood of a website having a vulnerability by severity (URGENT, CRITICAL, HIGH)]
• 36. WhiteHat Security Top Ten
  [Chart: Percentage likelihood of a website having a vulnerability by class]
• 37. Time-to-Fix
  [Chart, by class: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Pred. Res. Loc. (Predictable Resource Location), Cross-Site Request Forgery, Session Fixation, HTTP Response Splitting, Abuse of Functionality]
  * Up/down arrows indicate the increase or decrease since the last report.
  Best-case scenario: Not all vulnerabilities have been fixed...
• 38. Resolution Rates
  [Chart]
• 39. Dynamic Analysis Challenges
  Coverage
  - URLs
  - Parameters
  Remediation details
  - Code-level vulnerability details
  - Remediation guidance
• 40. Static Analysis (section divider)
• 41. Inside a Static Analysis Engine
  - Translate source code into intermediate model
  - Perform multiple types of analysis
  - Render results for human to review
• 42. Critical Attributes
  - Language support: Understands the relevant languages/dialects
  - Capacity: Ability to gulp down millions of lines of code
  - Rule set and analysis algorithms: Right rules and techniques to find and prioritize issues
  - Results management: Allow human to review results; Prioritization of issues
• 43. Why Static Analysis is Good for Security
  - Fast compared to manual code review
  - Analyze code without executing it
  - Able to contemplate many possibilities
  - Fast compared to testing
  - Complete, consistent coverage
  - Integrates into development lifecycle
  - Brings security knowledge with it
  - Makes review process easier for non-experts

Best of Both Worlds: Correlating Static and Dynamic Analysis Results

• 44. Two Ways to Use the Tools
  #1 Analyze completed programs
  - Large number of results
  - Most people have to start here
  - Good motivator
  #2 Analyze as you write code
  - Run as part of build
  - Nightly/weekly/milestone
  - Fix as you go
• 45. Static Analysis Challenges
  Completed programs:
  - Are not written with security in mind
  - Contain multiple paradigms and technologies
  - Exemplify varying developer skill and techniques
  Which causes static analysis to produce:
  - Large numbers of issues
  - Widely varying issues
  - Issues that are difficult to triage
  Until Stage #2, prioritization is hugely important.
• 47. Prioritizing Analysis Results
  risk = impact · likelihood
  - Impact: negative outcome resulting from a vulnerability
  - Likelihood: probability that the impact will come to pass
• 48. Axes Represent Risk (Whitepaper "Prioritizing Static Analysis Results" at www.fortify.com)
  Impact on the vertical axis, Likelihood on the horizontal axis:
  - Critical: High Impact / High Likelihood
  - High: High Impact / Low Likelihood
  - Medium: Low Impact / High Likelihood
  - Low: Low Impact / Low Likelihood
• 49. Fortify Priority Order
  - Critical – Critical issues have high impact and high likelihood. Critical issues are easy to discover and exploit and result in large asset damage.
  - High – High-priority issues have high impact and low likelihood. High-priority issues are often difficult to discover and exploit, but can result in large asset damage.
  - Medium – Medium-priority issues have low impact and high likelihood. Medium-priority issues are easy to discover or exploit, but often result in small asset damage.
  - Low – Low-priority issues have low impact and low likelihood. Low-priority issues can be difficult to discover and exploit and typically result in small asset damage.
• 51. Goals
  Expanded dynamic coverage
  - Identify valid URLs
  - List parameters accessed under each URL
  Correlating static and dynamic results
  - Remediation details for dynamic issues
  - Prioritization of static issues: Equality, Existence, Proximity
• 52. Expanded Dynamic Coverage: List valid URLs
  - /riches/FindLocations.action → /riches/pages/FindLocations.jsp
  - /riches/auth/oper/SendMessage.action → /riches/pages/oper/SendMessage.jsp, /riches/pages/oper/InvalidEmail.jsp
  - /riches/login/Error.action → /riches/login/error.jsp
  - /riches/auth/oper/Admin.action → /riches/pages/oper/Admin.jsp
  - /riches/login/Register.action → /riches/login/Register.jsp
  - /riches/auth/Transfer.action → /riches/pages/Transfer.jsp
  - /riches/auth/PerformCheck.action → /riches/pages/PerformCheck.jsp
  - ...
  Derived from:
  - web.xml – Action extension (e.g. .action)
  - context.xml – Root context (e.g. /riches)
  - struts.config – Action mappings, Action results
• 54. Expanded Dynamic Coverage: List parameters for each URL
  - /riches/FindLocations.action
  - /riches/auth/oper/SendMessage.action: severity, subject, body, to
  - /riches/login/Error.action
  - /riches/auth/oper/Admin.action: addresses, auth
  - /riches/login/Register.action
  - /riches/auth/Transfer.action: accounts
  - /riches/auth/PerformCheck.action: addr, acct, account, memo, name, amount
  - /riches/ShowLocations.action: zip, state, address, type, locations, city
  - /riches/login/Login.action
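The URL and parameter lists on slides 52 and 54 can be generated from the three configuration sources the slide names. The following Python is an added example, not code from the talk, WhiteHat or Fortify: it parses constructed stand-ins for web.xml, context.xml and a Struts 2 struts.xml, and takes a per-class list of setter methods (ACTION_SETTERS, a hypothetical stand-in for what a static analyzer reports about each action class) to derive the request parameters reachable through each URL. The paths reuse the sample application from the slides; everything else is this example's assumption.

```python
"""Enumerate the valid URLs of a Struts 2 web application, with the result
pages and request parameters behind each, from its configuration files.
Added example; the inputs below are constructed stand-ins for web.xml,
context.xml and struts.xml, not files from the RWO application."""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: the extension-style url-pattern tells the
# scanner which suffix marks an action URL.
WEB_XML = """<web-app>
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>*.action</url-pattern>
  </filter-mapping>
</web-app>"""

# Constructed Tomcat context.xml: the path attribute is the root context.
CONTEXT_XML = '<Context path="/riches" docBase="riches"/>'

# Constructed struts.xml: action mappings and their result pages.
STRUTS_XML = """<struts>
  <package name="public" namespace="/" extends="struts-default">
    <action name="FindLocations" class="com.example.FindLocationsAction">
      <result>/pages/FindLocations.jsp</result>
    </action>
    <action name="ShowLocations" class="com.example.ShowLocationsAction">
      <result>/pages/ShowLocations.jsp</result>
    </action>
  </package>
  <package name="oper" namespace="/auth/oper" extends="struts-default">
    <action name="SendMessage" class="com.example.SendMessageAction">
      <result name="success">/pages/oper/SendMessage.jsp</result>
      <result name="invalid">/pages/oper/InvalidEmail.jsp</result>
    </action>
  </package>
</struts>"""

# Hypothetical static-analysis output: setter methods per action class.
# Struts 2 binds request parameter "severity" to setSeverity(), so the
# setter names are the parameter names each URL accepts.
ACTION_SETTERS = {
    "com.example.FindLocationsAction": [],
    "com.example.ShowLocationsAction": ["setZip", "setState", "setAddress",
                                        "setType", "setLocations", "setCity"],
    "com.example.SendMessageAction": ["setSeverity", "setSubject", "setBody", "setTo"],
}


def action_extension(web_xml: str) -> str:
    """Return the extension (e.g. '.action') routed to the Struts filter/servlet."""
    for pattern in ET.fromstring(web_xml).iter("url-pattern"):
        text = (pattern.text or "").strip()
        if text.startswith("*."):
            return text[1:]  # "*.action" -> ".action"
    raise ValueError("no extension-style url-pattern in web.xml")


def context_root(context_xml: str) -> str:
    """Return the deployment context root ('/riches') from context.xml."""
    return ET.fromstring(context_xml).attrib.get("path", "").rstrip("/")


def setter_to_param(setter: str) -> str:
    """setSeverity -> severity (JavaBeans naming used by the Struts 2 params interceptor)."""
    name = setter[len("set"):]
    return name[0].lower() + name[1:]


def enumerate_urls(struts_xml: str, ext: str, root: str, setters: dict) -> dict:
    """Map each action URL to its result pages and request parameters."""
    urls = {}
    for package in ET.fromstring(struts_xml).iter("package"):
        namespace = package.attrib.get("namespace", "/").rstrip("/")
        for action in package.iter("action"):
            url = f"{root}{namespace}/{action.attrib['name']}{ext}"
            # Result paths are context-relative, so prefix the root context.
            results = [root + (r.text or "").strip() for r in action.iter("result")]
            params = [setter_to_param(s) for s in setters.get(action.attrib.get("class", ""), [])]
            urls[url] = {"results": results, "params": params}
    return urls


if __name__ == "__main__":
    ext, root = action_extension(WEB_XML), context_root(CONTEXT_XML)
    for url, info in enumerate_urls(STRUTS_XML, ext, root, ACTION_SETTERS).items():
        print(url, info["results"], ", ".join(info["params"]))
```

Feeding the resulting URL and parameter lists to the dynamic scanner is what closes the coverage gap slide 39 describes: the scanner no longer has to discover action URLs by crawling, and it knows every parameter name the action will bind, not only the ones that appear in links and forms.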
• 55. Correlation: Equality
  - Find static and dynamic issues at same URL
  - Remediation details for dynamic issues
  - Improved prioritization for static issues
  [Diagram: a dynamic SQL Injection issue matched to a static SQL injection issue in the program]
• 57. Correlation: Existence
  - Find dynamic Session Fixation, CSRF, ... issues
  - Prioritize static issues in same category
  [Diagram: one dynamic CSRF issue; the static CSRF issues in the program are prioritized]
• 58. Correlation: Proximity (source)
  - Find dynamic SQL Injection
  - Prioritize static issues with same source
  [Diagram: a dynamic SQL injection issue; static log forging and static SQL injection issues in the program sharing the same source]
• 59. Correlation: Proximity (sink)
  - Find dynamic SQL Injection, XSS, … issues at URL
  - Prioritize static issues in same category and file
  [Diagram: a dynamic SQL injection issue; two static SQL injection issues in the program (source 1, source 2) reaching the same sink]
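The three correlation rules of slides 55 through 59, combined with the impact/likelihood quadrant of slides 47 through 49, as an added Python example that is not code from the talk, WhiteHat or Fortify. The issue records and URLs are constructed (the URLs reuse the slides' sample application), and the evidence weights and the rule that strong corroboration raises a static issue's likelihood to "high" are this example's own assumptions, not the vendors' scoring.

```python
"""Correlate dynamic (black-box) findings with static analysis issues by
equality, existence and proximity, then re-prioritize the static issues.
Added example; findings, weights and the likelihood rule are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class StaticIssue:
    id: str
    category: str
    file: str
    line: int
    source: str                 # where tainted input enters (e.g. a request parameter)
    impact: str                 # "high" or "low"
    likelihood: str             # "high" or "low", as rated by the static tool
    url: Optional[str] = None   # URL the issue was mapped to, when mapping succeeded


@dataclass
class DynamicIssue:
    id: str
    category: str
    url: str


# Constructed findings (hypothetical file names and line numbers).
STATIC = [
    StaticIssue("S1", "SQL Injection", "PerformCheck.java", 88, "param:account",
                "high", "low", "/riches/auth/PerformCheck.action"),
    StaticIssue("S2", "SQL Injection", "PerformCheck.java", 104, "param:memo", "high", "low"),
    StaticIssue("S3", "Log Forging", "AuditLog.java", 40, "param:account", "low", "high"),
    StaticIssue("S4", "Cross-Site Request Forgery", "Transfer.java", 20, "param:accounts",
                "high", "low", "/riches/auth/Transfer.action"),
    StaticIssue("S5", "Resource Leak", "AccountModel.java", 12, "n/a", "low", "low"),
]
DYNAMIC = [
    DynamicIssue("D1", "SQL Injection", "/riches/auth/PerformCheck.action"),
    DynamicIssue("D2", "Cross-Site Request Forgery", "/riches/auth/oper/Admin.action"),
]

# Evidence weights (assumption): a confirmed match at the same URL counts most,
# sharing a source or sink with a confirmed issue next, sharing only a category
# with some dynamic finding least.
WEIGHT = {"equality": 3, "proximity-source": 2, "proximity-sink": 2, "existence": 1}
# Slide 48 quadrant: (impact, likelihood) -> priority.
PRIORITY = {("high", "high"): "Critical", ("high", "low"): "High",
            ("low", "high"): "Medium", ("low", "low"): "Low"}


def correlate(static: List[StaticIssue], dynamic: List[DynamicIssue]
              ) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Return (evidence per static issue id, code locations per dynamic issue id)."""
    evidence: Dict[str, List[str]] = {s.id: [] for s in static}
    remediation: Dict[str, List[str]] = {d.id: [] for d in dynamic}
    confirmed: List[StaticIssue] = []
    # Equality: same category at the same URL; the static issue supplies the
    # file and line the dynamic report lacks.
    for d in dynamic:
        for s in static:
            if s.category == d.category and s.url == d.url:
                evidence[s.id].append(f"equality:{d.id}")
                remediation[d.id].append(f"{s.file}:{s.line}")
                confirmed.append(s)
    # Proximity: same source, or same category and file, as a confirmed issue.
    for c in confirmed:
        for s in static:
            if s.id == c.id:
                continue
            if s.source == c.source:
                evidence[s.id].append(f"proximity-source:{c.id}")
            if s.category == c.category and s.file == c.file:
                evidence[s.id].append(f"proximity-sink:{c.id}")
    # Existence: the category was confirmed somewhere in the application.
    seen = {d.category for d in dynamic}
    for s in static:
        if s.category in seen and not evidence[s.id]:
            evidence[s.id].append("existence")
    return evidence, remediation


def strength(evidence: List[str]) -> int:
    """Strongest piece of evidence, 0 when nothing corroborates the issue."""
    return max((WEIGHT[e.split(":")[0]] for e in evidence), default=0)


def prioritize(static: List[StaticIssue], dynamic: List[DynamicIssue]) -> List[tuple]:
    """Rank static issues; evidence of weight >= 2 raises likelihood to high (assumption)."""
    evidence, _ = correlate(static, dynamic)
    ranked = []
    for s in static:
        likelihood = "high" if strength(evidence[s.id]) >= 2 else s.likelihood
        ranked.append((PRIORITY[(s.impact, likelihood)], s.id, evidence[s.id]))
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    ranked.sort(key=lambda r: (order[r[0]], -strength(r[2]), r[1]))
    return ranked


if __name__ == "__main__":
    for prio, sid, ev in prioritize(STATIC, DYNAMIC):
        print(f"{prio:8} {sid} {ev}")
    print(correlate(STATIC, DYNAMIC)[1])
```

Run as is, the ranking puts the confirmed injection (S1) and the sibling issue reaching the same sink (S2) first, the CSRF issue whose category was confirmed elsewhere (S4) next, and the uncorroborated resource leak last; the remediation map shows that the dynamic CSRF finding at Admin.action has no static counterpart, which is exactly the kind of gap the case study on slide 63 counts when it reports how many static issues could be mapped to URLs.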
• 60. Case Study: Fortify on Demand (section divider)
• 61. Fortify on Demand
  - SaaS-based Software Security Testing
  [Diagram: Fortify on Demand combining Static Analysis and Dynamic Analysis]
• 63. Static Analysis of RWO
  RWO produces 64 high-impact static issues:
  - 26 critical-priority issues (high likelihood)
  - 38 high-priority issues (low likelihood)
  Mapped 21 static issues to URLs:
  - 33% of high impact issues
  - 73% of high impact issues that involve web input
  Remaining 43 aren’t surprising:
  - 14 resource leaks in model code
  - 6 unsafe configuration values
  - 23 “other issues”, including database and file system inputs
• 66. Apply
  - Use static analysis to assess and improve completeness of dynamic tests
  - Use dynamic analysis to narrow down static analysis results to those that are exploitable
  - Don’t stop there – use the combined view of the program under test to better inform auditing and remediation activities (existence and proximity)