slides - Lyle School of Engineering

Securing WebApps – A Survey of Vulnerabilities & Static Analysis Tools
Lewis Sykalski
SMU D.E. Software Engineering Student
Lockheed Martin - Flight Simulation Engineer
[email protected]
OWASP 2013 Candidate List
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Known Vulnerable Components
A10 – Unvalidated Redirects and Forwards
Injection
Cross-Site Scripting
CSRF
Insecure Direct Object Reference
What is Static Analysis?
Static program analysis is:
● an analysis method to determine whether vulnerabilities exist by simply looking at the code in a non-dynamic (non-running) state.
● Usually the source code is used; however, some tools allow for analysis of object code.
● The most successful tools are ones that analyze the whole scope of the program in relation to a line of code, as opposed to only analyzing a single line of code at a time, completely independent from the rest of the program.
Dynamic Analysis?
Dynamic analysis:
● analysis of the software while the webapp is running.
● could be performed either in a white-box situation, where everything is known, or in a black-box situation, where nothing or very little is known.
Open Source Options
Product | License | Type | Languages | Features
LAPSE+ [2] | Open Source, GNU GPL | Eclipse Plugin | Java | Variable traceback, good for analysis of injection & cross-site scripting
FindBugs 2.0 [3] | Open Source, GNU LGPL | Eclipse Plugin | Java | Good for general purpose bugs, slick interface, security-specific detection under-developed
Orizon [9] | Open Source, GNU GPL | Standalone, text-based | Java, PHP, C, JSP | Report-based scheme, underdeveloped, lacking nice UI, some security detection
SWAAT [8] | Open Source, custom license | Standalone, HTML report-based | Java, C# | Nice report-based detection, .NET package out-of-date, tool not maintained. Does not necessarily focus on security problems
PMD [5] | Open Source, BSD | Eclipse Plugin | Java, JavaScript, XML, XSL | Generic code quality tool, high quality user interface, extensible to other security-specific rule-sets
Open Source Options (cont.)
Product | License | Type | Languages | Features
FxCop [4] | Open Source, MS-PL | VS Plugin | .NET | Security-specific static analysis, UI built into Visual Studio
RIPS [7] | Open Source, GPL | Standalone | PHP | Professional user interface, security-specific analysis
FlawFinder [19] | Open Source, GPL | Standalone, text-based | C++ | Security-specific analysis (injections, overflow, etc.), dangerous function analysis
PreFast [20] | Open Source, MS-PL | VS Plugin | C++ | General static analysis, UI built into Visual Studio
BrakeMan [21] | Open Source, MIT | Standalone, text-based | Ruby | Security-specific analysis, strong following
LAPSE+
OWASP LAPSE+
● Java plug-in which integrates tightly with the Eclipse IDE (Helios+, 1.6 JRE+).
● useful for detecting & subsequently analyzing security vulnerabilities due to untrusted data injection in Java webapps.
● operates on the concept of sinks and sources: the source is the point where untrusted data is injected (e.g. a cookie, parameters from HTTP, etc.) and the sink is the point where that data is used to manipulate the behavior of the application (e.g. a servlet response or HTML page).
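To make concrete both the whole-program point from the "What is Static Analysis?" slide and the source/sink model LAPSE+ is built on, here is an added example (not code from the slides or from LAPSE+): a small taint analysis over Python's `ast` module. The source, sink and sanitizer names are hypothetical, modelled on a servlet-style web app, and the analysed program is constructed. Run statement-by-statement it only sees a sink that is fed directly by a source; run whole-program it follows the request parameter through the string concatenation into the query.

```python
import ast

# Constructed vocabulary (hypothetical names, not LAPSE+'s own configuration).
SOURCES = {"getParameter", "getCookie", "getHeader"}   # untrusted data enters here
SINKS = {"executeQuery", "write", "sendRedirect"}      # untrusted data must not reach here
SANITIZERS = {"escapeHtml", "parseInt"}                # calls whose result is trusted


def _call_name(node):
    """Bare function name for f(...) or obj.f(...), else None."""
    if isinstance(node, ast.Call):
        if isinstance(node.func, ast.Name):
            return node.func.id
        if isinstance(node.func, ast.Attribute):
            return node.func.attr
    return None


def _expr_tainted(node, tainted, transitive):
    """True if the expression may carry untrusted data.
    transitive=False only recognises a source call inside this very expression,
    which is all a single-statement scan can know."""
    name = _call_name(node)
    if name in SANITIZERS:
        return False                      # sanitizer output is trusted
    if name in SOURCES:
        return True
    if isinstance(node, ast.Name):
        return transitive and node.id in tainted
    # concatenation, f-strings, other calls: tainted if any operand is
    return any(_expr_tainted(c, tainted, transitive)
               for c in ast.iter_child_nodes(node)
               if isinstance(c, (ast.expr, ast.keyword)))


def _statements(body):
    """Statements in source order, descending into if/for/while/def bodies."""
    for stmt in body:
        yield stmt
        for field in ("body", "orelse"):
            inner = getattr(stmt, field, None)
            if isinstance(inner, list):
                yield from _statements(inner)


def _own_exprs(stmt):
    """Expression children of a statement, not its nested statement blocks."""
    for _, value in ast.iter_fields(stmt):
        if isinstance(value, ast.expr):
            yield value
        elif isinstance(value, list):
            yield from (v for v in value if isinstance(v, ast.expr))


def analyze(src, whole_program=True):
    """Return sorted [(line, sink)] for sink calls that untrusted data can reach.
    whole_program=True propagates taint through assignments (flow-insensitive:
    once a variable is tainted it stays tainted); False checks each statement alone."""
    tainted = set()
    findings = []
    for stmt in _statements(ast.parse(src).body):
        if whole_program and isinstance(stmt, ast.Assign):
            if _expr_tainted(stmt.value, tainted, True):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
        for expr in _own_exprs(stmt):
            for node in ast.walk(expr):
                name = _call_name(node)
                if name in SINKS and any(_expr_tainted(a, tainted, whole_program)
                                         for a in node.args):
                    findings.append((node.lineno, name))
    return sorted(set(findings))


# Constructed program under analysis (servlet-style pseudo-app written as Python).
SAMPLE = '''
name = request.getParameter("name")
greeting = "Hello " + name
response.write(escapeHtml(greeting))
query = "SELECT * FROM users WHERE name = '" + name + "'"
rows = db.executeQuery(query)
response.write(request.getParameter("msg"))
'''

if __name__ == "__main__":
    for mode in (False, True):
        label = "whole-program" if mode else "line-local"
        print(label, analyze(SAMPLE, whole_program=mode))
```

The line-local pass reports only line 7, where the sink and the source sit in one statement; the whole-program pass also reports the query on line 6, and correctly stays silent on line 4 because the value passed to the sink went through a sanitizer.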
LAPSE+
FindBugs
FindBugs:
● program which uses static analysis to look for bugs in Java code.
● relatively easy to install and purports to find all types of bugs.
● has a user interface where one can filter between the various bug categories found, a bug review panel which describes the bug in detail with resolution measures, and a Bug Info panel which shows a detailed stack trace and description.
FindBugs
Orizon
OWASP Orizon:
● allows one to perform a security code review over your code, making sure it fits the recommendations contained in the OWASP Build Guide and the OWASP Code Review Guide.
● standalone console-based tool with its own shell engine.
● provides certain commands which, when executed, allow one to model the code, crawl through all traces, and then subsequently
Orizon
PMD
PMD:
● static analysis tool for Java source code.
● identifies possible bugs, dead code, suboptimal code, high cyclomatic complexity, and duplicate code.
● extensible rule-set capability for one to create their own rules.
● supports a vulnerability view where the aforementioned problems are displayed, and the Copy-Paste Detector (CPD) view, where one can view copy-pasted code (code that should likely be consolidated into a single logical block).
● GDS PMD Secure Coding Ruleset
PMD
FlawFinder
Flawfinder:
● a tool that works on C++ source code.
● console-based and specifically targets security vulnerabilities.
● works by using a built-in database of C/C++ functions with well-documented security problems, such as “buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(),
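An added example of the dangerous-function-database approach the slide describes; it is not Flawfinder's own code, and the rule table below is constructed (risk levels and advice are illustrative, not Flawfinder's database). The scanner runs over a constructed C snippet, blanks out comments so their text cannot match, requires an actual call of the exact name (so `my_strcpy()` is not reported), and for the printf family reports only calls whose format argument is not a string literal, which is the refinement that keeps this kind of lexical scan from drowning in noise.

```python
import re

# Constructed rule table: function -> (risk level, category, advice). Illustrative only.
BUFFER, FORMAT, RACE = "buffer overflow", "format string", "race condition (TOCTOU)"
RULES = {
    "gets":     (5, BUFFER, "reads unbounded input; use fgets() with a size"),
    "strcpy":   (4, BUFFER, "no length check; use a bounded copy and terminate the result"),
    "strcat":   (4, BUFFER, "no length check; use a bounded concatenation"),
    "sprintf":  (4, BUFFER, "output length unchecked; use snprintf()"),
    "scanf":    (4, BUFFER, "%s without a field width overflows; give a width"),
    "printf":   (4, FORMAT, "format must be a literal, never caller data"),
    "fprintf":  (4, FORMAT, "format must be a literal, never caller data"),
    "snprintf": (4, FORMAT, "bounded, but the format must still be a literal"),
    "syslog":   (4, FORMAT, "format must be a literal, never caller data"),
    "access":   (4, RACE,   "check-then-use on a path; open the file and check the fd"),
    "chown":    (5, RACE,   "path-based; use fchown() on an open fd"),
    "chgrp":    (5, RACE,   "path-based; operate on an open fd instead"),
}
# Position of the format-string argument for the format-family functions.
FORMAT_ARG = {"printf": 0, "fprintf": 1, "snprintf": 2, "syslog": 1}

# An identifier immediately followed by '(' and not glued to a preceding identifier char.
_CALL = re.compile(r"(?<![A-Za-z0-9_])([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def strip_comments(src):
    """Blank out C comments but keep every newline so line numbers stay right.
    (Does not special-case comment markers inside string literals.)"""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group(0))
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)
    return re.sub(r"//[^\n]*", blank, src)


def call_args(src, start):
    """Split the argument list whose '(' is at src[start] on top-level commas,
    respecting nested parentheses and string/char literals."""
    depth, i, args, buf, in_str = 0, start, [], "", None
    while i < len(src):
        ch = src[i]
        if in_str:
            buf += ch
            if ch == "\\":                 # keep the escaped char with its backslash
                i += 1
                buf += src[i]
            elif ch == in_str:
                in_str = None
        elif ch in "\"'":
            in_str = ch
            buf += ch
        elif ch == "(":
            depth += 1
            if depth > 1:
                buf += ch
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append(buf.strip())
                break
            buf += ch
        elif ch == "," and depth == 1:
            args.append(buf.strip())
            buf = ""
        else:
            buf += ch
        i += 1
    return args


def scan(src):
    """Return [(line, function, level, category, advice)], highest risk first."""
    clean = strip_comments(src)
    findings = []
    for m in _CALL.finditer(clean):
        name = m.group(1)
        if name not in RULES:
            continue
        level, category, advice = RULES[name]
        if name in FORMAT_ARG:
            args = call_args(clean, m.end() - 1)   # m.end()-1 is the '('
            idx = FORMAT_ARG[name]
            if idx < len(args) and args[idx].startswith('"'):
                continue                           # constant format: not a format-string bug
        line = clean.count("\n", 0, m.start()) + 1
        findings.append((line, name, level, category, advice))
    return sorted(findings, key=lambda f: (-f[2], f[0]))


# Constructed C input; nothing here is a real project's code.
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>
/* strcpy(buf, p) in a comment is not a finding */
void greet(const char *name, const char *path) {
    char buf[32];
    strcpy(buf, name);                  /* 6: unbounded copy */
    printf("Hello %s\n", buf);          /* 7: literal format, fine */
    printf(name);                       /* 8: format string from caller */
    snprintf(buf, sizeof buf, name);    /* 9: bounded, but format is not a literal */
    my_strcpy(buf, name);               /* 10: not the libc function */
    if (access(path, W_OK) == 0) {      /* 11: check-then-use */
        gets(buf);                      /* 12: never safe */
    }
}
'''

if __name__ == "__main__":
    for line, name, level, category, advice in scan(SAMPLE_C):
        print(f"line {line}: {name}() risk {level} [{category}]: {advice}")
```

Like any lexical scanner of this kind it sees names, not data flow: it cannot tell whether `name` on line 6 fits in `buf`, and it does not expand macros, so findings are leads for review rather than confirmed defects.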
FlawFinder
RIPS
RIPS:
● written in PHP, and for PHP specifically, to find vulnerabilities.
● can create a program model of the source code.
● can detect vulnerable functions (sinks) that can be utilized by malicious user input. Additionally, an audit framework is provided for further analysis in an IDE-style visual user interface.
● claims to detect XSS, SQL Injection, LFI/RFI,
RIPS
Commercial Tools
Product | License | Type | Languages | Features
Fortify [10] | Commercial | Standalone | 20 different languages | Professional user interface, security-specific detection/focus
Coverity [16] | Commercial | Standalone | C++, Java, C# | Professional user interface, security-specific detection/focus
Insight [17] | Commercial | Standalone | C++, Java, C# | IDE & static code analyzer, generic quality detection/focus
Parasoft [18] | Commercial | Standalone | C++, Java, .NET | IDE & static code analyzer, security-specific detection/focus
Veracode [14] | Commercial | Standalone | C++, Java, C# | Professional user interface, security-specific detection/focus
IBM Security AppScan [15] | Commercial | Standalone | C++, Java, C#, Objective C | Professional user interface, centralized security scanning, data consolidation
Checkmarx [13] | Commercial | Standalone | 15 languages | Professional user interface, security-specific detection/focus
CodeSecure [12] | Commercial | Standalone | 10 languages | Professional user interface, security-specific detection/focus
CodeSonar [11] | Commercial | Standalone | Java, C++ | General defect detection, some security-specific & threading checks
References
1. OWASP Top-10: https://www.owasp.org/index.php/Top_10_2013-Top_10
2. LAPSE+: http://evalues.es/downloads/owasp/LapsePlus_Tutorial.pdf
References (cont.)
12. Armorize CodeSecure: http://www.armorize.com/codesecure/
13. CheckMarx: http://www.checkmarx.com/technology/static-code-analysis-