Guaranteed NO False Positives: Static Analysis Edition

Since everyone seemed to be so excited about our new web application scanner technology that guarantees no false positives, I’m sure everyone will be equally excited about the new Static Analysis Edition.  This is just as simple to use as the dynamic scanning tool we released yesterday – just point the scanner to the directory that the application code lives in and it will scan the application for vulnerabilities, but the results will include NO FALSE POSITIVES.  Couldn’t be easier…

Here’s the code.  All yours, under an Apache 2.0 license.  Just like the web scanner edition.

package com.denimgroup.nofalsepositives;

import java.io.File;
import java.util.ArrayList;

public class StaticAnalyzer
{
     public static void main(String[] args)
     {
           // The findings list is never populated: the "scan" below reads no files
           ArrayList<String> vulnerabilities = new ArrayList<String>();

           String sDirToScan;
           File dirToScan = null;

           long scanStart;
           long scanEnd;

           //   Must at least enter a directory to scan
           if (args.length < 1) {
                usage();
                System.exit(1);
           }

           //   Make sure the path is an existing directory
           sDirToScan = args[0];
           dirToScan = new File(sDirToScan);
           if (!dirToScan.isDirectory()) {
                System.out.println("Provided path was not a directory.  Unable to scan.");
                System.exit(2);
           }

           //   Kick off the scan
           scanStart = System.currentTimeMillis();
           System.out.println(String.format("Starting scan of %s at %d", dirToScan.toString(), scanStart));

           //   Finalize scan and report findings (nothing happens in between)
           scanEnd = System.currentTimeMillis();
           System.out.println(String.format("Finished scan of %s at %d", dirToScan.toString(), scanEnd));

           System.out.println(String.format("Found %d vulnerabilities with NO false positives", vulnerabilities.size()));
     }

     public static void usage()
     {
           System.out.println("usage: java com.denimgroup.nofalsepositives.StaticAnalyzer <BASE_DIR>");
     }
}

Another facetious post!  Based on some Twitter chatter yesterday I’ll bet folks can’t wait for our NO False Positives Web Application Firewall.  That one will probably be a shell script that uses netcat.  And we can run it in the Cloud if we need to.  Buzzword buzzword buzzword!

The use of static analysis tools is an incredibly powerful way to identify potential vulnerabilities in code, but no tool is perfect.  Automated scans are a portion of an application assessment – not the entirety of one if you really want a realistic evaluation of your security posture.  Tuning the default ruleset and crafting framework- and application-specific rules allows you to extract so much more value from your static analysis tools.  And manual review is required to look for business logic issues such as problems with authentication, authorization, etc.
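To show what "tuning" buys you in practice, here is an added example that is not part of the original post or any Denim Group code: a tiny rule-based scanner written in Python (rather than Java, so it runs without a build) with a default-style rule beside an application-specific one, run over a few constructed lines of Java-like source. The naive rule reports every Runtime.exec() call and produces two false positives; the tuned rule blanks out string literals first and only flags calls whose argument is not a single constant.

```python
import re
from dataclasses import dataclass

# Constructed Java-like sample (not from the post). Lines 1 and 3 are safe; line 2 is not.
SAMPLE_SOURCE = """\
Runtime.getRuntime().exec("ls -l");
Runtime.getRuntime().exec("ping " + request.getParameter("host"));
String note = "Runtime.getRuntime().exec(\\"demo\\") is dangerous";
logger.info("Starting scan");
"""

EXEC_CALL = re.compile(r'Runtime\.getRuntime\(\)\.exec\((.*)\)')
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')


@dataclass
class Finding:
    line: int
    rule: str
    text: str


def naive_rule(line: str) -> bool:
    """Default-style rule: any exec() call is a finding (fires on lines 1, 2 and 3)."""
    return EXEC_CALL.search(line) is not None


def tuned_rule(line: str) -> bool:
    """Application-specific rule: blank out string literals, then only flag exec()
    calls whose argument is something other than a single constant string."""
    blanked = STRING_LITERAL.sub('""', line)
    m = EXEC_CALL.search(blanked)
    return m is not None and m.group(1).strip() != '""'


def scan(source: str, rule_name: str, rule) -> list:
    """Run one rule over every line of source and return the findings."""
    return [Finding(n, rule_name, line.strip())
            for n, line in enumerate(source.splitlines(), 1) if rule(line)]


if __name__ == "__main__":
    for name, rule in (("naive", naive_rule), ("tuned", tuned_rule)):
        for f in scan(SAMPLE_SOURCE, name, rule):
            print(f"{f.rule}: line {f.line}: {f.text}")
```

The tuned rule still only sees one line at a time, so a command built up over several statements would slip past it; that residual gap is exactly what the manual review the post calls for is meant to cover.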

Contact us if you would like help performing thorough application assessments or crafting a sensible application security program for your organization.

–Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
