Coverage Is Key: Static Analysis Can Only Scan What It Sees

I was looking over some automated static analysis scan results at a client site a couple of weeks ago and was amazed to see that, in a couple of ten thousand lines of application code, they had managed not to introduce any vulnerabilities that the scanner could find. Impressive! Or was it?


Upon a little further inspection we noticed that the scanner had not been provided with any of the front-end web pages that make up pretty much all of the application’s significant attack surface. No attack surface means the scanner is not going to find any source functions (the places where untrusted input, such as request parameters, enters the code). No source functions means it is pretty tough to find links between sources and sinks. The end result: no significant checking was being done for SQL injection or Cross-Site Scripting (XSS), and those are two of the bigger issues you would expect your automated static analysis tools to find for you.


Automated scanning tools are great but they can only scan what you give them. Any scanning process must include sanity checks to make sure the scanners are getting proper coverage. Otherwise scan results will likely present a falsely rosy view of the security state of the application.
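To make the point concrete, here is an added example (not code from the original post or from any scanner Denim Group used) of a toy source-to-sink scan run over a constructed two-file application, plus the kind of coverage sanity check the paragraph above calls for. The front-end handler reads a request parameter (the source) and passes it to a data-layer function that concatenates it into SQL (the sink). Scanning both files reports the flow; scanning only the data layer, as happened at the client site, reports nothing, and the coverage report shows why: a file is missing and zero sources were seen. The file contents, regexes and the `request.args` / `cursor.execute` patterns are all assumptions made for the illustration.

```python
"""Toy taint scan showing that a static analyzer which never sees the
front-end files sees no sources and therefore reports no flows, even
though the injection in the data layer is still there."""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample application (assumed layout, not a real code base).
SAMPLE_APP: Dict[str, str] = {
    "web/search.py": '''\
def search_handler(request, db):
    term = request.args['q']
    return db.find_products(term)
''',
    "db/products.py": '''\
def find_products(self, term):
    sql = "SELECT * FROM products WHERE name = '" + term + "'"
    return self.cursor.execute(sql)
''',
}

# Assumed source/sink patterns for the illustration.
SOURCE_RE = re.compile(r"^\s*(\w+)\s*=\s*request\.(?:args|form)\[")
SINK_RE = re.compile(r"cursor\.execute\(")
CALL_RE = re.compile(r"\.(\w+)\(([^)]*)\)")
DEF_RE = re.compile(r"^def\s+(\w+)\s*\(([^)]*)\)")


def names_in(expr: str) -> set:
    """Identifiers mentioned in an expression (crude, but enough here)."""
    return set(re.findall(r"[A-Za-z_]\w*", expr))


def parse_functions(files: Dict[str, str]) -> Dict[str, Tuple[str, List[str], List[str]]]:
    """Map function name -> (file, parameter names, body lines)."""
    funcs = {}
    for path, text in files.items():
        lines = text.splitlines()
        for i, line in enumerate(lines):
            m = DEF_RE.match(line)
            if not m:
                continue
            params = [p.strip() for p in m.group(2).split(",") if p.strip()]
            body = []
            for nxt in lines[i + 1:]:
                if nxt.startswith("def "):
                    break
                body.append(nxt)
            funcs[m.group(1)] = (path, params, body)
    return funcs


def find_flows(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (source, sink_file, sink_line) for every source-to-sink flow."""
    funcs = parse_functions(files)
    flows: List[Tuple[str, str, str]] = []

    def walk(path, lines, tainted, source, depth):
        tainted = set(tainted)
        for raw in lines:
            line = raw.strip()
            m = SOURCE_RE.match(raw)
            if m:  # untrusted input enters here
                tainted.add(m.group(1))
                source = f"{path}: {line}"
                continue
            if "=" in line and not line.startswith("return"):
                lhs, rhs = line.split("=", 1)
                if names_in(rhs) & tainted:  # taint propagates through assignment
                    tainted.add(lhs.strip())
            if source and SINK_RE.search(line) and names_in(line) & tainted:
                flows.append((source, path, line))
            for callee, argtext in CALL_RE.findall(line):
                if callee not in funcs or depth > 5:
                    continue
                cpath, params, body = funcs[callee]
                args = [a.strip() for a in argtext.split(",")]
                offset = 1 if params and params[0] == "self" else 0  # skip `self`
                hit = {params[i + offset] for i, a in enumerate(args)
                       if names_in(a) & tainted and i + offset < len(params)}
                if hit:  # follow taint into the callee's parameters
                    walk(cpath, body, hit, source, depth + 1)

    for path, text in files.items():
        walk(path, text.splitlines(), set(), None, 0)
    return flows


def coverage_report(all_paths: Iterable[str], scanned: Dict[str, str]) -> dict:
    """Sanity check: which files the scanner never saw, how many sources it
    saw, and how many flows it found. Zero sources is the red flag."""
    missing = sorted(set(all_paths) - set(scanned))
    sources_seen = sum(1 for text in scanned.values()
                       for line in text.splitlines() if SOURCE_RE.match(line))
    return {"missing": missing, "sources_seen": sources_seen,
            "flows": len(find_flows(scanned))}


if __name__ == "__main__":
    full = coverage_report(SAMPLE_APP, SAMPLE_APP)
    backend_only = {p: t for p, t in SAMPLE_APP.items() if not p.startswith("web/")}
    partial = coverage_report(SAMPLE_APP, backend_only)
    print("full scan:        ", full)
    print("backend-only scan:", partial)
```

The backend-only run is the "falsely rosy" result: no findings, but the report also says one file is missing and no sources were seen, which is exactly the check that should fail loudly before anyone reads the findings count.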


Contact us for help maximizing the value of your code scanning efforts.


–Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

Categories: Uncategorized

One Response to “Coverage Is Key: Static Analysis Can Only Scan What It Sees”

  1. Charlie B

    I totally agree. I think a lot of folks mis-configure security scanners and get incorrect results. The one issue you mention is an interesting one, since it should be solved by any scanner using a web crawler to discover new content.

    In any case, a combination of easy scanner setup and a web crawler is key for any security scanner being run by a non-expert. Too bad it’s so hard to learn it all!
