« December 2007 | Main | February 2008 »
By Dan Cornell
I will be presenting to OWASP San Antonio tomorrow about how to use Static Analysis techniques to improve application security. More details can be found on the OWASP San Antonio page. As always the meeting is free and I hope to see folks there.
--Dan
dan _at_ denimgroup.com
By Dan Cornell
This is one of the better books I have read about software security in quite a while. It does a solid job of explaining what static analysis is and how it can be applied to software security and then provides a expansive tour of security issues that can be detected with static analysis and the patterns that lead to this detectability. Just reading through all of these examples forces the reader to come to a better understanding of how software security vulnerabilities come about in general.
When I first picked up the book I expected it to be be essentially a 500 page advertisement and user manual for Fortify's Source Code Analyzer tool. That would make sense as the authors are Brian Chess and Jacob West - Fortify's founder/Chief Scientist and manager of their Security Research Group. I don't know that I would have a problem with that because I'm a big fan of the tool, but it would have limited the audience of folks the book would have been useful for. However I was especially pleased to find that the book is a actualy a great general purpose reference for software security and static analysis that anyone wanting to write more secure code can read.
Part I (chapters 1 - 4) provides a very solid introduction to the value of software security and the theory behind static analysis and provides some really interesting material on different approaches to static analysis that can be applied to solve software security problems. This is pretty theoretical stuff, but does a great job of providing a framework for the patterns explored through the rest of the book. There is also some good material on how to integrate the use of static analysis tools into a software development process - essentially establishing who is going to run the tool, when it is going to be run and what is going to be done with the results. The first three chapters could be read by anyone interested in the topic - the fourth chapter is probably for programmers only.
Part II (chapters 5 - 8) steps through the general problems of software security that can be attacked with static analysis - primarily input validation. The bulk of this material is focused on C and C++ issues - buffer overflows, integer overflows and string formatting vulnerabilities. Even though I personally don't do a lot of C/C++ programming any more I found the material to be fascinating. If you actually are programming in C and/or C++ on a regular basis you will hopefully find the material both fascinating and immediately useful. Chapter 8 has material that applies to all environments for dealing with exceptions and error codes, resource leaks and logging.
Part III (chapters 9 - 12) looks at more specialized topics. There is good material on web applications and web services as well as some information on how to integrate cryptography into applications. Chapter 12 deals with programs at different privilege levels. Again - since I don't do a lot of system-level C and C++ programming it has been quite some time since I wrote a binary that was supposed to have setuid privileges. Regardless I found the material very interesting.
Part IV (chapters 13 and 14) is a tutorial on how to use Fortify SCA. The book comes with a CD-ROM containing a demo version of the software and you can go online to get a license key. Running through the exercises is a good way to get an idea of how modern, commercial static analysis tools work and get a feel for how they might integrate into your team's development process.
Overall I really enjoyed this book. The fact that it mixed a theoretical treatment of the material with a large number of practical examples made it very interesting. I consider myself to be pretty knowledgeable in this area and I learned some new tips and tricks from the book. More importantly - I learned some new ways to think about software security and that really has long-term value for me.
--Dan
dan _at_ denimgroup.com
By Dan Cornell
I will be presenting to OWASP San Antonio about Static Analysis Thursday January 31st. If you are in town please drop by and check it out. Full details below or on the OWASP San Antonio page.
San Antonio OWASP
Chapter: January 2008 Meeting
Topic: Static
Analysis Techniques for Testing Application Security
Presenter: Dan Cornell
Date: January 31st, 11:30am – 1:00pm
Location:
San Antonio Technology Center (Web Room)
3463 Magic Drive
San Antonio, TX 78229
http://maps.google.com/maps?f=q&hl=en&q=3463+Magic+Drive,+San+Antonio,+TX+78229
Abstract:
Static
Analysis of software refers to examining source code and other software
artifacts without executing them. This
presentation looks at how these techniques can be used to identify security
defects in applications. Approaches
examined will range from simple keyword search methods used to identify calls
to banned functions through more sophisticated data flow analysis used to
identify more complicated issues such as injection flaws. In addition, a demonstration will be given of
two freely-available static analysis tools: FindBugs for the Java platform and
FXCop for the .NET platform. Finally,
some approaches will be presented on how organizations can start using static
analysis tools as part of their development and quality assurance processes.
Sodas and
snacks will be provided. Feel free to
bring a brown-bag lunch.
Please RSVP:
E-mail owasprsvp _at_ denimgroup.com or call (210) 572-4400.
Denim Group has been growing rapidly in the last few months. We'd like to introduce four team members who have joined us since November.
A.T. F., Project Coordinator
A.T. joins Denim Group after
working five years with the Southwest Research Institute as an analyst,
research analyst and project manager. At Denim Group, A.T. will work
directly with the development team, executive directors and clients to
ensure smooth project operation. He has a Bachelor of Science degree in
Computer Science from Trinity University and is currently completing a
Master's degree in Computer Science from UTSA.
Jason P., Consultant
Prior
to joining Denim Group, Jason was a research analyst in the Automation
and Data Systems Division at Southwest Research Institute. He joins
Denim Group as a consultant specializing in .NET development. Jason has
a Bachelor's degree in Computer Science from UT Austin. He is currently
completing his Master of Business Administration degree at UTSA.
Peter S., Consultant
Peter
joins Denim Group as a consultant specializing in Java development.
Before Denim Group, Peter worked as a java programmer/analyst for
Accenture and was a Communications Officer in the United States Air
Force. He has a Bachelor of Business Administration in Management
Information Systems degree from Texas A&M University.
Stephen M., Consultant
With
over ten years of software development experience, Stephen joins Denim
Group as a consultant specializing in Flash/Flex development and UI
design. Stephen previously worked as the web development manager for
New Century Graphics, a web designer and application developer at Image
Networks and as a freelance web and print designer. He has a Bachelor's
degree from UTSA with majors in English and Philosophy.
By Dan Cornell
We just rolled out the updated Denim Group portal running on Microsoft's Sharepoint 2007 Server. We have been using SharePoint 2003 for the last couple of years and rely on it for a lot of our business functions. We have also implemented it for a number of our clients. However, one thing we have always been aggravated about with SharePoint 2003 was the quality of the search functionality. That is why it was so amusing to see this quote in an ad on Microsoft's SharePoint site:
I never found a single document using the prior search feature. Now I find 80 percent of what I'm looking for. - Mary Kay
Wow - when did Microsoft get so focused on truth in advertising? That quote is pretty accurate - the previous search capabilities in SharePoint were pretty terrible. And in the new version they work reasonably well. However, if I were Microsoft I don't know if I would want to emphasize that:
In any case we're super-happy with the new Microsoft Office SharePoint 2007 implementation of our corporate portal/intranet. The new workflow features are fantastic and the Web 2.0 / social networking capabilities (blogs, wikis, etc) are great in a fast-growing organization. However, that user "testimonial" amused me quite a bit when I saw it. Reminiscent of high-quality movie lines like "Volvo. They're boxy, but they're good."
--Dan
dan _at_ denimgroup.com
By Dan Cornell
I saw this article over on AccountingWeb about how social networking sites are increasingly becoming vectors for identity theft and other attacks. Echoing something we have discussed on this blog before, they noted that having a lot of information about yourself online has drawbacks - specifically allowing identity thieves (and CIA) to collect it in support of their identity theft attempts. Also, social networking sites can host links to malware.
In the article they mention one attack where clicking on a MySpace friend request results in a pop up windows that is supposed to look like a Windows Update window. I was particularly amused by McAfee's somewhat silly suggestion "One way to guard against such attacks is to minimize your browser. If the dialogue box disappears, it is probably an impostor." Now that is some useful, general purpose online security advice! If we can't teach people to look for lock icons when the browser is talking over HTTPS, I don't think we'll be able to train them to make decisions based on which windows minimize at various times.
If you recall, more attacks on and via social networking sites was one of my Top 5 predictions for 2008. Barely a week after that post we're already seeing some confirmation. Making predictions is easy!
--Dan
dan _at_ denimgroup.com
