OWASP Top 10
People ask me all the time, "Can your tool find the OWASP top 10?" It's a fair question, and I would love to give an unequivocal yes. But unfortunately the reality is a bit more complicated. For many items on the Top 10, a static analysis tool can pick up the issue in some cases, but it cannot detect it reliably and consistently. Marketing people may interpret this as "our tool can detect it" - but that won't help a client who has to deal with the limitations.
OWASP have just released a new 2013 Top 10; let's look at it in detail:
A1 - Injection
A3 - Cross-Site Scripting (XSS)
A10 - Unvalidated Redirects and Forwards
These items Source Patrol can detect very effectively. Without any custom configuration, it can accurately detect the vast majority of these issues, with low false positives. This is where static code analysis really adds value, because these vulnerabilities can appear throughout your code, and can be difficult to audit by hand.
A2 - Broken Authentication and Session Management
There are a lot of subtleties to doing password authentication right - never mind certificates or single sign-on. We have a lot of experience pen testing authentication systems, and it seems every one is different. Even when a library is used, important features are still implemented in application code. This is an area where manual review will always trump an automated tool, and we do not intend Source Patrol to cover this.
A4 - Insecure Direct Object References
A7 - Missing Function Level Access Control
These are both examples of authorisation weaknesses. The application is failing to check a user has the required privileges. A difficulty for any automated tool is that it's not readily possible to say what the required privileges should be - that needs human input. Source Patrol will never be able to detect these in a fully automated way. However, we are looking at expanding the custom rules feature, to assist an auditor performing a manual review.
A5 - Security Misconfiguration
A9 - Using Components with Known Vulnerabilities
Some components, such as the web server, are completely outside the application source code. There's nothing that static analysis can do about that. But for libraries, a static analysis tool could check the versions and configuration. This is a bit away from Source Patrol's core functionality, but is something we're looking at adding in the future. In some cases, subtle misconfigurations can cause serious vulnerabilities, e.g. XML External Entity attacks.
A6 - Sensitive Data Exposure
While the title is vague, OWASP's text makes clear this issue is about poorly implemented cryptography. In most cases application code does not directly use cryptography - network and disk encryption is handled by the infrastructure. Source Patrol does not attempt to cover this issue.
A8 - Cross-Site Request Forgery (CSRF)
Just like authorisation flaws, CSRF is an issue that fully automated tools struggle to detect accurately. We are investigating a number of rules that can help a manual auditor. For example, many applications use anti-CSRF libraries that automatically protect POST requests. The challenge for an auditor is whether there are GET requests at risk of CSRF. To help deal with this, we are investigating the feasibility of a new rule "database write detected in GET request".
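As an added illustration of the proposed "database write detected in GET request" rule (example code, not Source Patrol's own), here is a toy static check over Flask-style Python handlers, an assumed target framework: it flags write-SQL string literals inside any handler reachable via GET, so an auditor can focus CSRF review on those routes.

```python
import ast
import re

# SQL verbs that change data; a SELECT in a GET handler is expected, these are not.
WRITE_SQL = re.compile(r"^\s*(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER)\b", re.I)

def route_methods(decorator):
    """HTTP methods of an @app.route(...) decorator (Flask default is GET), else None."""
    if not isinstance(decorator, ast.Call):
        return None
    func = decorator.func
    name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
    if name != "route":
        return None
    for kw in decorator.keywords:
        if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
            return {e.value.upper() for e in kw.value.elts if isinstance(e, ast.Constant)}
    return {"GET"}

def find_get_writes(source):
    """Return (handler, line, verb) for every write-SQL literal inside a GET handler."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        methods = [m for m in map(route_methods, node.decorator_list) if m is not None]
        if not methods or not any("GET" in m for m in methods):
            continue  # not a routed handler, or not reachable via GET
        for sub in ast.walk(node):
            if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
                hit = WRITE_SQL.match(sub.value)
                if hit:
                    findings.append((node.name, sub.lineno, hit.group(1).upper()))
    return findings

# Constructed sample application source: one risky GET handler, one POST write, one GET read.
SAMPLE = '''@app.route("/item/<int:item_id>/delete")
def delete_item(item_id):
    db.execute("DELETE FROM items WHERE id = ?", (item_id,))
    return redirect("/items")
@app.route("/item", methods=["POST"])
def create_item():
    db.execute("INSERT INTO items (name) VALUES (?)", (request.form["name"],))
    return redirect("/items")
@app.route("/items")
def list_items():
    return render(db.query("SELECT id, name FROM items"))
'''
```

Running find_get_writes(SAMPLE) reports only delete_item (line 3, DELETE); the POST insert and the GET select are left alone, which is exactly the triage the rule is meant to give a manual auditor.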
Source Patrol, like any static analysis tool, cannot reliably find all the OWASP Top 10. It is still a valuable part of your secure development lifecycle. By understanding the limitations of such tools, you can plan other actions to ensure all your risks are covered.