Re: [SC-L] What do you like better Web penetration testing or static code analysis?

2010-04-25 Thread Arian J. Evans
 [mailto:sc-l-boun...@securecoding.org]
 On Behalf Of Gary McGraw
 Sent: Thursday, April 22, 2010 2:15 PM
 To: Peter Neumann; Secure Code Mailing List
 Subject: Re: [SC-L] What do you like better Web penetration testing or
 static code analysis?

 I hereby resonate with my esteemed colleague and mentor pgn.  But no puns
 from me.

 gem


 On 4/22/10 1:57 PM, Peter Neumann neum...@csl.sri.com wrote:



 Matt Parsons wrote:
 What do you like doing better as application security professionals, web
 penetration testing or static code analysis?

 McGovern, James F. (P+C Technology) wrote:
 Should a security professional have a preference when both have
 different value propositions? While there is overlap, a static analysis
 tool can find things that pen testing tools cannot. Likewise, a pen test
 can report on secure applications deployed insecurely which is not
 visible to static analysis.

 So, the best answer is I prefer both...

 Both is better than either one by itself, but I think Gary McGraw
 would resonate with my seemingly contrary answer:

   BOTH penetration testing AND static code analysis are still looking
   at the WRONG END of the horse AFTER it has left the DEVELOPMENT BARN.
   Gary and I and many others have for a very long time been advocating
   security architectures and development practices that greatly enhance
   INHERENT TRUSTWORTHINESS, long before anyone has to even think about
   penetration testing and static code analysis.

   This discussion is somewhat akin to arguments about who has the best
   malware detection.  If system developers (past-Multics) had paid any
   attention to system architectures and sound system development
   practices, viruses and worms would be mostly a nonproblem!

   Please pardon my soapbox.

     The past survives.
     The archives
     have lives,
     not knives.
     High fives!

     (I strive
     to thrive
     with jive.)

 PGN
 ___
 Secure Coding mailing list (SC-L) SC-L@securecoding.org
 List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
 List charter available at - http://www.securecoding.org/list/charter.php
 SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
 as a free, non-commercial service to the software security community.
 Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
 ___




Re: [SC-L] What do you like better Web penetration testing or static code analysis?

2010-04-24 Thread Brian Chess
I like your point, Matt.  Everybody who's responded thus far has wanted to
turn this into a discussion about what's most effective or what has the most
benefit, sort of like we were comparing which icky medicine to take or which
overcooked vegetable to eat.  Maybe they don't get any pleasure from the
work itself.

It sounds as though you need to change up your static analysis style.  A few
years back we ran competitions at BlackHat where we found we could identify
and exploit vulnerabilities starting from static analysis just as quickly as
from fuzzing.  Here's an overview:

http://reddevnews.com/Blogs/Desmond-File/2008/08/Iron-Chef-Competition-at-Black-Hat-Cooks-Up-Security-Goodness.aspx

Interviews with Charlie Miller and Sean Fay:
http://blog.fortify.com/blog/2009/05/02/Iron-Chef-Interviews-Part-1-Charlie-Miller-1-2
http://blog.fortify.com/blog/2009/05/02/Iron-Chef-Interviews-Part-2-Sean-Fay

Brian

On 4/23/10 7:05 AM, Matt Parsons mparsons1...@gmail.com wrote:

 Gary,
 I was not stating which was better for security.  I was stating what I
 thought was more fun.   I feel that penetration testing is sexier.  I find
 penetration testing like driving a Ferrari and static code analysis like
 driving a Ford Taurus.   I believe with everyone else on this list that
 software security needs to be integrated early in the development life
 cycle.  I have also read most of your books and agree with your findings.
 As you would say, I don't think that penetration testing is magic security
 pixie dust but it is fun when you are doing it legally and ethically.  My
 two cents.
 Matt
 
 
 Matt Parsons, MSM, CISSP
 315-559-3588 Blackberry
 817-294-3789 Home office
 Do Good and Fear No Man
 Fort Worth, Texas
 A.K.A The Keyboard Cowboy
 mailto:mparsons1...@gmail.com
 http://www.parsonsisconsulting.com
 http://www.o2-ounceopen.com/o2-power-users/
 http://www.linkedin.com/in/parsonsconsulting
 http://parsonsisconsulting.blogspot.com/
 http://www.vimeo.com/8939668
 http://twitter.com/parsonsmatt
 
 -Original Message-
 From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org]
 On Behalf Of Gary McGraw
 Sent: Thursday, April 22, 2010 2:15 PM
 To: Peter Neumann; Secure Code Mailing List
 Subject: Re: [SC-L] What do you like better Web penetration testing or
 static code analysis?
 
 I hereby resonate with my esteemed colleague and mentor pgn.  But no puns
 from me.
 
 gem
 
 
 On 4/22/10 1:57 PM, Peter Neumann neum...@csl.sri.com wrote:
 
 
 
 Matt Parsons wrote:
 What do you like doing better as application security professionals, web
 penetration testing or static code analysis?
 
 McGovern, James F. (P+C Technology) wrote:
 Should a security professional have a preference when both have
 different value propositions? While there is overlap, a static analysis
 tool can find things that pen testing tools cannot. Likewise, a pen test
 can report on secure applications deployed insecurely which is not
 visible to static analysis.
 
 So, the best answer is I prefer both...
 
 Both is better than either one by itself, but I think Gary McGraw
 would resonate with my seemingly contrary answer:
 
   BOTH penetration testing AND static code analysis are still looking
   at the WRONG END of the horse AFTER it has left the DEVELOPMENT BARN.
   Gary and I and many others have for a very long time been advocating
   security architectures and development practices that greatly enhance
   INHERENT TRUSTWORTHINESS, long before anyone has to even think about
   penetration testing and static code analysis.
 
   This discussion is somewhat akin to arguments about who has the best
   malware detection.  If system developers (past-Multics) had paid any
   attention to system architectures and sound system development
   practices, viruses and worms would be mostly a nonproblem!
 
   Please pardon my soapbox.
 
 The past survives.
 The archives
 have lives,
 not knives.
 High fives!
 
 (I strive
 to thrive
 with jive.)
 
 PGN

Re: [SC-L] What do you like better Web penetration testing or static code analysis?

2010-04-24 Thread Kevin W. Wall
Brian Chess wrote:
 I like your point Matt.  Everybody who's responded thus-far has wanted to
 turn this into a discussion about what's most effective or what has the most
 benefit, sort of like we were comparing which icky medicine to take or which
 overcooked vegetable to eat.  Maybe they don't get any pleasure from the
 work itself.

I take exception to that use of everybody. My response was based solely
on my *preference*, which is what my understanding of Matt was originally
asking. But SC-L being the mailing list of many tangents, well...

And again, for the record, I *enjoy* both pen testing and static code
analysis, but I _personally_ prefer doing static code analysis, if for no
other reason than that it generally allows me to work closer to the development
teams where I can better suggest appropriate mitigation.

Of course, my post (at least the original one) wasn't controversial enough
to stir up the pot and cause it to go off in some other direction, so it
may have flown past you under the radar. Not that that matters. OTOH, I
don't want to be lumped into the everybody category, especially when
that list includes those who can't follow simple directions. ;-)

Regards,
-kevin
-- 
Kevin W. Wall
The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents. -- Nathaniel Borenstein, co-creator of MIME


Re: [SC-L] What do you like better Web penetration testing or static code analysis?

2010-04-23 Thread Matt Parsons
Gary,
I was not stating which was better for security.  I was stating what I
thought was more fun.   I feel that penetration testing is sexier.  I find
penetration testing like driving a Ferrari and static code analysis like
driving a Ford Taurus.   I believe with everyone else on this list that
software security needs to be integrated early in the development life
cycle.  I have also read most of your books and agree with your findings.
As you would say, I don't think that penetration testing is magic security
pixie dust but it is fun when you are doing it legally and ethically.  My
two cents.
Matt


Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office 
Do Good and Fear No Man  
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt

-Original Message-
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org]
On Behalf Of Gary McGraw
Sent: Thursday, April 22, 2010 2:15 PM
To: Peter Neumann; Secure Code Mailing List
Subject: Re: [SC-L] What do you like better Web penetration testing or
static code analysis?

I hereby resonate with my esteemed colleague and mentor pgn.  But no puns
from me.

gem


On 4/22/10 1:57 PM, Peter Neumann neum...@csl.sri.com wrote:



Matt Parsons wrote:
 What do you like doing better as application security professionals, web
 penetration testing or static code analysis?

McGovern, James F. (P+C Technology) wrote:
 Should a security professional have a preference when both have
 different value propositions? While there is overlap, a static analysis
 tool can find things that pen testing tools cannot. Likewise, a pen test
 can report on secure applications deployed insecurely which is not
 visible to static analysis.

 So, the best answer is I prefer both...

Both is better than either one by itself, but I think Gary McGraw
would resonate with my seemingly contrary answer:

  BOTH penetration testing AND static code analysis are still looking
  at the WRONG END of the horse AFTER it has left the DEVELOPMENT BARN.
  Gary and I and many others have for a very long time been advocating
  security architectures and development practices that greatly enhance
  INHERENT TRUSTWORTHINESS, long before anyone has to even think about
  penetration testing and static code analysis.

  This discussion is somewhat akin to arguments about who has the best
  malware detection.  If system developers (past-Multics) had paid any
  attention to system architectures and sound system development
  practices, viruses and worms would be mostly a nonproblem!

  Please pardon my soapbox.

The past survives.
The archives
have lives,
not knives.
High fives!

(I strive
to thrive
with jive.)

PGN


Re: [SC-L] What do you like better Web penetration testing or static code analysis?

2010-04-23 Thread Chris Wysopal

Most software security people that I talk to that advocate static analysis and 
pen testing see it as one part of the overall solution.  It is a part of the 
solution that software producers can get started on rather easily to open their 
eyes that they need secure architectures and better development practices.  

The biggest problem I face when dealing with our customers is the developers 
already think they have written secure code.  It is only after you demonstrate 
on their own code that they have exploitable vulnerabilities that anything will be
done to remedy the situation.  This is why static analysis and pen testing are
an important part of driving software security to the masses of developers.

-Chris


-Original Message-
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On 
Behalf Of Gary McGraw
Sent: Thursday, April 22, 2010 3:15 PM
To: Peter Neumann; Secure Code Mailing List
Subject: Re: [SC-L] What do you like better Web penetration testing or static 
code analysis?

I hereby resonate with my esteemed colleague and mentor pgn.  But no puns from 
me.

gem


On 4/22/10 1:57 PM, Peter Neumann neum...@csl.sri.com wrote:



Matt Parsons wrote:
 What do you like doing better as application security professionals, web
 penetration testing or static code analysis?

McGovern, James F. (P+C Technology) wrote:
 Should a security professional have a preference when both have
 different value propositions? While there is overlap, a static analysis
 tool can find things that pen testing tools cannot. Likewise, a pen test
 can report on secure applications deployed insecurely which is not
 visible to static analysis.

 So, the best answer is I prefer both...

Both is better than either one by itself, but I think Gary McGraw
would resonate with my seemingly contrary answer:

  BOTH penetration testing AND static code analysis are still looking
  at the WRONG END of the horse AFTER it has left the DEVELOPMENT BARN.
  Gary and I and many others have for a very long time been advocating
  security architectures and development practices that greatly enhance
  INHERENT TRUSTWORTHINESS, long before anyone has to even think about
  penetration testing and static code analysis.

  This discussion is somewhat akin to arguments about who has the best
  malware detection.  If system developers (past-Multics) had paid any
  attention to system architectures and sound system development
  practices, viruses and worms would be mostly a nonproblem!

  Please pardon my soapbox.

The past survives.
The archives
have lives,
not knives.
High fives!

(I strive
to thrive
with jive.)

PGN


Re: [SC-L] What do you like better Web penetration testing or static code analysis?

2010-04-19 Thread Kevin W. Wall
Matt Parsons wrote:
 What do you like doing better as application security professionals, web
 penetration testing or static code analysis?

McGovern, James F. (P+C Technology) wrote:
 Should a security professional have a preference when both have
 different value propositions? While there is overlap, a static analysis
 tool can find things that pen testing tools cannot. Likewise, a pen test
 can report on secure applications deployed insecurely which is not
 visible to static analysis.

 So, the best answer is I prefer both...

While I realize that both are necessary and each have their own
pros and cons, my personal preference is to do static code analysis,
especially if it involves old-fashioned manual code inspections.

The reason for that is that I like getting closer to the source code.
Maybe that's just because it seems like I'm getting back to
my development roots. (I worked as a developer for the first half
of my career.) I find the advantages of dealing with source code
are that you are able to spot the exact problem as well as offer
more specific fixes. And working at the source code level gives
me more opportunities to work closely with the development teams
where I am able to explain to them in terms of their own code what
is going on and how a vulnerability can be fixed.

When approaching vulnerabilities from a pen testing level, I find
all too often that the developers do not believe that there is anything
wrong or if they do, they don't believe that it is serious enough that
it needs to be fixed. (For instance, it is not uncommon that when
developers are presented with results from a pen test that show that
they have non-persistent (reflective) XSS vulnerabilities present,
that I get the response "Yeah, but that's not going to happen. First
you would have to get an authenticated user to click on that link and
they would never do that." Apparently they don't believe that those
doing phishing ever catch any victims.) However, when I'm dealing with
source code, that objection generally does not come up...perhaps
because I can show them right then and there how to remediate the
issue.

-kevin
-- 
Kevin W. Wall
The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents. -- Nathaniel Borenstein, co-creator of MIME


Re: [SC-L] What do you like better Web penetration testing or static code analysis?

2010-04-15 Thread Matt Parsons
What do you like doing better as application security professionals, web
penetration testing or static code analysis?

I offered my thoughts in today's blog.

http://parsonsisconsulting.blogspot.com/2010/04/what-do-you-like-better-secure-code.html

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668

 
