Securing WebApps – A Survey of Vulnerabilities & Static Analysis Tools
Lewis Sykalski
SMU D.E. Software Engineering Student; Lockheed Martin - Flight Simulation Engineer
OWASP 2013 Candidate List
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Known Vulnerable Components
A10 – Unvalidated Redirects and Forwards
Injection
Cross-Site Scripting
CSRF
Insecure Direct Object Reference
What is Static Analysis?
Static program analysis is:
● an analysis method to determine whether vulnerabilities exist by simply looking at the code in a non-dynamic (not running) state.
● Usually the source code is used; however, some tools allow for analysis of object code.
● The most successful tools are the ones that analyze the whole scope of the program in relation to a line of code, as opposed to only analyzing a single line of code at a time, completely independent from the rest of the program.
Dynamic Analysis?
Dynamic analysis:
● analysis of the software while the webapp is running.
● could be performed in either a white-box situation, where everything is known, or a black-box situation, where nothing or very little is known.
Open Source Options

Product      | Ref | License                     | Type                          | Languages                  | Features
LAPSE+       | [2] | Open Source, GNU GPL        | Eclipse plugin                | Java                       | Variable traceback; good for analysis of injection & cross-site scripting
FindBugs 2.0 | [3] | Open Source, GNU LGPL       | Eclipse plugin                | Java                       | Good for general-purpose bugs; slick interface; security-specific detection under-developed
Orizon       | [9] | Open Source, GNU GPL        | Standalone, text-based        | Java, PHP, C, JSP          | Report-based scheme; under-developed; lacking a nice UI; some security detection
SWAAT        | [8] | Open Source, custom license | Standalone, HTML report-based | Java, C#                   | Nice report-based detection; .NET package out-of-date; tool not maintained; does not necessarily focus on security problems
PMD          | [5] | Open Source, BSD            | Eclipse plugin                | Java, JavaScript, XML, XSL | Generic code-quality tool; high-quality user interface; extensible to other security-specific rule-sets
Open Source Options (cont.)

Product    | Ref  | License             | Type                   | Languages | Features
FxCop      | [4]  | Open Source, MS-PL  | VS plugin              | .NET      | Security-specific static analysis; UI built into Visual Studio
RIPS       | [7]  | Open Source, GPL    | Standalone             | PHP       | Professional user interface; security-specific analysis
FlawFinder | [19] | Open Source, GPL    | Standalone, text-based | C++       | Security-specific analysis (injections, overflow, etc.); dangerous-function analysis
PreFast    | [20] | Open Source, MS-PL  | VS plugin              | C++       | General static analysis; UI built into Visual Studio
BrakeMan   | [21] | Open Source, MIT    | Standalone, text-based | Ruby      | Security-specific analysis; strong following
LAPSE+
OWASP LAPSE+
● Java plug-in which integrates tightly with the Eclipse IDE (Helios+, 1.6 JRE+).
● useful for detecting and subsequently analyzing security vulnerabilities due to untrusted data injection in Java webapps.
● operates on the concept of sources and sinks: the source is the point where untrusted data enters (e.g. a cookie or HTTP parameters), and the sink is the point where that data is used to manipulate the behavior of the application (e.g. a servlet response or HTML page).
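The whole-program point from the static analysis definition above (a line is judged in relation to the code that feeds it) and the LAPSE+ source/sink model are the same idea: follow untrusted data from where it enters to where it is used. The following is an added example, not LAPSE+ code (LAPSE+ works on Java inside Eclipse); it shows the model on a constructed Python snippet, and the source, sink and sanitizer names (`request.args.get`, `cursor.execute`, `response.write`, `html_escape`) are assumptions chosen for the illustration.

```python
"""Minimal source-to-sink (taint) analysis over a Python AST.

Added example, not LAPSE+ code. The source, sink and sanitizer names
below are assumptions for the illustration.
"""
import ast

# Calls whose return value is untrusted (e.g. HTTP parameters, cookies).
SOURCES = {"request.args.get", "request.cookies.get", "request.form.get"}
# Calls whose arguments must not carry untrusted data, and what goes wrong if they do.
SINKS = {"cursor.execute": "SQL injection", "response.write": "cross-site scripting"}
# Calls that neutralise the taint for one vulnerability class only.
SANITIZERS = {"html_escape": "cross-site scripting", "int": "SQL injection"}


def qualified_name(node):
    """Render a call target such as request.args.get as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Tracks which vulnerability classes each variable can still carry and
    reports every sink call whose argument carries the matching class."""

    def __init__(self):
        self.tainted = {}   # variable name -> set of vulnerability classes
        self.findings = []  # (line, sink, vulnerability class)

    def taint_of(self, expr):
        """Set of vulnerability classes an expression can carry."""
        if isinstance(expr, ast.Name):
            return set(self.tainted.get(expr.id, ()))
        if isinstance(expr, ast.Call):
            name = qualified_name(expr.func)
            if name in SOURCES:
                return set(SINKS.values())  # fresh untrusted data: every class applies
            carried = set()
            for arg in expr.args:
                carried |= self.taint_of(arg)  # taint passes through ordinary calls
            if name in SANITIZERS:
                carried.discard(SANITIZERS[name])  # except the class the sanitizer handles
            return carried
        if isinstance(expr, ast.BinOp):
            # String concatenation keeps taint from either side.
            return self.taint_of(expr.left) | self.taint_of(expr.right)
        if isinstance(expr, ast.JoinedStr):
            # f-strings: any interpolated value may be tainted.
            carried = set()
            for part in expr.values:
                if isinstance(part, ast.FormattedValue):
                    carried |= self.taint_of(part.value)
            return carried
        return set()  # literals and anything else are trusted

    def visit_Assign(self, node):
        # Assignment propagates taint; assigning a literal kills it.
        taint = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.tainted[target.id] = taint
        self.generic_visit(node)

    def visit_Call(self, node):
        name = qualified_name(node.func)
        if name in SINKS:
            vuln = SINKS[name]
            for arg in node.args:
                if vuln in self.taint_of(arg):
                    self.findings.append((node.lineno, name, vuln))
                    break
        self.generic_visit(node)


def analyze(source):
    """Return [(line, sink, vulnerability class)] for every tainted sink call."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample: two flows reach a sink unsanitized, two are sanitized first.
SAMPLE = '''
user = request.args.get("user")
cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
response.write("<b>" + html_escape(user) + "</b>")
response.write("Hello " + user)
uid = int(request.args.get("id"))
cursor.execute("SELECT * FROM users WHERE id = " + str(uid))
'''

if __name__ == "__main__":
    for line, sink, vuln in analyze(SAMPLE):
        print(f"line {line}: {vuln} via {sink}")
```

Running it on the sample reports the SQL injection on line 3 and the cross-site scripting on line 5 only: `html_escape()` removes the XSS class but not the SQL class, and `int()` does the reverse, which is why a sanitizer is tied to one sink class rather than treated as a blanket "cleaned" flag. Reassignment from a literal kills the taint, so a stale tainted name does not keep producing findings.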
LAPSE+
FindBugs
FindBugs:
● program which uses static analysis to look for bugs in Java code.
● relatively easy to install and purports to find all types of bugs.
● user interface where one can filter between the various bug categories found, a bug review panel which describes the bug in detail with resolution measures, and a Bug Info panel which shows a detailed stack trace and description.
FindBugs
Orizon
OWASP Orizon:
● allows one to perform a security code review over your code, making sure it fits the recommendations contained in the OWASP Build Guide and the OWASP Code Review Guide.
● standalone console-based tool with its own shell engine.
● provides certain commands which, when executed, allow one to model the code, crawl through all traces, and then generate a report for viewing.
Orizon
PMD
PMD:
● static analysis tool for Java source code.
● identifies possible bugs, dead code, suboptimal code, high cyclomatic complexity, and duplicate code.
● extensible rule-set capability for one to create their own rules.
● supports a vulnerability view where the aforementioned problems are displayed, and the Copy-Paste Detector (CPD) view, where one can view copy-pasted code (code that should likely be consolidated into a single logical block).
● GDS PMD Secure Coding Ruleset
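Two of the PMD checks listed above, cyclomatic complexity and copy-paste detection, are simple enough to show end to end. The following is an added example and not PMD's own code (PMD targets Java; this runs the same two rules over Python source); the complexity threshold of 10, the three-statement window and the sample program are constructed for the illustration.

```python
"""Two PMD-style rules over Python source: cyclomatic complexity per function
and a copy-paste detector (CPD) over normalised statement windows.

Added example, not PMD's own code; threshold, window size and sample are constructed.
"""
import ast
import copy
import hashlib
from collections import defaultdict

# Each of these adds one independent path through the function.
DECISION_NODES = (ast.If, ast.For, ast.While, ast.IfExp, ast.ExceptHandler, ast.comprehension)


def cyclomatic_complexity(func):
    """McCabe complexity: 1 + decision points + extra operands of and/or."""
    count = 1
    for node in ast.walk(func):  # nested functions are counted with their parent
        if isinstance(node, DECISION_NODES):
            count += 1
        elif isinstance(node, ast.BoolOp):
            count += len(node.values) - 1
    return count


def functions(tree):
    return [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]


def complexity_report(source):
    """Map function name -> cyclomatic complexity."""
    return {f.name: cyclomatic_complexity(f) for f in functions(ast.parse(source))}


def too_complex(source, threshold=10):
    """Names of functions at or above the (assumed) report threshold."""
    return [name for name, cc in complexity_report(source).items() if cc >= threshold]


def normalised_dump(stmt):
    """Dump a statement with identifiers and literals replaced by placeholders,
    so a copy whose variables were renamed still hashes the same."""
    clone = copy.deepcopy(stmt)
    for node in ast.walk(clone):
        if isinstance(node, ast.Name):
            node.id = "VAR"
        elif isinstance(node, ast.Constant):
            node.value = "CONST"
    return ast.dump(clone)


def find_duplicates(source, min_statements=3):
    """Groups of (function, first line) whose next `min_statements` statements
    are structurally identical; each group is one copy-paste finding."""
    seen = defaultdict(list)
    for func in functions(ast.parse(source)):
        body = func.body
        for i in range(len(body) - min_statements + 1):
            window = body[i:i + min_statements]
            text = "\n".join(normalised_dump(s) for s in window)
            digest = hashlib.sha256(text.encode()).hexdigest()
            seen[digest].append((func.name, window[0].lineno))
    return [places for places in seen.values() if len(places) > 1]


# Constructed sample: two renamed copies of one routine, plus one tangled function.
SAMPLE = '''
def lookup_user(db, name):
    rows = db.query(name)
    if not rows:
        return None
    record = rows[0]
    return record

def lookup_group(db, gid):
    items = db.query(gid)
    if not items:
        return None
    entry = items[0]
    return entry

def risky(a, b, c, d):
    if a and b or c:
        for i in range(d):
            if i % 2:
                while a:
                    a -= 1
    try:
        pass
    except ValueError:
        pass
    except KeyError:
        pass
    return a if b else c
'''

if __name__ == "__main__":
    print("complexity:", complexity_report(SAMPLE), "flagged:", too_complex(SAMPLE))
    for group in find_duplicates(SAMPLE):
        print("copy-paste:", group)
```

The CPD half deliberately hashes the tree shape, not the text: `lookup_user` and `lookup_group` share no variable names, yet every three-statement window of one has a twin in the other, which is the consolidation case the slide describes. `risky` reaches a complexity of 10 from one `if`, two boolean operators, a loop, a nested `if`, a `while`, two `except` clauses and a conditional expression, and is the only function the threshold flags.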
PMD
FlawFinder
Flawfinder:
● a tool that works on C++ source code.
● console-based and specifically targets security vulnerabilities.
● works by using a built-in database of C/C++ functions with well-documented security problems, such as “buffer overflow risks (e.g., strcpy(), strcat(), gets(), sprintf(), and the scanf() family), format string problems ([v][f]printf(), [v]snprintf(), and syslog()), race conditions (such as access(), chown(), chgrp(), chmod(), tmpfile(), tmpnam(), tempnam(), and mktemp()), potential shell metacharacter dangers (most of the exec() family, system(), popen()), and poor random number acquisition (such as random())”. [19]
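A dangerous-function database of the kind the bullet quotes is essentially a ruleset of identifiers plus a lexer that knows enough C to skip comments and string literals. The following is an added example, not Flawfinder's own code: a scanner over a constructed C sample using a small subset of the function classes quoted above. The risk levels and advice strings are assumptions for the illustration, and the constant-format check for `printf()` shows the kind of refinement that keeps a lexical scanner's false positives down.

```python
"""Flawfinder-style scan of C source for calls to functions with well-known
security problems.

Added example, not Flawfinder's own code; risk levels, advice and the C
sample are constructed and cover only a subset of Flawfinder's database.
"""
import re

# function -> (risk level 1-5, problem class, safer alternative); levels are assumed.
RULESET = {
    "gets":    (5, "buffer overflow", "fgets() with a size"),
    "strcpy":  (4, "buffer overflow", "strncpy()/strlcpy() or snprintf() with a bound"),
    "strcat":  (4, "buffer overflow", "strncat()/strlcat()"),
    "sprintf": (4, "buffer overflow", "snprintf()"),
    "scanf":   (4, "buffer overflow", "a field width on every %s"),
    "printf":  (4, "format string", "a constant format string"),
    "vprintf": (4, "format string", "a constant format string"),
    "system":  (4, "shell metacharacters", "execve() with an argument vector"),
    "popen":   (4, "shell metacharacters", "fork()/execve() with an argument vector"),
    "access":  (4, "race condition (TOCTOU)", "open() then fstat() on the descriptor"),
    "tmpnam":  (3, "race condition", "mkstemp()"),
    "random":  (3, "poor randomness", "a CSPRNG such as getrandom()"),
}

# One pass over comments and string literals, left to right, so a "//" inside
# a string or a quote inside a comment cannot confuse the other rule.
TOKEN_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.S)
CALL_RE = re.compile(r'\b([A-Za-z_]\w*)\s*\(')


def normalise(source):
    """Blank out comments (keeping newlines so line numbers survive) and
    collapse string literals to "", so text inside them is never matched."""
    def repl(match):
        token = match.group(0)
        if token.startswith('"'):
            return '""'
        return re.sub(r'[^\n]', ' ', token)
    return TOKEN_RE.sub(repl, source)


def scan(source, min_level=1):
    """Return [(line, function, level, problem class)] in source order."""
    findings = []
    for lineno, line in enumerate(normalise(source).splitlines(), 1):
        for match in CALL_RE.finditer(line):
            name = match.group(1)          # whole identifier, so my_strcpy() is not strcpy()
            if name not in RULESET:
                continue
            level, problem, _advice = RULESET[name]
            after_paren = line[match.end():].lstrip()
            if problem == "format string" and after_paren.startswith('"'):
                continue                   # constant format string: not a format-string bug
            if level >= min_level:
                findings.append((lineno, name, level, problem))
    return findings


# Constructed C sample mixing real hits with the usual false-positive traps.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* strcpy(dst, src) mentioned in a comment: must not be reported */
void greet(const char *name)
{
    char buf[64];
    strcpy(buf, name);                       /* unbounded copy */
    snprintf(buf, sizeof buf, "%s", name);   /* bounded alternative, not flagged */
    printf("hello %s\n", buf);               /* constant format: not flagged */
    printf(buf);                             /* format comes from data */
    puts("run system(\"ls\") later");        /* call text inside a string literal */
    system(name);                            /* shell metacharacter risk */
    my_strcpy(buf, name);                    /* different identifier */
    if (access(name, R_OK) == 0) { }         // TOCTOU race
}
'''

if __name__ == "__main__":
    for lineno, name, level, problem in scan(SAMPLE_C):
        print(f"{lineno}: [{level}] {name}() -> {problem}; prefer {RULESET[name][2]}")
```

On the sample the scanner reports `strcpy()`, `printf(buf)`, `system()` and `access()` and nothing else: the comment on line 6, the `system(...)` text inside a string literal, the `my_strcpy()` identifier and the constant-format `printf()` are all skipped. That is the trade-off the slide's "dangerous function analysis" implies: no data-flow, so a bounded `strncpy()` with a wrong length would also pass, but the output is cheap to produce and easy to triage by risk level.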
FlawFinder
RIPS
RIPS:
● written in PHP, and for PHP specifically, to find vulnerabilities.
● can create a program model of the source code.
● can detect vulnerable functions (sinks) that can be reached by malicious user input. Additionally, an audit framework is provided for further analysis in an IDE-style visual user interface.
● claims to detect XSS, SQL Injection, LFI/RFI, and RCE vulnerabilities.
RIPS
Commercial Tools

Product              | Ref  | License    | Type       | Languages                  | Features
Fortify              | [10] | Commercial | Standalone | 20 different languages     | Professional user interface; security-specific detection/focus
Coverity             | [16] | Commercial | Standalone | C++, Java, C#              | Professional user interface; security-specific detection/focus
Insight              | [17] | Commercial | Standalone | C++, Java, C#              | IDE & static code analyzer; generic quality detection/focus
Parasoft             | [18] | Commercial | Standalone | C++, Java, .NET            | IDE & static code analyzer; security-specific detection/focus
Veracode             | [14] | Commercial | Standalone | C++, Java, C#              | Professional user interface; security-specific detection/focus
IBM Security AppScan | [15] | Commercial | Standalone | C++, Java, C#, Objective C | Professional user interface; centralized security scanning; data consolidation
Checkmarx            | [13] | Commercial | Standalone | 15 languages               | Professional user interface; security-specific detection/focus
CodeSecure           | [12] | Commercial | Standalone | 10 languages               | Professional user interface; security-specific detection/focus
CodeSonar            | [11] | Commercial | Standalone | Java, C++                  | General defect detection; some security-specific & threading checks
References
1. OWASP Top-10: https://www.owasp.org/index.php/Top_10_2013-Top_10
2. LAPSE+: http://evalues.es/downloads/owasp/LapsePlus_Tutorial.pdf
3. FindBugs: http://findbugs.sourceforge.net/
4. FxCop: http://msdn.microsoft.com/en-us/library/bb429476(VS.80).aspx
5. PMD: http://pmd.sourceforge.net/
6. RATS: https://www.fortify.com/ssa-elements/threat-intelligence/rats.html
7. RIPS: http://rips-scanner.sourceforge.net/
8. SWAAT: https://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
9. Orizon: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
10. HP Fortify: http://www8.hp.com/us/en/software-solutions/software.html?compURI=1338812#.UXvVjxzREQc
11. CodeSonar: http://www.grammatech.com/codesonar
12. Armorize CodeSecure: http://www.armorize.com/codesecure/
13. CheckMarx: http://www.checkmarx.com/technology/static-code-analysis-sca/
14. Veracode: http://www.veracode.com/
15. IBM Security AppScan: http://www-01.ibm.com/software/rational/products/appscan/source/
16. Coverity: http://www.coverity.com/products/static-analysis.html
17. Klocwork Insight: http://www.klocwork.com/products/insight.asp
18. Parasoft Static Analysis: http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547
19. FlawFinder: http://www.dwheeler.com/flawfinder/
20. PreFast: http://msdn.microsoft.com/en-us/library/ms933794.aspx
21. BrakeMan: http://brakemanscanner.org/
22. PMD GDS Ruleset: https://github.com/GDSSecurity/GDSPMDSECRULES
23. PMD Rulesets: http://pmd.sourceforge.net/pmd-5.0.3/rules/index.html#Security_Code_Guidelines