David Spark here reporting for Tripwire at the 2010 RSA Conference in San Francisco.
Jeremiah Grossman, CTO and Founder of WhiteHat Security and Jacob West, Director of Security Research at Fortify both spoke to the process of dynamic and static analysis of your applications for building security into your software (Watch my video interview with both of them after the presentation, “Where is your software most vulnerable?”). That in a nutshell is WhiteHat Security’s focus. Jeremiah pointed out that while most of a company’s budget goes to applications, we spend the least amount of money securing those applications.
To secure an application during development, a combination of dynamic and static analysis is necessary. Each process has benefits and drawbacks, and the two are complementary.
Dynamic analysis is the process of testing the software while it runs. It is also known as Web application scanning, penetration testing, and black box testing. Its benefits are that it is quick and easy to get started and it reproduces a hacker's point of view: whatever it finds is, by construction, reachable from the outside. Its drawbacks are that it is difficult to exercise the entire application (code behind authentication, in unusual states, or on inputs the scanner never generates simply goes untested) and that it gives no code-level detail, so when you do find a vulnerability you still cannot point to the specific line of code that causes it.
Static analysis is the process of analyzing your source code, binary, or byte code without running the program. One benefit is coverage: because it reads the code rather than probing it, it can examine all of the code it is given, which dynamic analysis cannot guarantee. The other benefit is that it can be done early in the software development life cycle (SDLC), before there is anything deployable to scan. The drawback is the volume of output. Precisely because it is so comprehensive, you get a mountain of findings, and every one of them requires review to decide whether it is reachable and exploitable.
Correlating dynamic and static analysis saves time and money, because each method fills the other's gaps: both when building code and applications, and when seeking and fixing vulnerabilities.
WhiteHat Security provides these three tips:
- Use static analysis to assess and improve the completeness of dynamic tests.
- Use dynamic analysis to narrow down static analysis results to those that are exploitable.
- Use the combined view of the program under test to better inform auditing and remediation activities.
Know your different types of attackers
You don’t want to just protect your software in the abstract; you want to understand the three different kinds of attackers, and secure against their techniques and motivations. The three types of attackers are:
The first kind, fully automated and indiscriminate:
- Fully automated scripts
- Unauthenticated scans
- Targets chosen indiscriminately
The second kind, tool-assisted and willing to log in:
- Commercial/open source tools
- Authenticated scans
- Multi-step processes
The third kind, targeted and hands-on:
- Customize their own tools
- Focused on business logic
- Clever and profit driven
The list maps back to the testing methods above: an unauthenticated scan only exercises what the first kind of attacker sees, an authenticated, multi-step scan approximates the second, and the business logic flaws the third kind goes after are the ones neither an automated scanner nor a static analyzer finds reliably, so they need manual review.
WhiteHat studies reveal that 83 percent of websites have had a high, critical, or urgent issue, and 64 percent of websites currently have one. Not only do you want to be able to reveal vulnerabilities quickly, you also want to fix them quickly. When you get hit, fixing the vulnerability takes weeks to months, because the code is your own proprietary software: you can’t just download a patch from Microsoft to solve your problem. It can be a big hit to your business development, as you’ll have to take developers off a revenue generating application to fix the vulnerability.
Check out more of Tripwire’s coverage from the 2010 RSA Conference in San Francisco.