Dailydave mailing list archives

Re: bugs are bad.


From: foofus () foofus net
Date: Tue, 1 Aug 2006 13:18:58 -0500

On Mon, Jul 31, 2006 at 01:52:43PM -0500, John Lampe wrote:
> It would seem that a better methodology for app pen-testing would be to 
> do the code audit and pen-test in conjunction.  The code audit gives you 
> the attack vectors that *should* work, and the pen-test becomes nothing 
> more than a validation for the code audit.

Hear, hear!

When I do application security reviews, I typically structure them
this way.  The pen-test remains, however, slightly more than a 
validation of the code audit.  

It's important to remember that the code doesn't run in a vacuum,
and neither is the source code equal to the app.  Code runs (often
in a compiled form) on a particular system(s), in a specific network
environment, etc.  Interactions between these various strata can
often expose an app to attack.  

For example, I once reviewed a web app where the developers had
bungled their change-to-production processes and accidentally 
exported their CVS tree to their web servers (in both test and
production, alas).  Source code review told me that the code had
problems, but only tinkering with the app could tell me that 
anybody who wanted could also do their own source code review.  :)

I agree that in most cases an app pen-test is insufficient as a
barometer of security, and that the depth and thoroughness of
code review are essential.  At the same time, though, the pen-
test can sometimes discover weaknesses in the app that are not
evident in the code: problems inherited from flaws in third-
party components, problems created by poor administrative tactics,
problems created by foolish users, and trust relationships between
the code and the underlying technologies on which it is built.

Consider the "shatter" class of attacks, for example: they 
don't exploit a weakness in the application's code, per se, but
rather a vulnerability that arises from the way in which the
operating system interacts with user interface components that 
the code exposes.

--Foofus.
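An added example, not part of Foofus's post, of the kind of environment check the CVS anecdote above calls for: walk a deployed document root and report version-control metadata (CVS, and by extension SVN and Git) that a botched export would leave web-accessible. The marker file names and the sample tree are my assumptions, constructed for the demonstration.

```python
"""Check a deployed web document root for version-control metadata
that would be served to anyone who asks for it.  Added example; the
marker names and the sample tree below are assumptions/constructed."""
import os
import tempfile
from pathlib import Path

# Bookkeeping files that a CVS/SVN/Git export leaves behind (assumed set).
VCS_MARKERS = {
    "CVS": ("Entries", "Root", "Repository"),  # CVS per-directory metadata
    ".svn": ("entries", "wc.db"),
    ".git": ("HEAD", "config"),
}


def find_vcs_exposure(docroot):
    """Walk docroot; return sorted web-relative paths of VCS metadata found."""
    root = Path(docroot)
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if name in VCS_MARKERS:
                for marker in VCS_MARKERS[name]:
                    p = Path(dirpath) / name / marker
                    if p.is_file():
                        hits.append("/" + p.relative_to(root).as_posix())
                dirnames.remove(name)  # do not descend into the metadata dir
    return sorted(hits)


def build_sample_docroot():
    """Constructed sample: a docroot with an accidentally exported CVS tree."""
    d = Path(tempfile.mkdtemp(prefix="docroot_"))
    (d / "index.html").write_text("<html>hello</html>\n")
    (d / "CVS").mkdir()
    (d / "CVS" / "Root").write_text(":pserver:dev@cvs.example.invalid:/repo\n")
    (d / "CVS" / "Entries").write_text("/index.html/1.3/Mon Jul 31 2006//\n")
    (d / "admin").mkdir()
    (d / "admin" / "CVS").mkdir()
    (d / "admin" / "CVS" / "Entries").write_text("/login.php/1.9/x//\n")
    return str(d)


if __name__ == "__main__":
    for path in find_vcs_exposure(build_sample_docroot()):
        print("exposed:", path)  # e.g. exposed: /CVS/Root
```

Run it against the real document root of each test and production host; a non-empty result means the repository layout and file history are readable by anyone who can reach the site.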


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
