Fwd: Announcement: Releasing CORE GRASP for PHP. An open source, dynamic web application protection system.

[ken at krvw.com (Kenneth Van Wyk)]

FYI, I saw the following tool release announcement over on bugtraq,  
and thought it might be of interest to some of you here.  I know the  
terms "PHP" and "security" in the same sentence often are met with  
laughter here, but what the heck.  If the tool helps a few PHP  
developers write PHP apps that are hardened against SQL injection  
attacks, then why not.

Cheers,

Ken van Wyk
SC-L Moderator

Begin forwarded message:

> From: Ezequiel Gutesman <egutesman at coresecurity.com>
> Date: August 22, 2007 12:26:55 PM EDT
> To: bugtraq at securityfocus.com
> Subject: Announcement: Releasing CORE GRASP for PHP. An open  
> source, dynamic web application protection system.
>
> CORE GRASP for PHP is a web-application protection software aimed at
> detecting and blocking injection vulnerabilities and privacy  
> violations.
> As mentioned during its presentation at Black Hat USA 2007, GRASP is
> being released as open source under the Apache 2.0 license and can be
> obtained from http://gasp.coresecurity.com/.
>
> The present implementation protects PHP 5.2.3 against SQL-injection
> attacks for the MySQL engine, it can be installed with almost the same
> effort as the PHP engine, both in Unix and Windows systems, and
> protection is immediate with any PHP web application running in the
> protected server.
>
> CORE GRASP works by enhancing the PHP execution engine (VM) to permit
> byte-level taint tracking and analysis for all the user-controlled or
> otherwise untrustable variables of the web application. Tainted bytes
> are then tracked and their taint marks propagated throughout the web
> application's runtime. Whenever the web application tries to interact
> with an DB backend using SQL statements that contain tainted bytes,
> GRASP analyzes the statment and detects and prevents attacks or  
> abnormal
> actions.
>
> CORE GRASP was developed by CoreLabs, the research unit of Core  
> Security
> Technologies. At CoreLabs, we plan to improve the tool and include new
> protections shortly. However, the invitation to collaborate with the
> project is open. If you would like to collaborate, please go to the
> GRASP website and subscribe to our mailing list.
>
> Project home: http://grasp.coresecurity.com/
> Documentation, presentation and papers:
> http://grasp.coresecurity.com/index.php?m=doc
> Download: http://grasp.coresecurity.com/index.php?m=dld

-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com




-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2454 bytes
Desc: not available
Url : http://krvw.com/pipermail/sc-l/attachments/20070823/b38f6e87/attachment.bin