RE: Fail Open Authentication and Parameter Injection

Hi everybody,
I have to agree with Jeff. We have been doing security code review for almost three years and although this services looks like a very expensive and consuming process, you would not doubt when seeing the results of a code review.

As you know the application is the first point of contact with the end users and it's amazing to see how programmers of important companies forget to remove very sensitive information from within the source code, unauthorized connections to personal devices, bad words/information about the company, personal information, deprecated methods or functions with regards to the programming language, fixed connections to databases, LDAP servers, etc. that can be seen when decompiling binary files, extra functionality than only is activated when the programmer enters "certain" information, etc, etc.

It's really amazing what you can find when reviewing the applications' source code line by line. I think all depends on the security needs every company has.

To tell you the true, I prefer to expect the unexpected and be paranoid, that way I have sweet dreams.

Regards,
Manuel

-----Original Message-----
From: Jeff Williams @ Aspect [mailto:jeff.williams@aspectsecurity.com] Sent: Martes, 25 de Marzo de 2003 03:32 p.m. To: Mads Rasmussen; webappsec@securityfocus.com Subject: Re: Fail Open Authentication and Parameter Injection

Mads wrote:
> > If you don't absolutely trust the developers who wrote your code and
you
> > haven't reviewed it, you're taking an insane risk.

I don't understand why people think code reviews are so time consuming and expensive. Whether you're pentesting or code reviewing, the goal is to find security holes in the software as quickly as possible. Yes, you can "complete" a penetration test in a short amount of time. But what did you really learn? That some (very) small subset of the possible attacks either works or doesn't work?

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

I'm convinced that reviewing/searching/scanning the *code* is far more cost-effective than external scanning or penetration testing. You can complete a code review quickly too. You keep the standard short and don't search too hard. In the end, I believe you'll find more of the most important security holes faster by looking at the code.

Imagine that you need to verify that an application implements a business rule without a security flaw. No matter what, you have to figure out how it 'ought' to work. Once you've done that, how are you going to verify it? If you choose to pentest, someone will bang on the site from the outside and attempt to make it malfunction (they also have to detect that it broke, which ain't trivial). If you choose to review the code, you can identify where the rule is implemented, analyze the code, and make findings.

I'll put my money into code review every time.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com Received on Tue Mar 25 17:42:03 2003