I just read an awesome blog post at “Schmoilitos Way” that describes a scenario in which someone ran a static analysis tool, found a vulnerability, patched it with a faulty input validation routine, and then re-ran the scan, this time telling the scanner that the validation routine clears tainted input. Big mistake!
This application had been pen-tested before. It had also been scanned using a popular commercial static analysis tool, and had gotten a clean bill of health. So, let's just say that management was a little, um, curious about why this bug was still alive and well. And by curious, I actually mean furious.
So what went wrong? After the first pen-test, the blatant directory traversal bug was "fixed" with a new validation routine that scrutinized the end of the file name. This new routine was declared a validation routine in the static analysis tool, and any subsequent data flows that passed through it were considered safe. Game over. Hooray for tools!
Last year, when IBM came out with the first edition of AppScan Developer Edition, it contained a new and promising technology called “String Analysis”. There was some buzz around it, but most people didn’t quite understand why they would need it or what it is good for. The scenario described in the blog post above is a textbook example of why String Analysis is important.
String analysis removes the need to configure input sanitizers and validators when scanning your code. It does this by inferring the constraints on a given string, and from them the set of values that string can possibly hold at a given point in the program.
This means that even when a developer has written code that performs input validation, String Analysis can analyse that validation code itself and determine whether the vulnerability still exists, instead of taking the routine's correctness on trust because someone declared it a sanitizer.
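To make the difference concrete, here is an added example (my own constructed code, not from the Schmoilitos Way post and not IBM's String Analysis implementation). `weak_validate` is a stand-in for the suffix-only check the post describes; `strict_validate` and `resolve_within` are a hardened pure-string check and its run-time counterpart. `reachable_values` is a deliberately crude model of what a string analyser computes: the set of values a string can hold after the validator, here found by bounded enumeration over a tiny alphabet rather than the automata a real analyser would use. The function names, the `.txt` extension and the `/srv/data` base directory are all my assumptions.

```python
import os
from itertools import product


# Constructed stand-in for the kind of "validation" the post describes: it only
# inspects the end of the file name.  A taint-tracking tool that has been told
# this is a sanitizer will mark everything flowing through it as clean.
def weak_validate(name: str) -> bool:
    return name.endswith(".txt")


# Pure-string check that actually constrains the value: relative path, no
# empty, "." or ".." segments, and the expected extension.
def strict_validate(name: str) -> bool:
    if not name.endswith(".txt") or name.startswith("/"):
        return False
    return all(seg not in ("", ".", "..") for seg in name.split("/"))


# Run-time counterpart: canonicalise and confirm the result stays under base,
# so symlinks and other filesystem tricks cannot undo the string check.
def resolve_within(base: str, name: str) -> str:
    if not strict_validate(name):
        raise ValueError(f"rejected file name: {name!r}")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"path escapes base directory: {name!r}")
    return target


# Bounded model of a string analysis: every string over `alphabet` up to
# `max_len` characters that survives the validator is a value the program
# can see downstream of it.  (Exhaustive enumeration is only feasible for
# a toy alphabet; a real analyser represents this set symbolically.)
def reachable_values(validator, alphabet: str = "./tx", max_len: int = 8) -> set:
    values = set()
    for n in range(1, max_len + 1):
        for chars in product(alphabet, repeat=n):
            s = "".join(chars)
            if validator(s):
                values.add(s)
    return values


def has_traversal_segment(s: str) -> bool:
    # A ".." path segment is the property a directory-traversal finding hinges on.
    return ".." in s.split("/")


def traversal_survives(validator, **kw) -> bool:
    """True if some value that passes `validator` still contains a '..' segment."""
    return any(has_traversal_segment(v) for v in reachable_values(validator, **kw))


if __name__ == "__main__":
    for v in (weak_validate, strict_validate):
        print(f"{v.__name__:16s} traversal still possible: {traversal_survives(v)}")
```

Declaring `weak_validate` a sanitizer in a taint-tracking configuration silences the finding; asking what values can reach the file-open call after it, as `traversal_survives` does, reports that a `..` segment still gets through, which is the question String Analysis is meant to answer without any configuration.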
Keep an eye on upcoming versions of AppScan Source Edition, which will probably include more cutting-edge technologies from IBM Research.