Researchers Launch Tool To Close The Development-Testing Gap
Current vulnerability scanning tools aren't keeping pace with Web app development technology, Black Hat speakers say.
Today's vulnerability scanners and other bug-finding tools are not keeping up with the fast pace of Web application development, and this growing gap is creating opportunities for attackers, according to a group of security researchers who will discuss the problem at the Black Hat USA conference, a UBM TechWeb event in Las Vegas this week.
"We're shedding light on some areas where applications themselves--and the technologies used in them--have kind of moved on," says Nathan Hamiel, one of the speakers. "But the tools used to test and identify vulnerabilities in those applications haven't really moved on yet.
"When something new [in app development] comes out, developers want to use it, they want to integrate it, they want to be first to develop with it," Hamiel observes. "And testing tools kind of lag behind on that front."
According to Hamiel and his fellow researchers--Justin Engler, Seth Law, and Greg Fleischer, all of them consultants for FishNet Security--most automated tools today offer only a limited scope of testing. The speakers will assert that believe that applications and testing data need to be analyzed by people--not tools--to find the broadest range of impactful vulnerabilities.
"At the end of the day, tools don't find vulnerabilities. People do," Hamiel said. "[Tools] point a knowledgeable person in the right direction to identify whether or not a vulnerability exists. That's lost in translation when people are spending a lot of money on these testing tools."
Others industry experts agree.
"From login mechanism flaws, certain input validation and session management weaknesses, weak passwords, and even gotchas in application logic--there's just too much for the typical tools to uncover," Kevin Beaver, owner of the security consultancy Principle Logic, wrote recently on the topic. "Ditto with mobile devices and other complexities associated with network infrastructures."
Security testing resources are stretched so thin that organizations can only do so much manual testing, which is why semi-automated testing has become popular, the speakers said. But such automation becomes more difficult as people try to leverage the tools in unorthodox ways or write custom scripts to help them do better application inspection.
The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)
Published: 2014-07-30 Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 184.108.40.206, Maximo Asset Management 7.5 through 220.127.116.11 and 7.5.1 through 18.104.22.168 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...
Published: 2014-07-30 Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 22.214.171.124, and 7.5 through 126.96.36.199; Maximo Asset Management 7.5 through 188.8.131.52 and 7.5.1 through 184.108.40.206 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...
Published: 2014-07-30 Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.
Published: 2014-07-30 Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.
Published: 2014-07-30 Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request.