Researchers Launch Tool To Close The Development-Testing Gap
Current vulnerability scanning tools aren't keeping pace with Web app development technology, Black Hat speakers say.
Today's vulnerability scanners and other bug-finding tools are not keeping up with the fast pace of Web application development, and this growing gap is creating opportunities for attackers, according to a group of security researchers who will discuss the problem at the Black Hat USA conference, a UBM TechWeb event in Las Vegas this week.
"We're shedding light on some areas where applications themselves--and the technologies used in them--have kind of moved on," says Nathan Hamiel, one of the speakers. "But the tools used to test and identify vulnerabilities in those applications haven't really moved on yet.
"When something new [in app development] comes out, developers want to use it, they want to integrate it, they want to be first to develop with it," Hamiel observes. "And testing tools kind of lag behind on that front."
According to Hamiel and his fellow researchers--Justin Engler, Seth Law, and Greg Fleischer, all of them consultants for FishNet Security--most automated tools today offer only a limited scope of testing. The speakers will assert that believe that applications and testing data need to be analyzed by people--not tools--to find the broadest range of impactful vulnerabilities.
"At the end of the day, tools don't find vulnerabilities. People do," Hamiel said. "[Tools] point a knowledgeable person in the right direction to identify whether or not a vulnerability exists. That's lost in translation when people are spending a lot of money on these testing tools."
Others industry experts agree.
"From login mechanism flaws, certain input validation and session management weaknesses, weak passwords, and even gotchas in application logic--there's just too much for the typical tools to uncover," Kevin Beaver, owner of the security consultancy Principle Logic, wrote recently on the topic. "Ditto with mobile devices and other complexities associated with network infrastructures."
Security testing resources are stretched so thin that organizations can only do so much manual testing, which is why semi-automated testing has become popular, the speakers said. But such automation becomes more difficult as people try to leverage the tools in unorthodox ways or write custom scripts to help them do better application inspection.
The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)
Published: 2015-02-27 The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.
Published: 2015-02-27 The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.
Published: 2015-02-27 Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.
Published: 2015-02-27 Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.