Researchers Launch Tool To Close The Development-Testing Gap
Current vulnerability scanning tools aren't keeping pace with Web app development technology, Black Hat speakers say.
Today's vulnerability scanners and other bug-finding tools are not keeping up with the fast pace of Web application development, and this growing gap is creating opportunities for attackers, according to a group of security researchers who will discuss the problem at the Black Hat USA conference, a UBM TechWeb event in Las Vegas this week.
"We're shedding light on some areas where applications themselves--and the technologies used in them--have kind of moved on," says Nathan Hamiel, one of the speakers. "But the tools used to test and identify vulnerabilities in those applications haven't really moved on yet.
"When something new [in app development] comes out, developers want to use it, they want to integrate it, they want to be first to develop with it," Hamiel observes. "And testing tools kind of lag behind on that front."
According to Hamiel and his fellow researchers--Justin Engler, Seth Law, and Greg Fleischer, all of them consultants for FishNet Security--most automated tools today offer only a limited scope of testing. The speakers will assert that believe that applications and testing data need to be analyzed by people--not tools--to find the broadest range of impactful vulnerabilities.
"At the end of the day, tools don't find vulnerabilities. People do," Hamiel said. "[Tools] point a knowledgeable person in the right direction to identify whether or not a vulnerability exists. That's lost in translation when people are spending a lot of money on these testing tools."
Others industry experts agree.
"From login mechanism flaws, certain input validation and session management weaknesses, weak passwords, and even gotchas in application logic--there's just too much for the typical tools to uncover," Kevin Beaver, owner of the security consultancy Principle Logic, wrote recently on the topic. "Ditto with mobile devices and other complexities associated with network infrastructures."
Security testing resources are stretched so thin that organizations can only do so much manual testing, which is why semi-automated testing has become popular, the speakers said. But such automation becomes more difficult as people try to leverage the tools in unorthodox ways or write custom scripts to help them do better application inspection.
The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)
Published: 2014-08-20 EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to trigger the download of arbitrary code, and consequently change the product's functionality, via unspecified vectors.
Published: 2014-08-20 Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop before 6.7 SP1 P28 and 6.7 SP2 before P14 allow remote attackers to inject arbitrary web script or HTML via the (1) startat or (2) entryId parameter.
Published: 2014-08-20 EMC Documentum D2 3.1 before P24, 3.1SP1 before P02, 4.0 before P11, 4.1 before P16, and 4.2 before P05 does not properly restrict tickets provided by D2GetAdminTicketMethod and D2RefreshCacheMethod, which allows remote authenticated users to gain privileges via a request for a superuser ticket.