Researchers Launch Tool To Close The Development-Testing Gap
Current vulnerability scanning tools aren't keeping pace with Web app development technology, Black Hat speakers say.
Today's vulnerability scanners and other bug-finding tools are not keeping up with the fast pace of Web application development, and this growing gap is creating opportunities for attackers, according to a group of security researchers who will discuss the problem at the Black Hat USA conference, a UBM TechWeb event in Las Vegas this week.
"We're shedding light on some areas where applications themselves--and the technologies used in them--have kind of moved on," says Nathan Hamiel, one of the speakers. "But the tools used to test and identify vulnerabilities in those applications haven't really moved on yet.
"When something new [in app development] comes out, developers want to use it, they want to integrate it, they want to be first to develop with it," Hamiel observes. "And testing tools kind of lag behind on that front."
According to Hamiel and his fellow researchers--Justin Engler, Seth Law, and Greg Fleischer, all of them consultants for FishNet Security--most automated tools today offer only a limited scope of testing. The speakers will assert that believe that applications and testing data need to be analyzed by people--not tools--to find the broadest range of impactful vulnerabilities.
"At the end of the day, tools don't find vulnerabilities. People do," Hamiel said. "[Tools] point a knowledgeable person in the right direction to identify whether or not a vulnerability exists. That's lost in translation when people are spending a lot of money on these testing tools."
Others industry experts agree.
"From login mechanism flaws, certain input validation and session management weaknesses, weak passwords, and even gotchas in application logic--there's just too much for the typical tools to uncover," Kevin Beaver, owner of the security consultancy Principle Logic, wrote recently on the topic. "Ditto with mobile devices and other complexities associated with network infrastructures."
Security testing resources are stretched so thin that organizations can only do so much manual testing, which is why semi-automated testing has become popular, the speakers said. But such automation becomes more difficult as people try to leverage the tools in unorthodox ways or write custom scripts to help them do better application inspection.
The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)
Dark Reading Tech Digest, Dec. 19, 2014Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Published: 2014-12-28 CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.
Published: 2014-12-28 Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.
Published: 2014-12-28 The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...
Published: 2014-12-28 Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...
Published: 2014-12-28 The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...