Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Black Hat USA
July 31 - August 5, 2021
Las Vegas, NV, USA
SecTor
November 4 - October 30, 2021
Toronto, ON, Canada
Black Hat Europe
November 8-11, 2021
Virtual Event
10/5/2016
02:00 PM
Black Hat Staff
Black Hat Staff
Event Updates
50%
50%

Black Hat Europe 2016 Sponsor Content:
Whats In Your Armoury For Discovering Software Vulnerabilities?

The process of locating, identifying and targeting software vulnerabilities has changed beyond measure in the last 20 years. Automated tools are a huge factor in this and have made the whole process a lot easier, yet subtle and esoteric weaknesses are beginning to creep into software - and they aren't easy to spot.

You can’t picture what a house looks like if all you have to go on is a single brick. You have to look at how the bricks work together and how the house is able to stand upright. To glean the best picture, you also need to know what’s inside the house and what surrounds it. Similarly, in order to gain a full and thorough understanding of the security vulnerabilities in software, it’s important to understand the environment in which the target software will run, the third parties that it depends on, and how every aspect works together, from the source code to the way it handles errors while running.

Gaining a comprehensive understanding of every security vulnerability in a piece of software, and how to mitigate them, requires a vast understanding of what software risks can occur and how they manifest themselves as vulnerabilities. Implementing multiple software analysis techniques can help to make this process easier.

 

5 Approaches 

Manual program analysis. Historically, this was the method researchers would use to look for flaws in software and using a review of software code to understand which parts are vulnerable is still a popular approach today. Researchers can focus on vulnerabilities that will have a high probability of exploitation as opposed to those which result in crashes. At times it’s easy to spot a problem, however, some issues can only be identified by researchers who have an in-depth understanding about one specific program. This is where the automated analysis comes in. 

Dynamic analysis. This involves software testing performed while a program is executing, usually through an automated tool. Here researchers can observe how a program runs and responds to different inputs, for example, causing certain actions to fail by inputting malformed data. Overall this is a solid way to find vulnerabilities as it measures the state of the program in real-time and helps discover vulnerabilities that are extremely difficult to detect by other methods. 

Statistic code analysis. This is another great technique for finding vulnerabilities that does not require execution of a program. Like other methods, researchers can perform an analysis on source code, but it’s important they choose tools that have a deep understanding of programming language syntax, complier and target architecture. But no matter how intelligent the tool is, if the researcher is looking at a fresh code base that has never been exposed to static analysis tools, she will need to prepare for a load of vulnerabilities, many of which may be false positives. 

Static software composition analysis. This looks at the composition of software and dependent third-party components. Although this method can be tricky (as third-party components can themselves be made of third-party software), static analysis techniques are able to find out what libraries are used by looking at package manager metadata or proprietary databases. It is cross-referenced with vulnerability databases such as NIST NVD in order to identify which libraries pose a security risk. This can help to identify weak links and indicators of how these can be exploited. 

Fuzzing. Fuzzing is a popular detection system for researchers. This method of vulnerability discovery uses purpose-built software or hardware to generate and submit test cases into target software. High-profile vulnerabilities are being discovered by more sophisticated fuzzers. The technique has a come a long way in a short time and promises to continue to push the boundaries of vulnerability discovery. 

From the vantage point of the applied end of the security industry, this is a high-level view of the state of software vulnerability discovery in 2016. While much progress has been made in the last 20 or so years, there is still much to be done around enhancing consistency, coverage, automation and vulnerability discovery techniques. 

You can find out more on this topic here.

 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-39339
PUBLISHED: 2021-09-22
The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0.
CVE-2021-38153
PUBLISHED: 2021-09-22
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixe...
CVE-2021-31819
PUBLISHED: 2021-09-22
In Halibut versions prior to 4.4.7 there is a deserialisation vulnerability that could allow remote code execution on systems that already trust each other based on certificate verification.
CVE-2021-38112
PUBLISHED: 2021-09-22
In the Amazon AWS WorkSpaces client before 3.1.9 on Windows, argument injection in the workspaces:// URI handler can lead to remote code execution because of the Chromium Embedded Framework (CEF) --gpu-launcher argument.
CVE-2021-41382
PUBLISHED: 2021-09-22
Plastic SCM before 10.0.16.5622 mishandles the WebAdmin server management interface.