Comments on: Static Application Vulnerability Testing: Binary Scanning vs Source Code Scanning http://www.webadminblog.com/index.php/2010/07/22/static-application-vulnerability-testing-binary-scanning-vs-source-code-scanning/ Real Web Admins. Real World Experience. Mon, 06 Feb 2012 14:28:57 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Tony Czarnik http://www.webadminblog.com/index.php/2010/07/22/static-application-vulnerability-testing-binary-scanning-vs-source-code-scanning/comment-page-1/#comment-694 Tony Czarnik Thu, 13 Jan 2011 12:42:24 +0000 http://www.webadminblog.com/?p=474#comment-694 I've worked for a SSCA (source) vendor and now my security firm partners with a SBCA (binary) vendor. A partial list of advantages using binary analysis include: testing the same code the attacker sees, testing the entire software supply chain and greater accuracy (less FPs and less FNs). If you are a developer that is knowledgeable about appsec, are doing agile and have an SSCA plug-in to your IDE, cool, but most developers are security novices at best and although you may not care about your company's COTS vendor security, your management cares alot since PCI, HIPAA etc do and when your PII gets breached bad things happen and all employees feel the pain. I’ve worked for a SSCA (source) vendor and now my security firm partners with a SBCA (binary) vendor. A partial list of advantages using binary analysis include: testing the same code the attacker sees, testing the entire software supply chain and greater accuracy (less FPs and less FNs). If you are a developer that is knowledgeable about appsec, are doing agile and have an SSCA plug-in to your IDE, cool, but most developers are security novices at best and although you may not care about your company’s COTS vendor security, your management cares alot since PCI, HIPAA etc do and when your PII gets breached bad things happen and all employees feel the pain.

]]> By: John Sapp http://www.webadminblog.com/index.php/2010/07/22/static-application-vulnerability-testing-binary-scanning-vs-source-code-scanning/comment-page-1/#comment-655 John Sapp Mon, 23 Aug 2010 03:12:50 +0000 http://www.webadminblog.com/?p=474#comment-655 My thought is that static binary analysis is better utilized during the QA stage as this would allow feature/functionality testing and security testing to be performed concurrently with no impact to schedule. Additionally, the independent validation is a great way to ensure that developers are not bypassing security requirements. When time is a factor, security takes a backseat to feature/functionality so developers will end up ditching anything that gets in the way, which means those expensive tools will not get used and the Total Cost of Ownership and value proposition are washed away. Next, I would suggest reading the following documents for some additional perspective on static binary: "What You See Is Not What You eXecute" http://www.cs.wisc.edu/wpis/papers/wysinwyx05.pdf "Some Bad News and Some Good News" http://msdn.microsoft.com/en-us/library/ms972826 My thought is that static binary analysis is better utilized during the QA stage as this would allow feature/functionality testing and security testing to be performed concurrently with no impact to schedule. Additionally, the independent validation is a great way to ensure that developers are not bypassing security requirements.

When time is a factor, security takes a backseat to feature/functionality so developers will end up ditching anything that gets in the way, which means those expensive tools will not get used and the Total Cost of Ownership and value proposition are washed away.

Next, I would suggest reading the following documents for some additional perspective on static binary:

“What You See Is Not What You eXecute” http://www.cs.wisc.edu/wpis/papers/wysinwyx05.pdf

“Some Bad News and Some Good News” http://msdn.microsoft.com/en-us/library/ms972826

]]> By: Josh http://www.webadminblog.com/index.php/2010/07/22/static-application-vulnerability-testing-binary-scanning-vs-source-code-scanning/comment-page-1/#comment-653 Josh Thu, 22 Jul 2010 21:30:49 +0000 http://www.webadminblog.com/?p=474#comment-653 After talking with one of my developers this afternoon about this, a couple of corrections. First, it sounds like at least in the Java world that this service is likely decompiling binaries into Java byte code and not pure assembly though the sales guy did say "assembly". Second, I'll withdraw my cynicism of the capability for the service to determine the line number of a vulnerability from said assembly (or byte) code. It turns out that by adding a debug flag you are able to get down to a line number from the disassembled code. So if you're using debug for production code, this would likely work as advertised. I guess we'll call that category a draw. After talking with one of my developers this afternoon about this, a couple of corrections. First, it sounds like at least in the Java world that this service is likely decompiling binaries into Java byte code and not pure assembly though the sales guy did say “assembly”. Second, I’ll withdraw my cynicism of the capability for the service to determine the line number of a vulnerability from said assembly (or byte) code. It turns out that by adding a debug flag you are able to get down to a line number from the disassembled code. So if you’re using debug for production code, this would likely work as advertised. I guess we’ll call that category a draw.

]]>