SlideShare a Scribd company logo

A Platform for Application Risk Intelligence

Checkmarx
Checkmarx

Using Source Code Understanding as a Risk Barometer: Source Code Analysis technologies have significantly evolved in recent years – making improvements in precision and accuracy with the introduction of new analysis techniques like flow analysis. This article describes this evolution and how the most advanced capabilities available today like query-based analysis and Knowledge Discovery can be leveraged to create a platform for Application Risk Intelligence (ARI) to help implement a proactive security program.

Technology
1 of 6
Download to read offline
AUFSÄTZE DuD • Datenschutz und Datensicherheit 1 | 2008 1 Maty Siman Platform for Application Risk Intelligence Using Source Code Understanding as a Risk Barometer Source Code Analysis technologies have significantly evolved in recent years - making improvements in precision and accuracy with the introduction of new analysis techniques like flow analysis. This article describes this evolution and how the most advanced capabilities available today like query-based analysis and Knowledge Discovery can be leveraged to create a platform for Application Risk Intelligence (ARI) to help implement a proactive security program. As attacks become more financially moti- vated,andasorganizationsgetbetteratse- curing their network, desktop and server infrastructure, there has been a steady shift in cyber attacks to the application level. To address these new risks, several technology markets for application secu- rity have emerged including what Gartner calls Static Application Security Testing (SAST). Can we really use Source Code Analysis (SCA) to detect vulnerabilities in a way that will give us satisfactory risk assur- ance? The answer varies; we are able to find problems with sufficient accuracy if they are manifested in commonly known sequences like a SQL injection. Many flaws however are presented in the specif- ic implementation of the applications business logic1 , and adopting the standard 1  OWASP (Open Web Application Security Proj- ect) is considered as the focal point for all applica- tion-security related information. http://www. owasp.org/index.php/Businss_logic_vulnerability analysis to handle these proprietary se- quences make the task almost impossible. The reason is that current technologies, even those employing flow analyses, are based on “black-box” implementation and thereforecanonlyhandleknownsequenc- es. A probable detection method of suspi- cious sequences can be through the iden- tification of an irregularity within a set of common sequences. Enabling detection of proprietary and stochastic sequences re- quires implementation of an open plat- form for application understanding, which not only finding basic vulnerabili- ties but also provides systematic applica- tion risk intelligence. The key enabler of such a platform is the exposure of all application building blocks like data structure and flow using an ab- stractive model common to all languages and storing the wealth of know-how in a persistent store like data base. Once the application is exposed we must provide tools to model the known and proprietary sequences as well as exposing irregulari- ties in the common sequences. In this ar- ticle, we define the required solution ele- ments. It concludes by presenting refer- ence architecture to such a platform. Exposing a common language representation Source code is inherently structured con- taining static elements like functions and variables as well as dynamic elements like control and data flow. The static elements can be modeled into a data structure re- ferred as “CodeDom” 2 . This is usually one of the first steps taken by some compilers’ frontend. CodeDom makes it possible for thecompilerto“understand”thecodeand create a byte/binary code thereof. The CodeDom is an object-oriented structure which represents the static nature of the code. It contains all elements that make the code, such as namespaces, classes, methods, data members and statements. The hierarchy of the CodeDom matches the respective scope in the code. The pro- cess of converting source code into DOM, where all the symbols are resolved is a tricky job that encompasses fine parsing and resolving details. Compilers do this job very well, as part of their frontend ac- tion, so SCA tools usually tend to rely on the intermediate code created by the com- piler as the starting point of their analysis. This method, although saving develop- ment efforts, has certain drawbacks (e.g. inability to scan code fragments and un- 2  There are several implementations of Code- Dom. The one used by Microsoft is the closest in meaning to the CodeDom developed by Checkmarx and used in this article. http://msdn.microsoft.com/ en-us/library/system.codedom.aspx Maty Siman is a technology and security expert. He founded Checkmarx in 2006 to share his innovations in appli- cation security based on experience he gained in securing intelligence systems. E-Mail: maty@checkmarx.com
2 DuD • Datenschutz und Datensicherheit 1 | 2008 AUFSÄTZE compiled code) that will be discussed be- low. Another alternative is to develop a Virtual Compiler (VC) that suits the exact needs of the Code Analysis product. After the code has been modeled, it can be stored in a persistent OODB3 (Object Ori- ented Data Base) in a query-able format. Having the code stored in an OODB shifts the view of the code from a flat represen- tation into 3D query-able and correlate- able format. It’s then easy to find interest- ing code structures on demand, efficient- ly and with full flexibility. Example It becomes easy to find dead-methods (methods that are never called). We need to write a query that looks in the database for all method declarations that do not have a matching invocation statement. The exact query will be shown in the next chapter. On top of the CodeDom, which represents static properties of the code, it is possible to compute the Data Flow Graph, Control Flow Graph and Control Dependency Graph (DFG, CFG and CDG – respective- ly). It enables tracing and understanding of the dynamic flows of the application. It can reveal for example how a specific val- ue affects the application behavior and de- termines the effect of a certain condition statement. Formal and unified modeling of these graphs, allows us to store them in the same database as the CodeDom, and enables true correlation between the two by using simple query form. Example A query can be used to conduct impact analysis, in order to understand how changing a Boolean value from True to False, affects the course of the application. Query Language Once we have a persistent OODB filled with all the code properties of a scanned application, it is possible to flexibly query4 it and search for any code sequence that’s 3  http://odbms.org 4  There were a few attempts to formalize a query language for OODB. Most notable is OQL from ODM: http://publib.boulder.ibm.com/infocenter/tivihelp/ v8r1/index.jsp?topic=/com.ibm.netcool_precision. doc/pr35se/xF1118340.html in this article we chose to use CxQL as defined by Checkmarx as it better suites code analysis techniques. either known or proprietary. The syntax of the query language shown here is simi- lar to C#, with added commands and data types, such as CxList, It represents an ar- ray of CodeDOM/Flow elements. DOM Queries To demonstrate what can be achieved us- ing a query language, we must first write a query that finds uncalled methods. Then we find all method declarations and put it in a list, finally we remove all declarations from this list that have been called with a matching method-invoke statement. // Find all Method Declaration in the code CxList MethodDeclaration = All. FindByType(typeof(MethodDecl)); // Find all Method Invocations in the code CxList MethodInvokes = All.FindBy Type(typeof(MethodInvokeExpr)); // Find the matching declarations of the // invocation we found CxList DeclarationOfInvokes = All.FindAllReferences(Method Invokes); // Get the “dead” declarations Return MethodDeclaration – DeclarationOfInvokes; Flow Queries We can take it one step further and use the DFG information and conduct an impact analysis by finding all the places which will be affected by changing the initializa- tion value of a variable called “s”. // Look for the place where “s” is declared CxList DeclaratorOfS = All.FindBy Type(typeof(Declarator)).FindBy ShortName(“s”); // Find all places which are “data-influ- enced by” // the value assigned to “s” at its declaration Return All.DataInfluencedBy (DeclaratorOfS); Thedatabasecanprovideasaresultthefull reasoning of the impact, tracing it from source to target and backward (Fig. 1). Security-Related Queries Aswehaveseen,itispossibleto“ask”the database any question about the code, ei- ther static or tracing flow properties. A subset of these questions is security related and based on commonly known security sequences. In order to find SQL Injection5 vulnerabilitieswetraceitintheapplication usingthefollowingsimplequerythatlooks for all the database-access in the code and is directly influenced by the user’s input without being sanitized properly: // Find all places where a database is ac- cessed CxList db = Find _ DB(); // Find all interactive user inputs CxList inputs = Find _ Interactive _ Inputs(); // Find places where user input is sanitized CxList sanitized = Find _ Sanitize(); // Return all database access which are // influenced by an input but not sanitized Return db.InfluencedByAndNot Sanitized(inputs, sanitized); Wecancontinuewiththesecondexample. In web applications, static variables are shared among all users that access the sys- tem simultaneously. This means that if a value of a static variable is affected by a us- er’s input, it may be overwritten by other users. This results in race condition. To trace such a sequence we can use a query that finds all the places where the static variable is influenced by the user input: // Find all static variables CxList statics = All.FindAll References(All.FindByField Attributes(Modifiers.Static)); 5  http://www.owasp.org/index.php/SQL_Injection Figure 1 | Flow-graph reasoning retrieved from database
AUFSÄTZE DuD • Datenschutz und Datensicherheit 1 | 2008 3 // Return places where static variable is as- signed // a value retrieved from user Return Find _ Interactive _ Inputs().DataInfluencingOn (statics); As said, many security-related issues are manifested in commonly known sequenc- es and modeling is therefore generic. The platform provider should supply out-of- the-box templates to discover these se- quences. This is true for other applications leveraging the open platform like: Coding standards enforcement, Quality assurance and more. Business Logic Flaws This brings us to an even more challeng- ing aspect – the Business Logic Flaws which are usually manifested in proprie- tary code sequences. The examples we saw previously are considered to be “technical vulnerabilities” since they might affect whatever the actual business is that’s served by the application i.e. a book store, bank or an internet provider. With “Busi- ness Logic Flaws” it is possible to find vul- nerabilitiesthatarespecifictothebusiness process supported or enabled by the appli- cation. Although this sets a higher chal- lenge bar, it is possible to model many of these sequences using the query language. A common functionality in shopping carts used by any online store is the abili- ty to change the quantity of items for pur- chase. In order to calculate the total amount to be paid, the system has to mul- tiply the quantity of items the user wishes to purchase with the unit price of the item. A scenario which is often overlooked occurs when a user types in a negative quantity6 of items to be purchased. In such case, when an appropriate condition is not properly set, the total amount might be drastically lower than the true value, or even negative. Usually the best way to avoid this is by simply adding in the appli- cation a condition that verifies the quanti- ty is greater than zero. In most cases such edits will prevent the risk but if the edits are neglected they can cause a fraudulent event. We can model this using a query which finds all variables called “quantity” or similar, which are influenced by user 6  It is interesting to see PayPal’s specification on this: https://cms.paypal.com/us/cgi-bin/?cmd=_ render-content&content_ID=developer/e_howto_ api_ECCustomizing input and sent directly to the database, but their value is never checked to be positive. A skeleton of such query might look like the following: // Find all variables that hold a quantity. CxList qty = All.FindByRegex (“q.t.y”); // All qunatities that are influenced by user input CxList inp _ qty =qty.Data InfluencedBy(Find _ Interactive _ Inputs()); // All Binary Expressions that compare Qty // with 0 CxList checking = All.FindBy Type(typeof(BinaryExpr). DataInfluencedBy(qty). DataInfluencedBy(All.FindBy Name(“0”)); <…cont…> <…cont…> // All DB that are set from the above Qty vars CxList db _ inp _ qty = Find _ DB(). DataInfluencedBy(inp _ qty); // Return all DB that are set user controllable // Qty which is never compared to 0 Return db _ inp _ qty -db _ inp _ qty.ControlInfluencedBy(checking); The example above, although schematic and specific to the described scenario, can be used as a template to any business case in which there is a need to make sure in- put from user is non-negative (number of students in a course, number of travelers in a flight, number of tickets to buy). Merely the Regex pattern should be changed. Another example of a business logic- flaw can be found in an online store where it is essential to maintain tenant level pri- vacy. It is imperative to find all the places where a customer might have access to other customers’ orders. Modeling it into query might look for all SQL statements Figure 2 | Class Hierarchy created by query Figure 3 | 3D Control Flow Graph of an Application
4 DuD • Datenschutz und Datensicherheit 1 | 2008 AUFSÄTZE that Select values from the “T_Orders” ta- ble, where the “Where” clause is not influ- enced by the current user ID. Again, this can be used as a template query for simi- lar business scenarios. Application Understanding The queries discussed so far were made possible thanks to the fact that code infor- mation was stored in a query-able data- base. It is also possible to take further ad- vantage of the database storage and extend the discovery to finding new vulnerabili- ties and better understanding the existing ones. Abstracting Vulnerabilities When applying a query on a code base, each result represents a single security breach or a business risk. Although it pro- vides great value to find these issues, it is possible to take it to a higher abstraction level, in such a way that the results will be presented in a graphical way and reveal the correlation between results. This ap- proach proved to be useful in better un- derstanding the code at hand, and finding the best way to fix vulnerabilities. A sample query that models the class hi- erarchy will be simply - // Look for the place where “s” is declared CxList BaseClass = All.FindBy Type(typeof(ClassDecl)); Return = All.InheritsFrom (BaseClass); And the graphical representation of the re- sults will look like a class hierarchy (Fig. 2). A more sophisticated query that re- quires 3D modeling capabilities7 models the CFG on the XY axis, and the call stack on the Z axis - the currently watched func- tion is the closest CFG, and the called functions can be seen farther in the graph. Usually CFG is modeled as 2D graph that shows the flow of a function (or an appli- 7  Some papers discuss the visualization effect of source code: [Young97] Peter Young and Malcolm Munro “A New View of Call Graphs for Visualising Code Structures” http://citeseer.ist.psu.edu/57145.html [Burd96] E.L. Burd, P.S. Chan, I.M.M. Duncan, M. Munro and P. Young, “Improving Visual Representa- tions of Code” http://www.dur.ac.uk/~dcs3py/pag- es/work/Documents/tr-10-96 cation if we deal with interprocedure CFG). Call graph is also modeled as 2D graph where each function is a vertex and function call is an edge of the graph. We can combine both graphs to a single, 3D graph so the developer can see closer the CFG of the function she is interested in, and farther away the called function, so atthesametimeshecanfocusonthefunc- tion at hand as well as have a quick glance on the called function. Taking this to debugging activities, a developer has to choose whether he wants to “Step-Over” or “Step-Into” a function call. Using this graph, the developer can virtuallydobothatthesametime–seethe called code, without losing the context of the calling function. In Fig. 3, the CFG of the application can be seen clearly, where function calls are places farther on the Z axis. Employing these graphical capabilities to the Risk Intelligence realm reveals inte- resting correlations and leads to accurate- ly identifying the „Best-Fix-Location”. Looking for SQL Injection in an open- source application led to 10 findings. Instead of taking care of the 10 individual results, modeling these into one graph Figure 4 | Example of a Vulnerabilities Relation Graph
AUFSÄTZE DuD • Datenschutz und Datensicherheit 1 | 2008 5 (Fig. 4) shows clearly how these issues re- late to each other: It can be seen that there are very few of- fending input commands in the system (marked in gray), and most of the vulne- rabilities pass through a single junction8 (stripes), which might be a good place to consider putting in place input-validation mechanisms as well as sanitizing the user data. 8  Basically, this can be found using max-flow/ min-cut algorithm: www.sce.carleton.ca/faculty/ chinneck/po/Chapter9.pdf Code Mining The fact that the code is no longer a mere text file but rather an actual information source stored in an OODB permits us to perform KDD9 (Knowledge Discovery in Databases) techniques. KDD unveils in- teresting previously unknown sequences 9  The field of KDD (Knowledge Discovery in Da- tabase) is very large. One of the most cited articles in this field: [FPSS96] U. Fayyad, G. Piatetsky-Shapiro, and P. Smyth. “The KDD process of extracting useful know- ledge from volumes of data. “ http://wang.ist.psu. edu/course/05/IST597/papers/Fayyad_1996.pdf in general and security vulnerabilities in particular. For general coding practices, it can be assumed that the majority of code devel- oped in a corporate complies with the best-coding practices defined there, and it is desired to find the places where the code doesn’t adhere to these standards. Al- though every coding standard can be eas- ily written as query, the Code Mining techniques provide a method to automat- ically define these “MetaQueries”. For example, a common good develop- ment practice is to have at least one state- ment within Catch block, and not to leave it empty. In its query form it will look for all „Catch”s in the code („All.FindByType (typeof(CatchStmt))”) and out of those, find the ones that their catch.statements. count property equals to 0. Using the Code Mining technique, the system auto- matically identifies that the property catch block in most cases in the code is not emp- ty,andflagsviolationsbymarkingtheout- of-sequence entries. A more common security-oriented ex- ample is Authentication-Bypass. After a user has successfully authenticated to the system, each subsequent page should make sure the request is through a authen- ticated user. Otherwise, a malicious user can go directly to that page without au- thenticating first, and thereby completely bypassing the authentication mechanism. This has to be done on each page that is considered as sensitive10 . Often this is done correctly, but from time to time a de- veloper neglects to put this security mea- sure in place. As demonstrated previous- ly, it is easy to formulate a query which makes sure that every sensitive page is cor- rectly prefixed with “IsAutenticated” statement. Using Code-Mining (specifi- cally, Code-Sequence-Mining), there is no need to actually write any query. The sys- tem automatically correlates between spe- cific statements (which are identified as sensitive, such as DB or file access) and the “IsAuthenticated” statement that most of the time appears previously. 10  Microsoft Hotmail suffered from this type of vulnerability in 2002, where hackers were able to by- pass security questions that users must answer be- fore resetting their password. http://seclists.org/ isn/2002/Feb/54 Figure 5 | Multiple-Tiers Application scanning example Figure 6 | Platform‚Plugins‘
6 DuD • Datenschutz und Datensicherheit 1 | 2008 AUFSÄTZE Use Case - Modular Scanning of Large Application Platform To illustrate the abilities provided by ap- plication understanding, we can better demonstrate it by describing a solution to a complex analysis problem solved by us- ing a deep understanding of the applica- tion and flows. Many modern application platforms including cloud-based offerings are multi layered including engine, plat- form and associated applications. The in- herent problem with such monolithic plat- forms is that exploring vulnerabilities within a specific application or a platform module might require full platform anal- ysis. This is not realistic especially when trying to implement a true SDLC. To en- able on demand vulnerability detection of a certain module or an application, a mod- ular scanning solution must be applied. Such a solution is impossible using con- ventional methods due to inter dependen- cies between modules. How can we lever- age application understanding as to devise the solution? We start with an example (Fig. 5). How might a SQL Injection be manifested in an application riding on a platform? Looking for SQL Injection discovers that Module1, at the application layer, connects to Module5 at the platform layer, which in turn is connected to Module7 at the en- gine layer, in such a way that input from the user at Module1 finds its way to Mod- ule7 without being cleaned properly. It is obvious that in order to find the SQL Injection, all three layers have to be scanned. However, there are many appli- cations that ride on the platform, and we do not want to scan the entire platform each time we change the application. Fur- thermore, the source of the platform is mostly unavailable to the application de- velopers. Using application understanding tech- niques we can explore the platform using “mapping” queries, and create “plugins” – the “essence” of the platform. (Fig. 6) The plug-ins keep the inter-dependencies in- formation and that will come in handy la- ter when scanning individual modules. A plug-in might include information like: function foo() in Module5 is the part of the platform’s API and it connects to Module7 that accesses a database and in- cludes no sanitation; hence it’s exposed to database manipulation. Consequently all application calls to Module5 for data base access cannot rely on the called module to be safe and should sanitize date prior to the call. After creation of plug-ins, only the indi- vidual application needs to be scanned. The system automatically solves the linka- ge between the modules and determines which of the linked modules are safe or not. Once the platform is “understood” we can safely perform modular scanning, de- tecting the vulnerabilities in a single mo- dule without losing accuracy due to inter dependencies. Reference Architecture In order to build an effective and flexible platform which enables true application understanding and risk intelligence, the developers should follow some architectu- ral principals laid out in the following re- ference architecture (Fig. 7). ▶▶ The most important principals are as follows: ™™ Conversion to Common language form ™™ Generate DOM and Flow properties ™™ Store in persistent a database ™™ Expose the abstractive model ™™ Enable data access using a formal query language ™™ Mine data using an analytical engine ™™ Supply detection queries for commonly known sequences – e.g. OWASP Top 10 ™™ Enable the addition of new query temp- lates that handle common and proprie- tary sequences ™™ Enable conversion of discovered sto- chastic sequences to detection queries Figure 7 | Reference Architecture

Recommended

Automated server-side model for recognition of security vulnerabilities in sc...
Automated server-side model for recognition of security vulnerabilities in sc...Automated server-side model for recognition of security vulnerabilities in sc...
Automated server-side model for recognition of security vulnerabilities in sc...IJECEIAES
 
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyDevOps.com
 
A Survey of Symbolic Execution Tools
A Survey of Symbolic Execution ToolsA Survey of Symbolic Execution Tools
A Survey of Symbolic Execution ToolsCSCJournals
 
A26001006
A26001006A26001006
A26001006IJERA Editor
 
Aspect Oriented Programming Through C#.NET
Aspect Oriented Programming Through C#.NETAspect Oriented Programming Through C#.NET
Aspect Oriented Programming Through C#.NETWaqas Tariq
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...IJNSA Journal
 
Aspect-Oriented Programming and Depedency Injection
Aspect-Oriented Programming and Depedency InjectionAspect-Oriented Programming and Depedency Injection
Aspect-Oriented Programming and Depedency InjectionRobert Lemke
 
Introduction to programming using c
Introduction to programming using cIntroduction to programming using c
Introduction to programming using cReham Maher El-Safarini
 

Recommended

Automated server-side model for recognition of security vulnerabilities in sc...
Automated server-side model for recognition of security vulnerabilities in sc...Automated server-side model for recognition of security vulnerabilities in sc...
Automated server-side model for recognition of security vulnerabilities in sc...IJECEIAES
 
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyFinding Zero-Days Before The Attackers: A Fortune 500 Red Team Case Study
Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyDevOps.com
 
A Survey of Symbolic Execution Tools
A Survey of Symbolic Execution ToolsA Survey of Symbolic Execution Tools
A Survey of Symbolic Execution ToolsCSCJournals
 
A26001006
A26001006A26001006
A26001006IJERA Editor
 
Aspect Oriented Programming Through C#.NET
Aspect Oriented Programming Through C#.NETAspect Oriented Programming Through C#.NET
Aspect Oriented Programming Through C#.NETWaqas Tariq
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...IJNSA Journal
 
Aspect-Oriented Programming and Depedency Injection
Aspect-Oriented Programming and Depedency InjectionAspect-Oriented Programming and Depedency Injection
Aspect-Oriented Programming and Depedency InjectionRobert Lemke
 
Introduction to programming using c
Introduction to programming using cIntroduction to programming using c
Introduction to programming using cReham Maher El-Safarini
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareTyler Shields
 
Designing Secure Systems Using AORDD Methodologies in UML System Models
Designing Secure Systems Using AORDD Methodologies in UML System ModelsDesigning Secure Systems Using AORDD Methodologies in UML System Models
Designing Secure Systems Using AORDD Methodologies in UML System ModelsIOSR Journals
 
Routine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsRoutine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsIJTET Journal
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersPVS-Studio
 
Prevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabasePrevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabaseIOSR Journals
 
Detection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacksDetection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacksAmina WADDIZ
 
Model-based Analysis of Large Scale Software Repositories
Model-based Analysis of Large Scale Software RepositoriesModel-based Analysis of Large Scale Software Repositories
Model-based Analysis of Large Scale Software RepositoriesMarkus Scheidgen
 
A Novel Approach for Code Clone Detection Using Hybrid Technique
A Novel Approach for Code Clone Detection Using Hybrid TechniqueA Novel Approach for Code Clone Detection Using Hybrid Technique
A Novel Approach for Code Clone Detection Using Hybrid TechniqueINFOGAIN PUBLICATION
 
Reference Representation in Large Metamodel-based Datasets
Reference Representation in Large Metamodel-based DatasetsReference Representation in Large Metamodel-based Datasets
Reference Representation in Large Metamodel-based DatasetsMarkus Scheidgen
 
ASPECT ORIENTED PROGRAMING(aop)
ASPECT ORIENTED PROGRAMING(aop)ASPECT ORIENTED PROGRAMING(aop)
ASPECT ORIENTED PROGRAMING(aop)kvsrteja
 
Simple Obfuscation Tool for Software Protection
Simple Obfuscation Tool for Software ProtectionSimple Obfuscation Tool for Software Protection
Simple Obfuscation Tool for Software ProtectionQUESTJOURNAL
 
How to do code review and use analysis tool in software development
How to do code review and use analysis tool in software developmentHow to do code review and use analysis tool in software development
How to do code review and use analysis tool in software developmentMitosis Technology
 
Amost 2011 keynote
Amost 2011 keynoteAmost 2011 keynote
Amost 2011 keynoteWolfgang Grieskamp
 
Evaluating android antimalware against transformation attacks
Evaluating android antimalware against transformation attacksEvaluating android antimalware against transformation attacks
Evaluating android antimalware against transformation attacksIAEME Publication
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackIJRESJOURNAL
 
Dot net-interview-questions-and-answers part i
Dot net-interview-questions-and-answers part iDot net-interview-questions-and-answers part i
Dot net-interview-questions-and-answers part iRakesh Joshi
 
Dot net-interview-questions-and-answers part i
Dot net-interview-questions-and-answers part iDot net-interview-questions-and-answers part i
Dot net-interview-questions-and-answers part iRakesh Joshi
 
Metamodeling vs Metaprogramming, A Case Study on Developing Client Libraries ...
Metamodeling vs Metaprogramming, A Case Study on Developing Client Libraries ...Metamodeling vs Metaprogramming, A Case Study on Developing Client Libraries ...
Metamodeling vs Metaprogramming, A Case Study on Developing Client Libraries ...Markus Scheidgen
 
A survey of cloud based secured web application
A survey of cloud based secured web applicationA survey of cloud based secured web application
A survey of cloud based secured web applicationIAEME Publication
 
.Net framework
.Net framework.Net framework
.Net frameworkRaghu nath
 
20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)LeClubQualiteLogicielle
 
Standardizing Source Code Security Audits
Standardizing Source Code Security AuditsStandardizing Source Code Security Audits
Standardizing Source Code Security Auditsijseajournal
 

More Related Content

What's hot

Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareTyler Shields
 
Designing Secure Systems Using AORDD Methodologies in UML System Models
Designing Secure Systems Using AORDD Methodologies in UML System ModelsDesigning Secure Systems Using AORDD Methodologies in UML System Models
Designing Secure Systems Using AORDD Methodologies in UML System ModelsIOSR Journals
 
Routine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsRoutine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsIJTET Journal
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersPVS-Studio
 
Prevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabasePrevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabaseIOSR Journals
 
Detection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacksDetection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacksAmina WADDIZ
 
Model-based Analysis of Large Scale Software Repositories
Model-based Analysis of Large Scale Software RepositoriesModel-based Analysis of Large Scale Software Repositories
Model-based Analysis of Large Scale Software RepositoriesMarkus Scheidgen
 
A Novel Approach for Code Clone Detection Using Hybrid Technique
A Novel Approach for Code Clone Detection Using Hybrid TechniqueA Novel Approach for Code Clone Detection Using Hybrid Technique
A Novel Approach for Code Clone Detection Using Hybrid TechniqueINFOGAIN PUBLICATION
 
Reference Representation in Large Metamodel-based Datasets
Reference Representation in Large Metamodel-based DatasetsReference Representation in Large Metamodel-based Datasets
Reference Representation in Large Metamodel-based DatasetsMarkus Scheidgen
 
ASPECT ORIENTED PROGRAMING(aop)
ASPECT ORIENTED PROGRAMING(aop)ASPECT ORIENTED PROGRAMING(aop)
ASPECT ORIENTED PROGRAMING(aop)kvsrteja
 
Simple Obfuscation Tool for Software Protection
Simple Obfuscation Tool for Software ProtectionSimple Obfuscation Tool for Software Protection
Simple Obfuscation Tool for Software ProtectionQUESTJOURNAL
 
How to do code review and use analysis tool in software development
How to do code review and use analysis tool in software developmentHow to do code review and use analysis tool in software development
How to do code review and use analysis tool in software developmentMitosis Technology
 
Evaluating android antimalware against transformation attacks
Evaluating android antimalware against transformation attacksEvaluating android antimalware against transformation attacks
Evaluating android antimalware against transformation attacksIAEME Publication
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackIJRESJOURNAL
 
Dot net-interview-questions-and-answers part i
Dot net-interview-questions-and-answers part iDot net-interview-questions-and-answers part i
Dot net-interview-questions-and-answers part iRakesh Joshi
 
Dot net-interview-questions-and-answers part i
Dot net-interview-questions-and-answers part iDot net-interview-questions-and-answers part i
Dot net-interview-questions-and-answers part iRakesh Joshi
 
Metamodeling vs Metaprogramming, A Case Study on Developing Client Libraries ...
Metamodeling vs Metaprogramming, A Case Study on Developing Client Libraries ...Metamodeling vs Metaprogramming, A Case Study on Developing Client Libraries ...
Metamodeling vs Metaprogramming, A Case Study on Developing Client Libraries ...Markus Scheidgen
 
A survey of cloud based secured web application
A survey of cloud based secured web applicationA survey of cloud based secured web application
A survey of cloud based secured web applicationIAEME Publication
 
.Net framework
.Net framework.Net framework
.Net frameworkRaghu nath
 

What's hot (20)

Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
 
Designing Secure Systems Using AORDD Methodologies in UML System Models
Designing Secure Systems Using AORDD Methodologies in UML System ModelsDesigning Secure Systems Using AORDD Methodologies in UML System Models
Designing Secure Systems Using AORDD Methodologies in UML System Models
 
Routine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence FlawsRoutine Detection Of Web Application Defence Flaws
Routine Detection Of Web Application Defence Flaws
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzers
 
Prevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML DatabasePrevention of SQL Injection Attacks having XML Database
Prevention of SQL Injection Attacks having XML Database
 
Detection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacksDetection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacks
 
Model-based Analysis of Large Scale Software Repositories
Model-based Analysis of Large Scale Software RepositoriesModel-based Analysis of Large Scale Software Repositories
Model-based Analysis of Large Scale Software Repositories
 
A Novel Approach for Code Clone Detection Using Hybrid Technique
A Novel Approach for Code Clone Detection Using Hybrid TechniqueA Novel Approach for Code Clone Detection Using Hybrid Technique
A Novel Approach for Code Clone Detection Using Hybrid Technique
 
Reference Representation in Large Metamodel-based Datasets
Reference Representation in Large Metamodel-based DatasetsReference Representation in Large Metamodel-based Datasets
Reference Representation in Large Metamodel-based Datasets
 
ASPECT ORIENTED PROGRAMING(aop)
ASPECT ORIENTED PROGRAMING(aop)ASPECT ORIENTED PROGRAMING(aop)
ASPECT ORIENTED PROGRAMING(aop)
 
Simple Obfuscation Tool for Software Protection
Simple Obfuscation Tool for Software ProtectionSimple Obfuscation Tool for Software Protection
Simple Obfuscation Tool for Software Protection
 
How to do code review and use analysis tool in software development
How to do code review and use analysis tool in software developmentHow to do code review and use analysis tool in software development
How to do code review and use analysis tool in software development
 
Amost 2011 keynote
Amost 2011 keynoteAmost 2011 keynote
Amost 2011 keynote
 
Evaluating android antimalware against transformation attacks
Evaluating android antimalware against transformation attacksEvaluating android antimalware against transformation attacks
Evaluating android antimalware against transformation attacks
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection Attack
 
Dot net-interview-questions-and-answers part i
Dot net-interview-questions-and-answers part iDot net-interview-questions-and-answers part i
Dot net-interview-questions-and-answers part i
 
Dot net-interview-questions-and-answers part i
Dot net-interview-questions-and-answers part iDot net-interview-questions-and-answers part i
Dot net-interview-questions-and-answers part i
 
Metamodeling vs Metaprogramming, A Case Study on Developing Client Libraries ...
Metamodeling vs Metaprogramming, A Case Study on Developing Client Libraries ...Metamodeling vs Metaprogramming, A Case Study on Developing Client Libraries ...
Metamodeling vs Metaprogramming, A Case Study on Developing Client Libraries ...
 
A survey of cloud based secured web application
A survey of cloud based secured web applicationA survey of cloud based secured web application
A survey of cloud based secured web application
 
.Net framework
.Net framework.Net framework
.Net framework
 

Similar to A Platform for Application Risk Intelligence

20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)LeClubQualiteLogicielle
 
Standardizing Source Code Security Audits
Standardizing Source Code Security AuditsStandardizing Source Code Security Audits
Standardizing Source Code Security Auditsijseajournal
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners Checkmarx
 
Software Reverse Engineering in a Security Context
Software Reverse Engineering in a Security ContextSoftware Reverse Engineering in a Security Context
Software Reverse Engineering in a Security ContextLokendra Rawat
 
Unveiling Advanced Persistence Techniques Through Application Shimming and Co...
Unveiling Advanced Persistence Techniques Through Application Shimming and Co...Unveiling Advanced Persistence Techniques Through Application Shimming and Co...
Unveiling Advanced Persistence Techniques Through Application Shimming and Co...IJCNCJournal
 
Unveiling Advanced Persistence Techniques Through Application Shimming and Co...
Unveiling Advanced Persistence Techniques Through Application Shimming and Co...Unveiling Advanced Persistence Techniques Through Application Shimming and Co...
Unveiling Advanced Persistence Techniques Through Application Shimming and Co...IJCNCJournal
 
csmalware_malware
csmalware_malwarecsmalware_malware
csmalware_malwareJoshua Saxe
 
Addressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NETAddressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NETLicensingLive! - SafeNet
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...IJNSA Journal
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisCheckmarx
 
A taxonomy of obfuscating transformations
A taxonomy of obfuscating transformationsA taxonomy of obfuscating transformations
A taxonomy of obfuscating transformationsemanuele_nl
 
SynapseIndia dotnet web development architecture module
SynapseIndia dotnet web development architecture moduleSynapseIndia dotnet web development architecture module
SynapseIndia dotnet web development architecture moduleSynapseindiappsdevelopment
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideAryan G
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
Defensive coding practices is one of the most critical proactive s
Defensive coding practices is one of the most critical proactive sDefensive coding practices is one of the most critical proactive s
Defensive coding practices is one of the most critical proactive sLinaCovington707
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
Moxa white paper---Using Sample Code to Develop Embedded Applications
Moxa white paper---Using Sample Code to Develop Embedded ApplicationsMoxa white paper---Using Sample Code to Develop Embedded Applications
Moxa white paper---Using Sample Code to Develop Embedded ApplicationsDigital River
 
WIRELESS COMPUTING AND IT ECOSYSTEMS
WIRELESS COMPUTING AND IT ECOSYSTEMSWIRELESS COMPUTING AND IT ECOSYSTEMS
WIRELESS COMPUTING AND IT ECOSYSTEMScscpconf
 

Similar to A Platform for Application Risk Intelligence (20)

20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)
 
Standardizing Source Code Security Audits
Standardizing Source Code Security AuditsStandardizing Source Code Security Audits
Standardizing Source Code Security Audits
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
 
Software Reverse Engineering in a Security Context
Software Reverse Engineering in a Security ContextSoftware Reverse Engineering in a Security Context
Software Reverse Engineering in a Security Context
 
Unveiling Advanced Persistence Techniques Through Application Shimming and Co...
Unveiling Advanced Persistence Techniques Through Application Shimming and Co...Unveiling Advanced Persistence Techniques Through Application Shimming and Co...
Unveiling Advanced Persistence Techniques Through Application Shimming and Co...
 
Unveiling Advanced Persistence Techniques Through Application Shimming and Co...
Unveiling Advanced Persistence Techniques Through Application Shimming and Co...Unveiling Advanced Persistence Techniques Through Application Shimming and Co...
Unveiling Advanced Persistence Techniques Through Application Shimming and Co...
 
csmalware_malware
csmalware_malwarecsmalware_malware
csmalware_malware
 
Addressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NETAddressing New Challenges in Software Protection for .NET
Addressing New Challenges in Software Protection for .NET
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGRA...
 
Documentation
DocumentationDocumentation
Documentation
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code Analysis
 
A taxonomy of obfuscating transformations
A taxonomy of obfuscating transformationsA taxonomy of obfuscating transformations
A taxonomy of obfuscating transformations
 
SynapseIndia dotnet web development architecture module
SynapseIndia dotnet web development architecture moduleSynapseIndia dotnet web development architecture module
SynapseIndia dotnet web development architecture module
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
 
A035401010
A035401010A035401010
A035401010
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Defensive coding practices is one of the most critical proactive s
Defensive coding practices is one of the most critical proactive sDefensive coding practices is one of the most critical proactive s
Defensive coding practices is one of the most critical proactive s
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
 
Moxa white paper---Using Sample Code to Develop Embedded Applications
Moxa white paper---Using Sample Code to Develop Embedded ApplicationsMoxa white paper---Using Sample Code to Develop Embedded Applications
Moxa white paper---Using Sample Code to Develop Embedded Applications
 
WIRELESS COMPUTING AND IT ECOSYSTEMS
WIRELESS COMPUTING AND IT ECOSYSTEMSWIRELESS COMPUTING AND IT ECOSYSTEMS
WIRELESS COMPUTING AND IT ECOSYSTEMS
 

More from Checkmarx

The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxCheckmarx
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the HackersCheckmarx
 
The 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisThe 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisCheckmarx
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisCheckmarx
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool ImplementationCheckmarx
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsCheckmarx
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolCheckmarx
 
The Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsThe Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsCheckmarx
 
10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile DevelopmentCheckmarx
 
Graph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC ChapterGraph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC ChapterCheckmarx
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!Checkmarx
 

More from Checkmarx (12)

The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
 
The 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisThe 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code Analysis
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code Analysis
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
 
The Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsThe Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-Ins
 
10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile Development
 
Graph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC ChapterGraph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC Chapter
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!
 

Recently uploaded

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

A Platform for Application Risk Intelligence

  • 1. AUFSÄTZE DuD • Datenschutz und Datensicherheit 1 | 2008 1 Maty Siman Platform for Application Risk Intelligence Using Source Code Understanding as a Risk Barometer Source Code Analysis technologies have significantly evolved in recent years - making improvements in precision and accuracy with the introduction of new analysis techniques like flow analysis. This article describes this evolution and how the most advanced capabilities available today like query-based analysis and Knowledge Discovery can be leveraged to create a platform for Application Risk Intelligence (ARI) to help implement a proactive security program. As attacks become more financially moti- vated,andasorganizationsgetbetteratse- curing their network, desktop and server infrastructure, there has been a steady shift in cyber attacks to the application level. To address these new risks, several technology markets for application secu- rity have emerged including what Gartner calls Static Application Security Testing (SAST). Can we really use Source Code Analysis (SCA) to detect vulnerabilities in a way that will give us satisfactory risk assur- ance? The answer varies; we are able to find problems with sufficient accuracy if they are manifested in commonly known sequences like a SQL injection. Many flaws however are presented in the specif- ic implementation of the applications business logic1 , and adopting the standard 1  OWASP (Open Web Application Security Proj- ect) is considered as the focal point for all applica- tion-security related information. http://www. owasp.org/index.php/Businss_logic_vulnerability analysis to handle these proprietary se- quences make the task almost impossible. The reason is that current technologies, even those employing flow analyses, are based on “black-box” implementation and thereforecanonlyhandleknownsequenc- es. A probable detection method of suspi- cious sequences can be through the iden- tification of an irregularity within a set of common sequences. Enabling detection of proprietary and stochastic sequences re- quires implementation of an open plat- form for application understanding, which not only finding basic vulnerabili- ties but also provides systematic applica- tion risk intelligence. The key enabler of such a platform is the exposure of all application building blocks like data structure and flow using an ab- stractive model common to all languages and storing the wealth of know-how in a persistent store like data base. Once the application is exposed we must provide tools to model the known and proprietary sequences as well as exposing irregulari- ties in the common sequences. In this ar- ticle, we define the required solution ele- ments. It concludes by presenting refer- ence architecture to such a platform. Exposing a common language representation Source code is inherently structured con- taining static elements like functions and variables as well as dynamic elements like control and data flow. The static elements can be modeled into a data structure re- ferred as “CodeDom” 2 . This is usually one of the first steps taken by some compilers’ frontend. CodeDom makes it possible for thecompilerto“understand”thecodeand create a byte/binary code thereof. The CodeDom is an object-oriented structure which represents the static nature of the code. It contains all elements that make the code, such as namespaces, classes, methods, data members and statements. The hierarchy of the CodeDom matches the respective scope in the code. The pro- cess of converting source code into DOM, where all the symbols are resolved is a tricky job that encompasses fine parsing and resolving details. Compilers do this job very well, as part of their frontend ac- tion, so SCA tools usually tend to rely on the intermediate code created by the com- piler as the starting point of their analysis. This method, although saving develop- ment efforts, has certain drawbacks (e.g. inability to scan code fragments and un- 2  There are several implementations of Code- Dom. The one used by Microsoft is the closest in meaning to the CodeDom developed by Checkmarx and used in this article. http://msdn.microsoft.com/ en-us/library/system.codedom.aspx Maty Siman is a technology and security expert. He founded Checkmarx in 2006 to share his innovations in appli- cation security based on experience he gained in securing intelligence systems. E-Mail: maty@checkmarx.com
  • 2. 2 DuD • Datenschutz und Datensicherheit 1 | 2008 AUFSÄTZE compiled code) that will be discussed be- low. Another alternative is to develop a Virtual Compiler (VC) that suits the exact needs of the Code Analysis product. After the code has been modeled, it can be stored in a persistent OODB3 (Object Ori- ented Data Base) in a query-able format. Having the code stored in an OODB shifts the view of the code from a flat represen- tation into 3D query-able and correlate- able format. It’s then easy to find interest- ing code structures on demand, efficient- ly and with full flexibility. Example It becomes easy to find dead-methods (methods that are never called). We need to write a query that looks in the database for all method declarations that do not have a matching invocation statement. The exact query will be shown in the next chapter. On top of the CodeDom, which represents static properties of the code, it is possible to compute the Data Flow Graph, Control Flow Graph and Control Dependency Graph (DFG, CFG and CDG – respective- ly). It enables tracing and understanding of the dynamic flows of the application. It can reveal for example how a specific val- ue affects the application behavior and de- termines the effect of a certain condition statement. Formal and unified modeling of these graphs, allows us to store them in the same database as the CodeDom, and enables true correlation between the two by using simple query form. Example A query can be used to conduct impact analysis, in order to understand how changing a Boolean value from True to False, affects the course of the application. Query Language Once we have a persistent OODB filled with all the code properties of a scanned application, it is possible to flexibly query4 it and search for any code sequence that’s 3  http://odbms.org 4  There were a few attempts to formalize a query language for OODB. Most notable is OQL from ODM: http://publib.boulder.ibm.com/infocenter/tivihelp/ v8r1/index.jsp?topic=/com.ibm.netcool_precision. doc/pr35se/xF1118340.html in this article we chose to use CxQL as defined by Checkmarx as it better suites code analysis techniques. either known or proprietary. The syntax of the query language shown here is simi- lar to C#, with added commands and data types, such as CxList, It represents an ar- ray of CodeDOM/Flow elements. DOM Queries To demonstrate what can be achieved us- ing a query language, we must first write a query that finds uncalled methods. Then we find all method declarations and put it in a list, finally we remove all declarations from this list that have been called with a matching method-invoke statement. // Find all Method Declaration in the code CxList MethodDeclaration = All. FindByType(typeof(MethodDecl)); // Find all Method Invocations in the code CxList MethodInvokes = All.FindBy Type(typeof(MethodInvokeExpr)); // Find the matching declarations of the // invocation we found CxList DeclarationOfInvokes = All.FindAllReferences(Method Invokes); // Get the “dead” declarations Return MethodDeclaration – DeclarationOfInvokes; Flow Queries We can take it one step further and use the DFG information and conduct an impact analysis by finding all the places which will be affected by changing the initializa- tion value of a variable called “s”. // Look for the place where “s” is declared CxList DeclaratorOfS = All.FindBy Type(typeof(Declarator)).FindBy ShortName(“s”); // Find all places which are “data-influ- enced by” // the value assigned to “s” at its declaration Return All.DataInfluencedBy (DeclaratorOfS); Thedatabasecanprovideasaresultthefull reasoning of the impact, tracing it from source to target and backward (Fig. 1). Security-Related Queries Aswehaveseen,itispossibleto“ask”the database any question about the code, ei- ther static or tracing flow properties. A subset of these questions is security related and based on commonly known security sequences. In order to find SQL Injection5 vulnerabilitieswetraceitintheapplication usingthefollowingsimplequerythatlooks for all the database-access in the code and is directly influenced by the user’s input without being sanitized properly: // Find all places where a database is ac- cessed CxList db = Find _ DB(); // Find all interactive user inputs CxList inputs = Find _ Interactive _ Inputs(); // Find places where user input is sanitized CxList sanitized = Find _ Sanitize(); // Return all database access which are // influenced by an input but not sanitized Return db.InfluencedByAndNot Sanitized(inputs, sanitized); Wecancontinuewiththesecondexample. In web applications, static variables are shared among all users that access the sys- tem simultaneously. This means that if a value of a static variable is affected by a us- er’s input, it may be overwritten by other users. This results in race condition. To trace such a sequence we can use a query that finds all the places where the static variable is influenced by the user input: // Find all static variables CxList statics = All.FindAll References(All.FindByField Attributes(Modifiers.Static)); 5  http://www.owasp.org/index.php/SQL_Injection Figure 1 | Flow-graph reasoning retrieved from database
  • 3. AUFSÄTZE DuD • Datenschutz und Datensicherheit 1 | 2008 3 // Return places where static variable is as- signed // a value retrieved from user Return Find _ Interactive _ Inputs().DataInfluencingOn (statics); As said, many security-related issues are manifested in commonly known sequenc- es and modeling is therefore generic. The platform provider should supply out-of- the-box templates to discover these se- quences. This is true for other applications leveraging the open platform like: Coding standards enforcement, Quality assurance and more. Business Logic Flaws This brings us to an even more challeng- ing aspect – the Business Logic Flaws which are usually manifested in proprie- tary code sequences. The examples we saw previously are considered to be “technical vulnerabilities” since they might affect whatever the actual business is that’s served by the application i.e. a book store, bank or an internet provider. With “Busi- ness Logic Flaws” it is possible to find vul- nerabilitiesthatarespecifictothebusiness process supported or enabled by the appli- cation. Although this sets a higher chal- lenge bar, it is possible to model many of these sequences using the query language. A common functionality in shopping carts used by any online store is the abili- ty to change the quantity of items for pur- chase. In order to calculate the total amount to be paid, the system has to mul- tiply the quantity of items the user wishes to purchase with the unit price of the item. A scenario which is often overlooked occurs when a user types in a negative quantity6 of items to be purchased. In such case, when an appropriate condition is not properly set, the total amount might be drastically lower than the true value, or even negative. Usually the best way to avoid this is by simply adding in the appli- cation a condition that verifies the quanti- ty is greater than zero. In most cases such edits will prevent the risk but if the edits are neglected they can cause a fraudulent event. We can model this using a query which finds all variables called “quantity” or similar, which are influenced by user 6  It is interesting to see PayPal’s specification on this: https://cms.paypal.com/us/cgi-bin/?cmd=_ render-content&content_ID=developer/e_howto_ api_ECCustomizing input and sent directly to the database, but their value is never checked to be positive. A skeleton of such query might look like the following: // Find all variables that hold a quantity. CxList qty = All.FindByRegex (“q.t.y”); // All qunatities that are influenced by user input CxList inp _ qty =qty.Data InfluencedBy(Find _ Interactive _ Inputs()); // All Binary Expressions that compare Qty // with 0 CxList checking = All.FindBy Type(typeof(BinaryExpr). DataInfluencedBy(qty). DataInfluencedBy(All.FindBy Name(“0”)); <…cont…> <…cont…> // All DB that are set from the above Qty vars CxList db _ inp _ qty = Find _ DB(). DataInfluencedBy(inp _ qty); // Return all DB that are set user controllable // Qty which is never compared to 0 Return db _ inp _ qty -db _ inp _ qty.ControlInfluencedBy(checking); The example above, although schematic and specific to the described scenario, can be used as a template to any business case in which there is a need to make sure in- put from user is non-negative (number of students in a course, number of travelers in a flight, number of tickets to buy). Merely the Regex pattern should be changed. Another example of a business logic- flaw can be found in an online store where it is essential to maintain tenant level pri- vacy. It is imperative to find all the places where a customer might have access to other customers’ orders. Modeling it into query might look for all SQL statements Figure 2 | Class Hierarchy created by query Figure 3 | 3D Control Flow Graph of an Application
  • 4. 4 DuD • Datenschutz und Datensicherheit 1 | 2008 AUFSÄTZE that Select values from the “T_Orders” ta- ble, where the “Where” clause is not influ- enced by the current user ID. Again, this can be used as a template query for simi- lar business scenarios. Application Understanding The queries discussed so far were made possible thanks to the fact that code infor- mation was stored in a query-able data- base. It is also possible to take further ad- vantage of the database storage and extend the discovery to finding new vulnerabili- ties and better understanding the existing ones. Abstracting Vulnerabilities When applying a query on a code base, each result represents a single security breach or a business risk. Although it pro- vides great value to find these issues, it is possible to take it to a higher abstraction level, in such a way that the results will be presented in a graphical way and reveal the correlation between results. This ap- proach proved to be useful in better un- derstanding the code at hand, and finding the best way to fix vulnerabilities. A sample query that models the class hi- erarchy will be simply - // Look for the place where “s” is declared CxList BaseClass = All.FindBy Type(typeof(ClassDecl)); Return = All.InheritsFrom (BaseClass); And the graphical representation of the re- sults will look like a class hierarchy (Fig. 2). A more sophisticated query that re- quires 3D modeling capabilities7 models the CFG on the XY axis, and the call stack on the Z axis - the currently watched func- tion is the closest CFG, and the called functions can be seen farther in the graph. Usually CFG is modeled as 2D graph that shows the flow of a function (or an appli- 7  Some papers discuss the visualization effect of source code: [Young97] Peter Young and Malcolm Munro “A New View of Call Graphs for Visualising Code Structures” http://citeseer.ist.psu.edu/57145.html [Burd96] E.L. Burd, P.S. Chan, I.M.M. Duncan, M. Munro and P. Young, “Improving Visual Representa- tions of Code” http://www.dur.ac.uk/~dcs3py/pag- es/work/Documents/tr-10-96 cation if we deal with interprocedure CFG). Call graph is also modeled as 2D graph where each function is a vertex and function call is an edge of the graph. We can combine both graphs to a single, 3D graph so the developer can see closer the CFG of the function she is interested in, and farther away the called function, so atthesametimeshecanfocusonthefunc- tion at hand as well as have a quick glance on the called function. Taking this to debugging activities, a developer has to choose whether he wants to “Step-Over” or “Step-Into” a function call. Using this graph, the developer can virtuallydobothatthesametime–seethe called code, without losing the context of the calling function. In Fig. 3, the CFG of the application can be seen clearly, where function calls are places farther on the Z axis. Employing these graphical capabilities to the Risk Intelligence realm reveals inte- resting correlations and leads to accurate- ly identifying the „Best-Fix-Location”. Looking for SQL Injection in an open- source application led to 10 findings. Instead of taking care of the 10 individual results, modeling these into one graph Figure 4 | Example of a Vulnerabilities Relation Graph
  • 5. AUFSÄTZE DuD • Datenschutz und Datensicherheit 1 | 2008 5 (Fig. 4) shows clearly how these issues re- late to each other: It can be seen that there are very few of- fending input commands in the system (marked in gray), and most of the vulne- rabilities pass through a single junction8 (stripes), which might be a good place to consider putting in place input-validation mechanisms as well as sanitizing the user data. 8  Basically, this can be found using max-flow/ min-cut algorithm: www.sce.carleton.ca/faculty/ chinneck/po/Chapter9.pdf Code Mining The fact that the code is no longer a mere text file but rather an actual information source stored in an OODB permits us to perform KDD9 (Knowledge Discovery in Databases) techniques. KDD unveils in- teresting previously unknown sequences 9  The field of KDD (Knowledge Discovery in Da- tabase) is very large. One of the most cited articles in this field: [FPSS96] U. Fayyad, G. Piatetsky-Shapiro, and P. Smyth. “The KDD process of extracting useful know- ledge from volumes of data. “ http://wang.ist.psu. edu/course/05/IST597/papers/Fayyad_1996.pdf in general and security vulnerabilities in particular. For general coding practices, it can be assumed that the majority of code devel- oped in a corporate complies with the best-coding practices defined there, and it is desired to find the places where the code doesn’t adhere to these standards. Al- though every coding standard can be eas- ily written as query, the Code Mining techniques provide a method to automat- ically define these “MetaQueries”. For example, a common good develop- ment practice is to have at least one state- ment within Catch block, and not to leave it empty. In its query form it will look for all „Catch”s in the code („All.FindByType (typeof(CatchStmt))”) and out of those, find the ones that their catch.statements. count property equals to 0. Using the Code Mining technique, the system auto- matically identifies that the property catch block in most cases in the code is not emp- ty,andflagsviolationsbymarkingtheout- of-sequence entries. A more common security-oriented ex- ample is Authentication-Bypass. After a user has successfully authenticated to the system, each subsequent page should make sure the request is through a authen- ticated user. Otherwise, a malicious user can go directly to that page without au- thenticating first, and thereby completely bypassing the authentication mechanism. This has to be done on each page that is considered as sensitive10 . Often this is done correctly, but from time to time a de- veloper neglects to put this security mea- sure in place. As demonstrated previous- ly, it is easy to formulate a query which makes sure that every sensitive page is cor- rectly prefixed with “IsAutenticated” statement. Using Code-Mining (specifi- cally, Code-Sequence-Mining), there is no need to actually write any query. The sys- tem automatically correlates between spe- cific statements (which are identified as sensitive, such as DB or file access) and the “IsAuthenticated” statement that most of the time appears previously. 10  Microsoft Hotmail suffered from this type of vulnerability in 2002, where hackers were able to by- pass security questions that users must answer be- fore resetting their password. http://seclists.org/ isn/2002/Feb/54 Figure 5 | Multiple-Tiers Application scanning example Figure 6 | Platform‚Plugins‘
  • 6. 6 DuD • Datenschutz und Datensicherheit 1 | 2008 AUFSÄTZE Use Case - Modular Scanning of Large Application Platform To illustrate the abilities provided by ap- plication understanding, we can better demonstrate it by describing a solution to a complex analysis problem solved by us- ing a deep understanding of the applica- tion and flows. Many modern application platforms including cloud-based offerings are multi layered including engine, plat- form and associated applications. The in- herent problem with such monolithic plat- forms is that exploring vulnerabilities within a specific application or a platform module might require full platform anal- ysis. This is not realistic especially when trying to implement a true SDLC. To en- able on demand vulnerability detection of a certain module or an application, a mod- ular scanning solution must be applied. Such a solution is impossible using con- ventional methods due to inter dependen- cies between modules. How can we lever- age application understanding as to devise the solution? We start with an example (Fig. 5). How might a SQL Injection be manifested in an application riding on a platform? Looking for SQL Injection discovers that Module1, at the application layer, connects to Module5 at the platform layer, which in turn is connected to Module7 at the en- gine layer, in such a way that input from the user at Module1 finds its way to Mod- ule7 without being cleaned properly. It is obvious that in order to find the SQL Injection, all three layers have to be scanned. However, there are many appli- cations that ride on the platform, and we do not want to scan the entire platform each time we change the application. Fur- thermore, the source of the platform is mostly unavailable to the application de- velopers. Using application understanding tech- niques we can explore the platform using “mapping” queries, and create “plugins” – the “essence” of the platform. (Fig. 6) The plug-ins keep the inter-dependencies in- formation and that will come in handy la- ter when scanning individual modules. A plug-in might include information like: function foo() in Module5 is the part of the platform’s API and it connects to Module7 that accesses a database and in- cludes no sanitation; hence it’s exposed to database manipulation. Consequently all application calls to Module5 for data base access cannot rely on the called module to be safe and should sanitize date prior to the call. After creation of plug-ins, only the indi- vidual application needs to be scanned. The system automatically solves the linka- ge between the modules and determines which of the linked modules are safe or not. Once the platform is “understood” we can safely perform modular scanning, de- tecting the vulnerabilities in a single mo- dule without losing accuracy due to inter dependencies. Reference Architecture In order to build an effective and flexible platform which enables true application understanding and risk intelligence, the developers should follow some architectu- ral principals laid out in the following re- ference architecture (Fig. 7). ▶▶ The most important principals are as follows: ™™ Conversion to Common language form ™™ Generate DOM and Flow properties ™™ Store in persistent a database ™™ Expose the abstractive model ™™ Enable data access using a formal query language ™™ Mine data using an analytical engine ™™ Supply detection queries for commonly known sequences – e.g. OWASP Top 10 ™™ Enable the addition of new query temp- lates that handle common and proprie- tary sequences ™™ Enable conversion of discovered sto- chastic sequences to detection queries Figure 7 | Reference Architecture