Tuesday, June 16, 2015

OWASP #4 Continues to Laugh at Automated Scanners

I was thinking back to 2006 when I was new to the world of Application Security.  Someone on our consulting team arranged a call with a vendor called Secure Software, Inc.  They were a company with a code scanning product called CodeAssure, but they were probably best known for a freeware tool called Rough Auditing Tool for Security ("RATS").  The company was bought by Fortify in 2007 and their products essentially died off. 

On the call I wanted to better understand how this magical CodeAssure product worked.  For example, how could it recognize Insecure Direct Object Reference in a web application?  (Actually, that term wasn't even coined yet.  Back then it was called Broken Access Control. Come to think of it, I like that name better.)  Anyway, I described some of the vulnerabilities I was seeing during my application pen testing where I could edit numerical parameters in the URL or the HTTP request body and gain access to another user's data.

For a moment, there was dead silence on the call.  It was one of those times when nobody on their side knew how to answer and they were all hoping that one of their teammates would step up and offer an intelligent response.  In the end there was no intelligent response, only dancing around the question as sales people often do.  I was a little naive back then to ask the question in the first place.  I should have known their product could do absolutely nothing to identify this type of vulnerability. 

SAST scanning tools can't be relied upon to identify insecure direct object references.  But hey, the same is true for dynamic scanners.  DAST tools aren't human and aren't smart enough to know that if you change acct_id=100011 in a URL to acct_id=100012 and get back a valid response containing another person's data, it's a big freaking problem.  The exploitability rating of this flaw is off the chart.  Almost anyone can perform the attack and it is still happening today.  Even big companies that pay attention to security like Citibank can succumb
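To make the acct_id problem concrete, here is an added example (my own illustration, not code from the original post): a vulnerable lookup that trusts the client-supplied id sits beside a hardened version that checks ownership, and a small two-user check shows the judgement a scanner cannot make on its own. The account records, the user names "alice" and "bob", and the handler and function names are all constructed for this example.

```python
"""Broken access control / IDOR: vulnerable vs. hardened object lookup.

Added example, not code from the original post. The account data, owner
names and function names are constructed for illustration; the acct_id
values 100011 and 100012 echo the ones mentioned in the text.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


class AccessDenied(Exception):
    """Raised when the authenticated caller does not own the requested object."""


@dataclass(frozen=True)
class Account:
    acct_id: int
    owner: str      # authenticated principal that owns this record
    balance: int


# Constructed sample data: two accounts belonging to two different users.
ACCOUNTS = {
    100011: Account(acct_id=100011, owner="alice", balance=5000),
    100012: Account(acct_id=100012, owner="bob", balance=250),
}

Handler = Callable[[str, int], Optional[Account]]


def get_account_vulnerable(current_user: str, acct_id: int) -> Optional[Account]:
    """Vulnerable handler: looks the record up by the client-supplied id and
    never asks whether current_user owns it. Changing the number in the
    request is enough to read someone else's account."""
    return ACCOUNTS.get(acct_id)


def get_account_hardened(current_user: str, acct_id: int) -> Optional[Account]:
    """Hardened handler: same lookup, but the record is only released when
    its owner is the authenticated principal. The HTTP layer should map
    AccessDenied to the same generic response as a missing record so the
    error does not confirm which ids exist."""
    acct = ACCOUNTS.get(acct_id)
    if acct is None:
        return None
    if acct.owner != current_user:
        raise AccessDenied(f"{current_user} may not access account {acct_id}")
    return acct


def idor_present(handler: Handler, user: str, acct_id: int) -> bool:
    """Horizontal access-control check: request acct_id as `user` and report
    True if a record owned by somebody else came back. This is exactly the
    call a scanner cannot evaluate: the vulnerable handler returns a valid,
    well-formed response, and only the ownership comparison reveals the flaw."""
    try:
        acct = handler(user, acct_id)
    except AccessDenied:
        return False
    return acct is not None and acct.owner != user


def audit_all(handler: Handler) -> List[Tuple[str, int]]:
    """Try every (user, acct_id) pair and return the pairs where a user was
    handed a record they do not own. Empty list means access control holds."""
    users = sorted({a.owner for a in ACCOUNTS.values()})
    leaks = []
    for user in users:
        for acct_id in sorted(ACCOUNTS):
            if idor_present(handler, user, acct_id):
                leaks.append((user, acct_id))
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", audit_all(get_account_vulnerable))
    print("hardened handler leaks:  ", audit_all(get_account_hardened))
```

The point of `audit_all` is that the same request matrix is what a manual tester runs with two accounts; the scanner sees two 200 responses and has no way to know that one of them is a leak without the ownership knowledge encoded in the check.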

The bottom line in my opinion is that you can't use one security testing technique and have confidence that your apps are secure.  Multiple testing approaches are needed for the best assurance.  Obviously, cost is a factor here, but for your most business-critical applications, I would use SAST, DAST, and manual pen testing.  Techniques like IAST and RASP are making strides and have much promise as well.  Both of these are going to require development teams to be more involved in (and accountable for) application security, however.