Year Of Security for Java – Week 25 – Use Dynamic Analysis

No Gravatar

What is it and why should I care?
Dynamic analysis is the analysis of computer software that is performed by executing programs built from that software system on a real or virtual processor. Essentially, it’s automated execution of an application.

Note: While dynamic analysis has no actual ties to security per-se, I’ll be referencing it’s use with respect to security since that’s the topic here. However, just note that these techniques are useful to solve general analysis problems, not only security. Also note dynamic analysis specifically used for security is often referred to as Dynamic Application Security Testing (or DAST) in the industry.

So, how do dynamic analysis tools do what they do? In the world of web application security (admittedly a constrained subset, but the topic of focus here), it’s building something akin to a special-purpose web browser that attempts to attack the running application by probing for vulnerabilities and detecting based on some output heuristic whether or not the attack was successful. For example, with XSS this is logically as simple as:

Step 1: Go to page with form.
Step 2: Fill in field of form with javascript alert.
Step 3: Submit form.
Step 4: If response has a javascript alert, we have an XSS vuln. 

This is certainly a simple example, and real scanners are quite complex in what they can do. However, logically this is the basic concept.

Dynamic analysis, as opposed to static analysis, has the added benefit of proof of exploitability. Many times the results of static analysis are either wrong or questioned because “well, the live system has security control X that prevents that”. In dynamic analysis, you’re generally testing the live environment, or at least the testing environment which is meant to look like the live environment. When you show someone a vulnerability found by actually exercising the deployed site, it’s hard for them to argue that it’s not exploitable.

What should I do about it?

You should use dynamic analysis as part of your development process. These types of tools are often executed in the QA and/or user/business testing environment. You should also get these going in whatever other environments you can, such as the continuous integration environment (have a task to build/deploy the site, then scan it), the integration test environment, QA, etc. The earlier you get these tools executed, the cheaper it is to resolve the issues they find.

I won’t venture into the debate about which product is better than another (especially given I currently work for a vendor), but I will say that all of them have tradeoffs (like any tool), and that you should consider the tools carefully before including them in your environment. If you want to get started (for free !!!), then I’d suggest taking a look at skipfish from some folks at Google. I’ve been told it’s pretty good, and the codebase is relatively small so you could learn about how it works pretty easily (It’s a C project by the way).

Finally, while dynamic analysis doesn’t solve the security problem, I hope I’ve shown it is a good tool to have in your tool-belt when it comes to securing your applications.

[Full Disclosure] I currently am employed by a company that provides a service related to dynamic analysis. However, I can certainly say I recommended the use of dynamic analysis before joining and will continue to in the future irrespective of my employer.


Be Sociable, Share!

Technorati Tags: