|
Source Code Analyzers
Early source code analyzers overwhelmed users with so many false positives that they lost their value. In recent months, however, they have gotten a lot more intelligent.
Although the false positive rate is still high, it is no longer overwhelming. Source code analyzers, like those from Fortify and Ounce Labs, are becoming trusted tools of application development teams and being embedded into application development tools. Source code scanners have their greatest value when developers use them before delivering code.
Smart software buyers write into their procurement documents that the developers are required to run multiple source code analyzers and deliver the results prior to delivery. Developers generally abhor demonstrating incompetence, so they usually fix the flaws before delivering the test results.
Web Application Vulnerability Scanners
The most common errors in Web applications--cross-site scripting and SQL injection--are very hard for source code analyzers to reliably identify. Web application vulnerability scanners, like the ones from SPI Dynamics and Watchfire (AppScan), have offered a powerful defense from their first deployment. They simulate the activities of attackers using a vast array of tests. Although not perfect, they provide great confidence to senior executives asking whether a new Web application is ready to be deployed.
Like code analyzers, Web vulnerability scanning should be required prior to accepting software from any vendor. Make the vendor test and deliver the reports before delivery is taken.
Web Application Firewalls
An alternative approach to protecting Web apps is to scan the data coming to those apps for things like character strings often used in SQL injection or cross-site scripting attacks. Web application firewalls have a huge job in trying to keep up with new attacks in different languages. They are an important part of defense in depth, but should not be relied upon alone.
|
