[Webappsec] Tackling A Difficult Problem - Need Expert Advice
Tim
tim-webappsec at sentinelchicken.org
Thu Apr 19 20:46:41 EDT 2007
Hello Bubba Gump,
> 1000+ unique Cross Site Scripting vulnerabilities
> 300+ unique SQL Injection vulnerabilities
> 400+ unique HTTP Response Splitting vulnerabilities
>
> All of these issues were valid, not false positives.
That's a heck of a lot of vulnerabilities, if what you say is accurate.
> Do we have any other good options to get to a clean scan in such a short
> timeframe? Is there any type of global solution that could be applied at
> either the web server or network level that would mitigate all or most of
> these issues, without requiring a massive programming effort?
The only time I've come across an application with even anywhere near
that ballpark in numbers of vulnerabilities was when the application was
completely full of copy-and-paste pages and scripts. So, the first few
pages written were full of holes, and every copy/paste added to the
mess. Not just insecure programming, but bad programming practice in
general.
I am a firm believer in writing secure applications, and not trying to
band-aid the situation by putting some sort of magic SQL-injection/XSS
filter in front of it. With the numbers you describe, your best bet
might be to develop secure libraries which contain much of the
functionality of the application and eliminate all of those
copy-and-pastes (I assume this is likely how this app was developed as
well). So, it will require a huge rewrite of much of the app, possibly
dramatically reducing it in size, but may still be faster than trying to
patch thousands of instances of the same vulnerability in different
pages. Does that make sense? Correct me if I'm wrong in my assumption.
tim
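The reply above argues for pulling the repeated logic out of copy-pasted pages into a small set of secure library routines, so that each vulnerability class is fixed once rather than in thousands of places. The following is an added illustration of that idea, not code from the thread or from the application being discussed; it assumes a Python application backed by sqlite3 (the original poster's stack is not stated) and constructs a tiny in-memory table so it runs offline. One routine covers each of the three classes listed in the quoted scan results: output encoding for XSS, parameterised queries for SQL injection, and header-value validation for HTTP response splitting, with a page function that uses only those routines.

```python
import html
import sqlite3
from typing import List, Optional, Tuple

# Constructed demo data so the example runs offline (not the poster's schema).
def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")],
    )
    conn.commit()
    return conn

# 1. XSS: one output-encoding function that every page calls instead of
#    writing request data straight into the HTML.
def h(value: object) -> str:
    """HTML-escape a value for element content or a double-quoted attribute."""
    return html.escape(str(value), quote=True)

# 2. SQL injection: data access lives in the library and always binds parameters,
#    so quote characters in user data are never parsed as SQL syntax.
def find_user_by_name(conn: sqlite3.Connection, name: str) -> Optional[Tuple]:
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchone()

# The copy-paste style 'before': string concatenation. Kept only for comparison.
def find_user_by_name_concat(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    ).fetchall()

def concat_breaks_on(conn: sqlite3.Connection, name: str) -> bool:
    """True if the concatenating version cannot even handle this legitimate name."""
    try:
        find_user_by_name_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

# 3. HTTP response splitting: a header value may never contain CR or LF,
#    otherwise attacker data can terminate the header block and start a new
#    response. Validate once here rather than in every redirect.
def is_safe_header_value(value: str) -> bool:
    return "\r" not in value and "\n" not in value

def safe_header_value(value: str) -> str:
    if not is_safe_header_value(value):
        raise ValueError("header value contains line break characters")
    return value

def redirect_headers(location: str) -> List[Tuple[str, str]]:
    """Build the headers for a redirect; the location is validated by the library."""
    return [("Location", safe_header_value(location))]

# A page written against the library: no raw SQL, no raw output, no raw headers.
def render_profile_page(conn: sqlite3.Connection, name: str) -> str:
    row = find_user_by_name(conn, name)
    if row is None:
        return "<p>No user named " + h(name) + "</p>"
    _, uname, email = row
    return "<p>User <b>%s</b> (%s)</p>" % (h(uname), h(email))

if __name__ == "__main__":
    db = make_demo_db()
    print(render_profile_page(db, "O'Brien"))
    print(render_profile_page(db, "<script>alert(1)</script>"))
    print("concat version breaks on O'Brien:", concat_breaks_on(db, "O'Brien"))
    print(redirect_headers("/home"))
```

The point of the design is that a page author has no convenient way to do the wrong thing: there is no query helper that takes a string to concatenate, no way to emit a header that has not been validated, and the encoding call is shorter than the unencoded alternative. Once the pages are rewritten against such a library, a scanner finding maps to one library function rather than to hundreds of pages.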