[Owasp-o2-platform] Why doesn't SAST have better Framework support (for example Spring MVC)?

Benson Wu bensonwu at gmail.com
Sun Oct 23 09:51:18 EDT 2011


My two cents: It seems most SAST heavily leverage tainted flow analysis to
find security vulnerabilities, and then need to follow every propagation
from input sources to output sinks or vice versa, depending on a top-down or
bottom-up approach. Frameworks are extra effort that either users or vendors
need to pay for, and as more and more frameworks come out to ease application
development, it could be a challenge for SAST to keep up to date. For
example, playing with PHP Zend, Cake, and lately CodeIgniter with SAST could be a
big pain.
On 2011-10-23 8:13 PM, "dinis cruz" <dinis.cruz at owasp.org> wrote:

> Sure, and AppScan Source also has some support for Spring MVC config files.
> Those are good steps in the right direction, but still a far cry from what
> is needed. Yes, there are cases where Fortify/Ounce works ok, but those are
> rare and very dependent on how the app was coded.
>
> Look at the JPetStore's O2 analysis scripts, namely how much it took to map
> the controllers and command classes (and that is a simple app).
>
> Andre (CCed), I believe that you're now at Fortify working on Framework
> support, right? If so, can you share some info on Fortify's Framework and
> Spring MVC support?
>
> Dinis Cruz
>
> On 23 Oct 2011, at 12:07, "Alvaro Muñoz" <alvaro.picapau at gmail.com> wrote:
>
> That's not exactly true. In the case of Fortify, it's completely capable of
> following data flow in frameworks like Spring that use configuration files to
> define how the data flows. Actually I have used it recently with good
> results.
>
> Saludos,
> Alvaro
>
> Sent from my mobile device.  Please excuse my brevity, poor grammar, typos,
> etc.
>
> On 23/10/2011, at 01:03, dinis cruz <dinis.cruz at owasp.org> wrote:
>
> I received this question today, and before I answered it, I was wondering
> if you guys wanted to have a go at it first:
>
> "...I was reading over some of your blog entries, that made me think
> about the current state of SAST regarding the current frameworks.
> I've been aware for a long time that SAST does not properly handle
> framework-level information. In the case of Spring MVC, the tools just don't
> get the data flow, etc.
>
> Since you worked at Ounce before, do you know any particular reason why
> they didn't want to go in that direction? I mean, this is a solvable
> problem (you somewhat show how to do that in O2). Even if they would need
> to implement new front-ends, this is still a very important task to be done
> if they wanted to compete directly with Fortify (especially since F. doesn't
> get it either)...."
>
> For reference, here are some of my previous Framework (i.e. Spring MVC)
> related posts:
>
>    - Current O2 support for analyzing Spring MVC
>      http://diniscruz.blogspot.com/2011/07/current-o2-support-for-analyzing-spring.html
>    - What needs to be done to map Static Analysis Traces from Controllers
>      and Views
>      http://diniscruz.blogspot.com/2011/07/what-needs-to-be-done-to-map-static.html
>    - http://o2platform.wordpress.com/category/java/spring-mvc/ (a number of
>      code samples on O2's blog)
>    - In this (longish) presentation I also talk about some of
>      the challenges that we have in supporting frameworks:
>      http://www.slideshare.net/DinisCruz/owasp-o2-platform-november-2010
>
> What do you think?
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
> _______________________________________________
> Owasp-o2-platform mailing list
> Owasp-o2-platform at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>
>
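The thread's point, that a taint-flow SAST starts its traces only where it recognises a source and therefore misses input that a framework binds implicitly, can be shown with a toy analyzer. The following is an added example, not code from this thread, from O2, or from any of the tools named above; the IR (`Stmt`, `Method`), the `analyze` function, the rule sets and the two sample methods are all constructed assumptions standing in for what a real engine and a real Spring MVC controller look like.

```python
"""Toy forward taint analysis over a tiny straight-line IR.

Constructed example: it models the difference between a servlet-style
method, where user input arrives through an explicit source call that a
generic rule set recognises, and a Spring MVC-style controller, where the
framework binds request parameters to method arguments by annotation.
Without a framework rule the Spring trace never starts, so the same
SQL-injection-shaped flow is reported in one case and missed in the other.
All names here are assumptions, not any real tool's API.
"""
from dataclasses import dataclass


@dataclass
class Stmt:
    target: str        # variable assigned, or "" for a call whose result is unused
    callee: str        # called function, or "" for a plain copy between variables
    args: tuple = ()   # variable names passed as arguments


@dataclass
class Method:
    name: str
    params: dict       # parameter name -> tuple of annotation names
    body: list         # ordered list of Stmt


# Generic, framework-agnostic knowledge a SAST ships with (constructed).
SOURCES = {"request.getParameter"}
SINKS = {"db.execute"}
PROPAGATORS = {"concat", "String.trim"}

# Framework rule: parameter annotations that mean "bound from the HTTP request".
# Assumed rule set for the example; the annotation names are Spring MVC's.
SPRING_RULES = frozenset({"RequestParam", "PathVariable", "ModelAttribute"})


def analyze(method, framework_rules=frozenset()):
    """Return a list of traces (source -> ... -> sink) found in `method`."""
    tainted = {}  # variable name -> list of trace steps leading to it

    # Entry points contributed by framework knowledge: annotated parameters
    # become sources even though no source call appears in the body.
    for name, anns in method.params.items():
        hit = next((a for a in anns if a in framework_rules), None)
        if hit is not None:
            tainted[name] = [f"param {name} bound by @{hit}"]

    findings = []
    for s in method.body:
        if s.callee in SOURCES:
            tainted[s.target] = [f"{s.target} = {s.callee}()"]
        elif s.callee in SINKS:
            for a in s.args:
                if a in tainted:
                    findings.append(tainted[a] + [f"{s.callee}({a})"])
        elif s.callee in PROPAGATORS or s.callee == "":
            tainted_args = [a for a in s.args if a in tainted]
            if tainted_args and s.target:
                step = f"{s.target} = {s.callee or 'copy'}({', '.join(s.args)})"
                tainted[s.target] = tainted[tainted_args[0]] + [step]
        # Any other callee is unmodelled: taint is dropped there, which is
        # exactly how an engine behaves for a framework it has no rules for.
    return findings


# Constructed sample 1: servlet style, explicit source call in the body.
SERVLET_STYLE = Method("doGet", params={"req": ()}, body=[
    Stmt("name", "request.getParameter"),
    Stmt("q", "concat", ("prefix", "name")),
    Stmt("", "db.execute", ("q",)),
])

# Constructed sample 2: Spring MVC style, input bound by @RequestParam.
SPRING_CONTROLLER = Method("search", params={"name": ("RequestParam",), "model": ()}, body=[
    Stmt("q", "concat", ("prefix", "name")),
    Stmt("", "db.execute", ("q",)),
])


def summary():
    """Finding counts for the three configurations, for a quick comparison."""
    return {
        "servlet, generic rules": len(analyze(SERVLET_STYLE)),
        "spring, generic rules": len(analyze(SPRING_CONTROLLER)),
        "spring, spring rules": len(analyze(SPRING_CONTROLLER, SPRING_RULES)),
    }


if __name__ == "__main__":
    for label, count in summary().items():
        print(f"{label}: {count} finding(s)")
    for trace in analyze(SPRING_CONTROLLER, SPRING_RULES):
        print(" -> ".join(trace))
```

The interesting design point is the last `elif`: the analyzer drops taint at every callee it has no rule for. That is the conservative choice real engines make, and it is why, as the thread notes, each new framework (Spring's config-driven bindings, the PHP frameworks mentioned above) needs its own rules before the same flow becomes visible.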