Web application security - the fast guide 1.1 | Page 178
Chapter 9 - Secure Application Development
Examples of static analysis security tools are FindBugs and OWASP LAPSE+ for Java, FxCop for .NET, and PHP Security Scanner for PHP.
As for binary code, there are analyzers that work on compiled libraries and executables; they detect vulnerabilities through pattern recognition and disassembly, which adds a check for weaknesses introduced by the compiler itself during compilation.
Examples of such tools are BugScam for .exe and .DLL files, CodeSurfer for x86 executables (and C and C++ source), IDA Pro for Windows and Linux executables, the SAST web service, CAT.NET and BAP.
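The following is an added example, not code from the book or from any of the tools named above. It shows the pattern-recognition idea behind source-level static analysis in a few dozen lines: the script parses a constructed Python snippet into an abstract syntax tree and flags two classic patterns, a SQL statement assembled from runtime values and a call to eval() on a non-literal. The rule names and the sample source are assumptions made for the demonstration.

```python
"""Added example (not from the book): a minimal pattern-based static analyzer.

It walks the Python AST of a source string and reports two findings of the
kind tools such as FindBugs or LAPSE+ look for in Java: SQL queries built by
string concatenation or formatting, and dynamic code evaluation of arbitrary
expressions. The sample source below is constructed for the demonstration.
"""
import ast

# Constructed sample: one unsafe query, one parameterized query, one eval call.
SAMPLE_SOURCE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_safe(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))

def calc(expr):
    return eval(expr)
'''

# Built-in functions that evaluate arbitrary code (hypothetical rule set).
DANGEROUS_CALLS = {"eval", "exec"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime (concat, %, .format, f-string)."""
    if isinstance(node, ast.JoinedStr):          # f"..." literal
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                               # "a" + b  or  "a %s" % b
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"         # "...".format(b)
    return False


def scan_source(source: str) -> list[dict]:
    """Return findings as {'line': int, 'rule': str, 'detail': str}, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Rule 1: eval/exec called with something other than a literal.
        if isinstance(func, ast.Name) and func.id in DANGEROUS_CALLS:
            if node.args and not isinstance(node.args[0], ast.Constant):
                findings.append({"line": node.lineno, "rule": "dynamic-code",
                                 "detail": f"{func.id}() called with a non-literal argument"})
        # Rule 2: cursor.execute(<runtime-built string>) with no parameter tuple.
        if isinstance(func, ast.Attribute) and func.attr == "execute" and node.args:
            if _is_dynamic_string(node.args[0]) and len(node.args) == 1:
                findings.append({"line": node.lineno, "rule": "sql-concat",
                                 "detail": "SQL statement built from runtime values; use parameters"})
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: [{f['rule']}] {f['detail']}")
```

The parameterized query in find_user_safe is deliberately not reported, because the check keys on how the statement is built, not on the presence of execute(); real tools add data-flow tracking so that a string concatenated several lines earlier is still caught.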
9.3.5 Black box scanning:
Unlike static code analysis, the black box approach depends on analyzing the HTTP responses instead of the source code, which can be an advantage for attackers because the victim application is a black box to them as well. Black box analysis can be passive or active: passive tools depend on watching HTTP traffic while the application is being used, whereas active tools generate their own requests.
We have mentioned many tools that can be used in black box scanning in the (Attack Tools) chapter, such as Burp, Paros, WebScarab and ratproxy for passive scanning, and Acunetix Vulnerability Scanner, HP WebInspect and IBM Rational AppScan for active scanning.
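As an added example that is not part of the book and not code from any of the scanners listed, the script below makes the passive/active distinction concrete. Both modes judge the application only by its HTTP responses: the passive scanner inspects responses recorded while someone else used the site, while the active scanner generates its own requests and feeds the responses to the same checks. The checks (missing security headers, a Server header that discloses a version) and the in-memory stub site are assumptions constructed for the demonstration; a real client would replace stub_send.

```python
"""Added example (not from the book): passive versus active black box checks.

The application is a constructed in-memory stub so the script runs offline.
To use it against a real target, replace `stub_send` with a function that
performs an HTTP request and returns an HttpResponse.
"""
from dataclasses import dataclass, field

@dataclass
class HttpResponse:
    path: str
    status: int
    headers: dict = field(default_factory=dict)

# Security headers a production response is expected to carry (assumed baseline).
EXPECTED_HEADERS = {
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "Content-Security-Policy",
}

def passive_check(resp: HttpResponse) -> list[str]:
    """Findings derived from one response, without sending anything ourselves."""
    findings = []
    present = {k.lower() for k in resp.headers}   # header names are case-insensitive
    for h in sorted(EXPECTED_HEADERS):
        if h.lower() not in present:
            findings.append(f"{resp.path}: missing {h}")
    server = resp.headers.get("Server", "")
    if any(ch.isdigit() for ch in server):        # e.g. "Apache/2.4.41" reveals a version
        findings.append(f"{resp.path}: Server header discloses version ({server})")
    return findings

def passive_scan(captured: list[HttpResponse]) -> list[str]:
    """Passive mode: analyze traffic recorded while the application was in use."""
    out = []
    for r in captured:
        out.extend(passive_check(r))
    return out

def active_scan(send, paths: list[str]) -> list[str]:
    """Active mode: generate our own requests for each path, then apply the same checks."""
    out = []
    for p in paths:
        out.extend(passive_check(send(p)))
    return out

# Constructed stub standing in for the target web application.
_STUB_SITE = {
    "/": HttpResponse("/", 200, {"Server": "Apache/2.4.41", "Content-Type": "text/html"}),
    "/login": HttpResponse("/login", 200, {
        "Server": "Apache",
        "Strict-Transport-Security": "max-age=31536000",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'"}),
    "/about": HttpResponse("/about", 200, {"Server": "Apache/2.4.41"}),
}

def stub_send(path: str) -> HttpResponse:
    """Stand-in for an HTTP client: look the path up in the constructed site."""
    return _STUB_SITE.get(path, HttpResponse(path, 404, {"Server": "Apache/2.4.41"}))

if __name__ == "__main__":
    # Passive: only the pages a user happened to visit (here just the login page).
    print("passive:", passive_scan([stub_send("/login")]))
    # Active: the scanner decides what to request and therefore sees the weaker pages too.
    print("active:", active_scan(stub_send, ["/", "/login", "/about"]))
```

The contrast is the point: the passive run over the recorded login page reports nothing, while the active run reaches the pages the recorded session never touched and reports their missing headers. Coverage of a passive scan is bounded by what the observed users actually did.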
9.3.6 Plan to respond, the worst might happen:
No matter what you do to secure your application throughout the development life cycle, you still need to plan for the unexpected and unwanted scenarios.
The main purpose of response planning is to achieve a set of goals:
- Minimize loss.
- Mitigate the weaknesses that were exploited.
- Restore services and processes.
- Reduce the risk of future incidents.
Response planning includes specifying:
- Who: who is going to respond, i.e. the response team.
- How: the process that the response follows.
- When: the triggers that start a response.
- Tools and equipment: any equipment and tools needed to respond and recover.
- Investigation: know exactly what happened and the related risk and loss.
- Managing mitigation: classification, prioritization, team assignment.
- Recovery: all tasks needed to get the train back on the track and make sure it stays there.