Monday, March 7, 2011

Code review in application security testing

Should I scan client side code?

In short: prioritize it with lowest priority.
When considering scans of client side code, two cases are to be considered:
Vectors restricted to the client
With such vectors, no information or control travels between the client and the server, so attacks can exploit only information located on the client side. Since web applications are expected not to store sensitive information on the client, no sensitive information is compromised.
To illustrate this point, consider the CWE/SANS Top 25 list of the most critical risks. 23 of the risks in the list are purely server side, and the other 2 are mostly server side. This means that more than 24 out of the top 25 (96%) most critical risks do not involve client code at all.
Bottom line – client side code is of very little significance
Vectors originating from the client and passing on to the server
Once inputs cross the boundary to the server, sensitive information becomes accessible, which gives rise to the requirement for substantial security measures. However, all security standards consider inputs received at the server side to be tainted, regardless of client side sanitization and regardless of secure network channels (e.g. SSL). As a result, security directives require ignoring any input manipulation, validation and sanitization performed on the client side. The client side code is (once again) out of the picture.
A supporting reference can be found in OWASP’s answer to the question “I'm using client side JavaScript code for checking user input. Isn't that enough?”
Bottom line – client side is of no significance

I found one interesting tool from Checkmarx. Following is the overview of the tool.

CxEnterprise Technology
Why scan source code?

In short: Because it is simpler, faster, cheaper and more accurate.
More accurate
Compiled binaries are optimized for many things: CPU utilization, memory consumption, multi-processing. One thing compiled binaries are not optimized for is static code analysis. In fact, most optimizations impair the accuracy of such analysis. CxEnterprise utilizes Checkmarx’ Virtual Compiler, which is optimized to a single end – providing the most accurate static analysis results.
Simpler
With CxEnterprise you need not retrieve every insignificant external library and build the entire project beforehand. You can scan your project by simply right-clicking it in the IDE, or have it scanned directly from the source code repository on a daily/weekly basis.
Faster
With no retrieval of external modules and no pre-compilation there is almost no setup time prior to the scan. Because the Virtual Compiler assures accurate results, there is no time spent sieving false positives after the scan either. As a result, fewer people spend less time auditing more lines of code.
Cheaper
Since sources need not compile properly, you can start scanning as soon as you start coding – before code changes are even considered fixes. No need for re-coding and consequent re-testing. No more deadline delays. And subsequently – your projects will cost less.

Can I scan a project that interfaces a module the sources of which I don’t have?
In short: Sure you can.
Out of the box
Since CxEnterprise utilizes its own Virtual Compiler, the code is not required to fully link. Objects declared in the “missing” module are regarded as black boxes. Therefore, data passed to an object declared in this module is considered to influence any data retrieved from the same object.
Customize to trace functionalities
It might be that you can map the functionalities that certain methods in the “missing” modules serve. Functionalities such as: submitting queries to a database, retrieving input from users, converting objects to numerical values, sanitizing inputs and more. In such cases you can customize CxEnterprise to treat these methods according to their functionalities.
Example
Facts:
• Project X uses the method submit(String query) for submitting queries to a database.
• The source files in which submit is declared are not included in the scanned sources.
• Out of the box: Scans will complete successfully. submit will be considered a neutral method.
• Customization: Customize CxEnterprise to consider submit as database access (takes less than a minute).
• Outcome: Any invocation of submit that receives a query influenced by un-sanitized input will be alerted on as a potential SQL Injection.
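To make the black-box and customized-sink behaviour in the example concrete, the following is a small flow-sensitive taint scanner over Python statements, added here as an illustration. It is not Checkmarx code and says nothing about how CxEnterprise is implemented. It applies the server-side rule from the first section (anything returned by the assumed source function get_input is tainted, whatever the client did), clears taint through the assumed sanitizer sanitize, propagates taint through an unknown call such as the hypothetical helper exactly as the black-box rule above demands, and reports tainted data reaching submit only once submit has been registered as a database sink. The sample program is constructed for this example.

```python
import ast

# Constructed sample: a program whose submit() source is not available (the
# "missing module" of the blog's example). get_input, sanitize and helper are
# hypothetical names chosen for this illustration.
SAMPLE = (
    'user = get_input("name")\n'                                      # 1: user input (tainted)
    'query = "SELECT * FROM users WHERE name = \'" + user + "\'"\n'   # 2: taint propagates
    'submit(query)\n'                                                 # 3: tainted query reaches submit
    'clean = sanitize(get_input("name"))\n'                           # 4: sanitizer clears taint
    'submit("SELECT * FROM users WHERE name = \'" + clean + "\'")\n'  # 5: sanitized, no alert
    'wrapped = helper(user)\n'                                        # 6: unknown (black-box) call
    'submit(wrapped)\n'                                               # 7: black-box output still tainted
    'submit("SELECT 1")\n'                                            # 8: constant query, no alert
)

SOURCES = frozenset({"get_input"})    # assumed: functions returning user-controlled data
SANITIZERS = frozenset({"sanitize"})  # assumed: functions whose output is considered clean


def call_name(call):
    """Return the simple name of a called function, for f(...) or obj.f(...)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def is_tainted(expr, tainted, sources, sanitizers):
    """Does this expression carry user-controlled data?"""
    if isinstance(expr, ast.Constant):
        return False
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = call_name(expr)
        if name in sources:
            return True
        if name in sanitizers:
            return False
        # Black-box rule from the text: the output of an unknown method is
        # influenced by every argument passed into it.
        return any(is_tainted(a, tainted, sources, sanitizers) for a in expr.args)
    # BinOp, f-strings, subscripts, ...: tainted if any sub-expression is.
    return any(is_tainted(child, tainted, sources, sanitizers)
               for child in ast.iter_child_nodes(expr))


def scan(src, sinks, sources=SOURCES, sanitizers=SANITIZERS):
    """Flow-sensitive taint scan over the top-level statements of src.

    sinks is the set of method names registered as database access; with an
    empty set (the "out of the box" case) submit is a neutral method and
    nothing is reported. Returns [(line, sink_name)] for every sink call that
    receives tainted data.
    """
    tainted = set()
    findings = []
    for stmt in ast.parse(src).body:
        # Report sinks first, using the taint state before this statement.
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call) and call_name(node) in sinks:
                if any(is_tainted(a, tainted, sources, sanitizers) for a in node.args):
                    findings.append((node.lineno, call_name(node)))
        # Then update the taint state for simple single-name assignments.
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            target = stmt.targets[0].id
            if is_tainted(stmt.value, tainted, sources, sanitizers):
                tainted.add(target)
            else:
                tainted.discard(target)
    return findings


if __name__ == "__main__":
    print("out of the box:", scan(SAMPLE, sinks=set()))        # []
    print("customized:    ", scan(SAMPLE, sinks={"submit"}))   # [(3, 'submit'), (7, 'submit')]
```

Running it shows the two outcomes from the example side by side: with no sink registered the scan completes without alerts, and once submit is registered as database access lines 3 and 7 are flagged while the sanitized query on line 5 and the constant query on line 8 are not. The scanner is deliberately intraprocedural and handles only straight-line code; a real tool also follows calls, branches and fields, but the source/sanitizer/sink/black-box rules are the same.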
