Jeff Williams

Contrast Security
since Nov 11, 2014

Recent posts by Jeff Williams

One more thought on your database hypotheticals...

> Like how does it know that creating a Statement with a concatenated string can cause SQL injection?
> What if I use a concatenated string to create a PreparedStatement?
> What if I use JPA?
> What if I use third party utilities like Apache DButils?
> What if I have my own library that is similar to DBUtils?

Contrast identifies vulnerabilities by combining two very powerful techniques: Data Flow Analysis and our Code Execution Pattern Matching. In Contrast, data flow analysis is done by actually tracking strings, byte arrays, and other Objects as they flow through the code. So we always know exactly which Objects (actually which exact part of Objects) need to be tracked. For SQL injection, we're looking to track untrusted, but if you want to track some other kind of data that's certainly possible. We have some clients using Contrast's DFA to make sure credit-card numbers don't go anywhere they shouldn't, for example.

So once we know where untrusted data is going, we just have to make sure we properly match the pattern of SQL Injection. We match all the possible ways of using JDBC to interact with the database, including Statement, PreparedStatement, and others. We match the JDBC API, not any one particular implementation, so no matter what database driver or persistence layer you are using, Contrast will properly identify the SQL injection.

Give it a try -- I'd love to hear how it works for you. Thanks for all the great questions.

--Jeff

Jayesh,

Contrast isn't really either static analysis or dynamic scanning. Contrast uses instrumentation to gather information directly from inside the running application. Gartner calls this technique "interactive application security testing" (IAST), as opposed to SAST or DAST.

> Does it run like Find bugs that reads the code for potential defects, or does it monitor the behavior of the application to look for behaviors that can lead to security vulnerabilities?

It's more like monitoring the code for behaviors, but it does it from inside the application itself.

> If it does dynamic analysis, does it feed input data to test for exploits? Or does someone have to run test scenarios that are designed to test exploits?

Contrast is passive, meaning that all you have to do is build and test your code the normal way that you do that. You absolutely do not have to attempt attacks or exploits. All you have to do is use your application normally. Selenium is one way to exercise an application automatically, but human QA testers, JUnit tests, or even testing during development all work too.

> If it does static code analysis, how does it know where the vulnerabilities are? Like how does it know that creating a Statement with a concatenated string can cause SQL injection? What if I use a concatenated string to create a PreparedStatement? What if I use JPA? What if I use third party utilities like Apache DButils? What if I have my own library that is similar to DBUtils?

Contrast doesn't do static, but it does know exactly where security relevant events happen in your code. It will handle all the scenarios you identified above. The best way to learn how Contrast works is to actually use it. Make a little JSP that has something like this in it...

<%
// untrusted data enters here (the source)
String param = request.getParameter( "name" );
String message = "Hello, " + param;
%>

...

<%-- untrusted data written to the page without encoding (the sink) --%>
<H1><%=message%></H1>

Contrast will detect the XSS here, and the trace will show you exactly the line of code of each of the steps of this vulnerability.

Hope you enjoy it.

--Jeff
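The two posts above describe the same mechanism twice: untrusted data is tracked from a source such as request.getParameter, through every concatenation, to a sink matched on the API (JDBC Statement, Connection.prepareStatement, or unencoded JSP output). The following is an added toy illustration of that idea, not Contrast's code and not taken from the posts. The TaintTraceDemo class, the Tracked wrapper and the location strings such as UserDao.find are assumptions made up for the example; a real IAST agent instruments the JDK, JDBC and servlet classes instead of wrapping values.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Optional;

/*
 * Toy data-flow tracker (added example, not Contrast's implementation).
 * A value carries an "untrusted" bit and a trace of code locations; sinks are
 * matched on the API being called, not on any driver or persistence layer.
 */
public class TaintTraceDemo {

    /** A string plus its trust status and the locations it has passed through. */
    static final class Tracked {
        final String value;
        final boolean untrusted;
        final List<String> trace;

        private Tracked(String value, boolean untrusted, List<String> trace) {
            this.value = value;
            this.untrusted = untrusted;
            this.trace = Collections.unmodifiableList(trace);
        }

        /** Source: data arriving from the request (stands in for request.getParameter). */
        static Tracked fromRequest(String value, String where) {
            List<String> t = new ArrayList<>();
            t.add("source: " + where);
            return new Tracked(value, true, t);
        }

        /** A compile-time literal is trusted and has no trace. */
        static Tracked literal(String value) {
            return new Tracked(value, false, new ArrayList<>());
        }

        /** Propagation: concatenation keeps the taint and records the location. */
        Tracked concat(Tracked other, String where) {
            List<String> t = new ArrayList<>(trace);
            t.addAll(other.trace);
            t.add("propagation: " + where);
            return new Tracked(value + other.value, untrusted || other.untrusted, t);
        }
    }

    /** A finding: the rule that fired plus the full source-to-sink trace. */
    static final class Finding {
        final String rule;
        final List<String> trace;
        Finding(String rule, List<String> trace) { this.rule = rule; this.trace = trace; }
        @Override public String toString() { return rule + "\n    " + String.join("\n    ", trace); }
    }

    /** Sink rule for Statement.executeQuery(String): the whole query text is the sink. */
    static Optional<Finding> statementSink(Tracked sql, String where) {
        return sink(sql, "SQL Injection (Statement)", where);
    }

    /** Sink rule for Connection.prepareStatement(String): only the template is a sink.
     *  Values bound later with setString() are parameters, never part of the SQL grammar. */
    static Optional<Finding> prepareStatementSink(Tracked template, String where) {
        return sink(template, "SQL Injection (PreparedStatement template)", where);
    }

    /** Sink rule for unencoded page output, e.g. a JSP <%= ... %> expression. */
    static Optional<Finding> htmlOutputSink(Tracked html, String where) {
        return sink(html, "Cross-Site Scripting", where);
    }

    private static Optional<Finding> sink(Tracked data, String rule, String where) {
        if (!data.untrusted) {
            return Optional.empty();
        }
        List<String> t = new ArrayList<>(data.trace);
        t.add("sink: " + where);
        return Optional.of(new Finding(rule, t));
    }

    public static void main(String[] args) {
        // Ordinary input, no attack payload: the data flow is what gets flagged, not the value.
        Tracked name = Tracked.fromRequest("bob", "UserServlet.doGet: request.getParameter(\"name\")");

        // 1. Statement built by concatenation: flagged.
        Tracked q1 = Tracked.literal("SELECT * FROM users WHERE name = '")
                .concat(name, "UserDao.find: query + name")
                .concat(Tracked.literal("'"), "UserDao.find: query + \"'\"");
        statementSink(q1, "UserDao.find: Statement.executeQuery(query)").ifPresent(System.out::println);

        // 2. PreparedStatement whose template was concatenated: still flagged.
        prepareStatementSink(q1, "UserDao.find: Connection.prepareStatement(query)").ifPresent(System.out::println);

        // 3. Literal template with the value bound via setString(1, name): no finding.
        Tracked template = Tracked.literal("SELECT * FROM users WHERE name = ?");
        prepareStatementSink(template, "UserDao.find: Connection.prepareStatement(template)")
                .ifPresent(System.out::println);

        // 4. The JSP from the post above: "Hello, " + param written straight into the page.
        Tracked message = Tracked.literal("Hello, ").concat(name, "hello.jsp: \"Hello, \" + param");
        htmlOutputSink(message, "hello.jsp: <%=message%>").ifPresent(System.out::println);
    }
}
```

Cases 1, 2 and 4 each print a finding with the source, propagation and sink lines; case 3 prints nothing, because the parameter never becomes part of the query text. That distinction is why concatenating into a PreparedStatement template is reported while binding the same value is not.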

Short answer is yes!

> Can I run this code through Contrast Security on a nightly basis so I can get a report every day?

Yes, just add the -javaagent flag to your Java launch config.

> Can I see the results on Jenkins? Ideally, it would be great to see some trend charts of security vulnerabilities found by Contrast.

Yes. Everything in Contrast is accessible through a REST API. You can even check the REST results after you run your tests and fail the build if you want.

> I think Eclipse integration is great. It allows the developers to fix the vulnerability as they are writing the code. However, I have lots of legacy code. I need an easy way to scan all the code regularly, create defects in JIRA for the vulnerabilities, fix them when I get time, and re-run the code.

The Enterprise product works exactly this way. It continuously monitors your apps in real time. There's no need to schedule and run scans, though. Just use your app normally. You can also push vulns into JIRA with all the details.

Hope that helps!

Your vulnerabilities are safe! If you are using the Eclipse plugin, then everything happens locally on your machine. If you use the Enterprise Edition, then you can choose between using the SaaS TeamServer or running an on-premises TeamServer. In both, we have put a *lot* of work into security, including using Contrast on Contrast continuously throughout development. There are a ton of security features. If you want to know more, please check the support site for details or just ask!

Great questions...

> Do you think that the EE6-libraries are safer than external frameworks?

No. Not necessarily. It's possible to write a secure or insecure app using just about any framework. In theory, frameworks should provide the standard security controls to make security easier. Unfortunately, many of them are so powerful that they make some kinds of security mistakes easier. In the end, it's really about understanding the technology, and making sure that there are defenses in place for the risks you foresee.

> Are security issues always related to the frameworks being used or does it have to do with the lack of knowledge of developers?

I don't look to frameworks to solve every security issue, so there is a lack-of-knowledge issue associated with every security flaw. However, I'm optimistic that frameworks can be used to make security massively simpler for developers.

> How do you keep your product up to date with all the security issues of the different frameworks in the market?

Two ways. First, because Contrast runs inside the running application, we don't have to know as much about the inner workings of the framework as, say, a static analysis tool. But we do have an excellent research team that makes sure our product works properly on new frameworks. You should see our test suite... We test on about 20 different containers across six or seven operating systems and all the major frameworks. Each one of those combinations gets thousands of test cases run every time we change our agent.

Hi, Contrast for Eclipse is focused on the OWASP Top 10 (which, incidentally, I wrote) and finds most of these items. The full Enterprise Contrast product finds much more.

Absolutely. Contrast does a great job with all kinds of injection. Basically, Contrast looks for any untrusted data that flows through your code and makes it to a SQL query. All you have to do is use your application normally and Contrast will do all the work. You don't have to type in any attacks! Let me know what you find.

Hi everyone,

Thanks for inviting me. I've been a Java programmer since Java 1.0 and specialized in application security for 25 years. If you have any questions about writing secure code, please feel free to ask.

--Jeff

Thanks Jeanne,

I'm thrilled to be able to release the free Contrast for Eclipse plugin. It's totally different from legacy static and dynamic scanners. You can get it in the Eclipse marketplace: search for Contrast or go to http://marketplace.eclipse.org/content/contrast-eclipse.

--Jeff