Section 8. Using the Audit Workbench


This exercise describes how to use the Audit Workbench to review results obtained from the Source Code Analysis Engine and generate audit reports based on those results.

The J2EE application for this lesson is located at Tutorial/use_AWB/webapp.

The SCA Engine has already analyzed the source code, and its FVDL output is in the file Tutorial/use_AWB/webapp.fvdl.

  1. Start the Audit Workbench.

    • For Windows systems, select Start > All Programs > Fortify Software > Fortify SCA Suite 3.1.1 Demonstration Edition > Audit Workbench.

    • Select the New Audit option.

    • Select and load the following file: Tutorial/use_AWB/webapp.fvdl

    • Name the new project "SimpleCo Web Application."

    • Examine the information in the Project Summary dialog box.

    • Click Continue to AuditGuide >> and answer the questions that follow. When you are finished, AuditGuide limits the issues that Audit Workbench displays to the ones that are relevant to the application being audited.

    • Examine the information in the Navigator panel.

      • The three severity buttons, Hotlist, Warnings, and Info, display the number of detected issues for each severity type and control the contents of the navigation tree.

      • The items that appear in the navigation tree vary according to which "Group by" option is selected.

      • When expanded, the navigation tree lists the files in which issues were detected and the vulnerability categories.

      • The pair of numbers in square brackets shown next to each item in the expanded tree indicates how many of the issues have been audited (the number on the left) and how many issues there are total (the number on the right).

      • The "Group by" feature allows you to group and display issues by category and analyzer (the default), file name, sink function, source function, or taint flag.

      • The Search field allows you to limit the displayed issues to those containing the search string.

    • Audit the first issue.

      • Expand the first element in the navigation tree, LoginPkg.sql:26, and examine the information that populates the other panels.

        • The Source Code Viewer panel displays the section of code in LoginPkg.sql containing the issue.

        • The Analysis Trace panel in the lower left corner displays the flow of tainted data through the program.

        • The Summary panel displays the issue's vulnerability category and location (file name and line number) and an abstract summary of the issue. It also allows you to enter comments, change status, move it to another issue bucket, specify its impact, suppress the issue, and (if integrated with a bug tracking system) file a bug.

      • Click the Details tab to examine the following information about the issue: vulnerability category, description, auditing tips, and reference.

    • Audit the remaining issues following the same steps.

    • Save your work. On the File menu, select Save Project.

    • Generate and export an audit report as follows:

      • Select Generate report in the Tools menu.

      • Select Raw XML from the "Export as" drop-down menu and click OK.

      • Open the report that you exported in an XML viewer or text editor and verify that your comments and settings are present.
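The Navigator panel's "Group by" options and its [audited/total] counters, modelled in an added Python example that is not part of this tutorial or of Fortify's tooling. The issue records, their field names and the `navigator_tree` helper are constructed for illustration; only LoginPkg.sql:26 comes from the exercise above.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed issue records shaped like the fields the Navigator groups on.
# The values are made up for this example, not real SCA Engine output.
@dataclass(frozen=True)
class Issue:
    category: str
    analyzer: str
    file: str
    line: int
    sink: str
    source: str
    taint_flag: str
    audited: bool = False


ISSUES = [
    Issue("SQL Injection", "dataflow", "LoginPkg.sql", 26, "EXECUTE IMMEDIATE", "getParameter", "WEB", True),
    Issue("SQL Injection", "dataflow", "LoginPkg.sql", 41, "EXECUTE IMMEDIATE", "getParameter", "WEB"),
    Issue("Cross-Site Scripting", "dataflow", "login.jsp", 12, "out.println", "getParameter", "WEB"),
    Issue("Password Management", "semantic", "Login.java", 58, "setPassword", "", ""),
]

# The "Group by" choices the Navigator offers; category + analyzer is the default.
GROUP_KEYS = {
    "category_analyzer": lambda i: f"{i.category} ({i.analyzer})",
    "file": lambda i: i.file,
    "sink": lambda i: i.sink,
    "source": lambda i: i.source,
    "taint_flag": lambda i: i.taint_flag,
}


def navigator_tree(issues, group_by="category_analyzer", search=""):
    """Return {group: (audited, total)}, the pair shown in square brackets
    next to each tree item, limited to issues whose text contains `search`."""
    key = GROUP_KEYS[group_by]
    needle = search.lower()
    tally = defaultdict(lambda: [0, 0])
    for issue in issues:
        text = f"{issue.category} {issue.file}:{issue.line} {issue.sink} {issue.source} {issue.taint_flag}"
        if needle and needle not in text.lower():
            continue  # the Search field hides non-matching issues
        counts = tally[key(issue)]
        counts[1] += 1              # total issues in this group
        counts[0] += issue.audited  # how many of them have been audited
    return {group: tuple(c) for group, c in sorted(tally.items())}


def render(tree):
    """Format each group the way the expanded navigation tree labels it."""
    return [f"{group} [{audited}/{total}]" for group, (audited, total) in tree.items()]


if __name__ == "__main__":
    for line in render(navigator_tree(ISSUES)):
        print(line)
```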

Exercises for the Reader

Beginner

  1. Assuming that an attacker does not have your source code, what advantages do you have in finding vulnerabilities?

  2. How do you envision feeding back vulnerabilities found in Audit Workbench to the developers who will fix them?

  3. If you only had the text output for a large project, how would you go through it without Audit Workbench?

  4. If the Source Code Analysis Engine runs on a build server but you run Audit Workbench on your local machine, will you run into problems? How will you solve them?

Advanced

  1. How many Source Code Analysis vulnerability categories can you describe in detail along with example exploitable code?

  2. What kind of comments do you tend to use most often when you are auditing?

  3. In the last 30 days, how many of these vulnerability categories have appeared on BugTraq?

  4. Name some vulnerability categories that have appeared on BugTraq that are not Fortify Source Code Analysis vulnerability categories.

  5. Do you think an external attacker viewing the program as a black box would name vulnerability categories in the same manner as an internal auditor who is analyzing the source code (white box) from the inside, or would they be different? Why?




Software Security: Building Security In
ISBN: 0321356705
Year: 2004
Pages: 154
Authors: Gary McGraw
