Section 9. Auditing Open Source Applications


Now you know how to use the Fortify Source Code Analysis Suite, and you are ready to embark on your own independent security audits, equipped with analysis capabilities that would have typically taken a source code auditor many years to learn. This final exercise allows you to practice using the Source Code Analysis Engine and Audit Workbench by auditing open source projects.

The following subdirectories are located at Install_Directory/Tutorial/do_open_source_audit:

  • splc A small J2EE application that provides a Web interface for managing inventory.

  • webgoat A set of Java servlets developed by the Open Web Application Security Project (OWASP) to illustrate various Web security issues.

  • wu-ftpd-2.6.0 The Washington University FTP daemon (also used in "Introducing the Audit Workbench").

  • Answers Contains a subdirectory for each of the three projects listed above with notes, output, and security findings.

Note: These projects can be evaluated independently and in any order.

splc

  1. Use ant to build splc.

  2. When you are certain that the project is building correctly, add the sourceanalyzer command to the build process, perform an "ant clean," and rebuild.

    Note: For help, see the "Integrating with an Automated Build Process" exercise.

  3. Analyze the resulting FVDL with Audit Workbench. Note that the application contains suspicious use of sockets.

  4. Compare your results to those in the Install_Directory/Tutorial/do_open_source_audit/Answers/splc directory.

webgoat

  1. Use ant to build webgoat.

  2. Once you are satisfied that the project is building correctly, add the sourceanalyzer command to the build process, perform an "ant clean," and build again.

    Note: For help, see the "Integrating with an Automated Build Process" exercise.

  3. Analyze the resulting FVDL with Audit Workbench.

  4. Compare your results to those in the Install_Directory/Tutorial/do_open_source_audit/Answers/webgoat directory.

wu-ftpd-2.6.0

  1. Use the configure command to create a makefile for wu-ftpd. You may need to add options to the configure command, as in the following example:

    ./configure -host localhost --disable-dns

  2. Build wu-ftpd using the make utility.

  3. When you are certain that the project is building correctly, add the sourceanalyzer command to the build process.

    Note: For help, see the "Integrating with an Automated Build Process" exercise.

    Remove the cached configure results and rerun configure with the compiler wrapped by the SCA Engine, so that every translation unit is recorded under the build ID wu-ftpd:

    rm config.cache config.h config.log config.status
    CC="sourceanalyzer -b wu-ftpd -c gcc" ./configure -host localhost --disable-dns

  4. Rebuild from clean (the wrapped compiler translates each file as it is compiled), then run the SCA Engine's scan phase over the recorded build:

    make clean
    make
    sourceanalyzer -scan -b wu-ftpd -format fvdl -f wu-ftpd.fvdl

  5. Analyze the results using Audit Workbench.

  6. Compare your results to those located at Install_Directory/Tutorial/do_open_source_audit/Answers/wu-ftpd-2.6.0.

    Note: This demo does not use the full rule set, so in some cases your output will contain only summary results rather than the complete findings shown in the Answers directory.
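The wu-ftpd steps above, and the equivalent ant-based sequence for splc and webgoat, are easy to get wrong by hand (a stale config.cache, or a scan run against a build ID that was never populated). The following POSIX shell script is an added example, not code from the tutorial or from any of the three projects. It assumes that sourceanalyzer is on PATH, that it is run from the project's source directory, and that your SCA version accepts `sourceanalyzer -b <id> ant` to wrap an ant build (check the Fortify documentation for your release; the wu-ftpd commands are exactly the ones listed above). Nothing runs unless you pass `--run`, so sourcing the file only defines the functions.

```shell
#!/bin/sh
# Added example: one-shot translate-then-scan driver for the Section 9 projects.
# Assumptions: sourceanalyzer is on PATH; run from the project source tree.
set -e

BUILD_ID="${BUILD_ID:-wu-ftpd}"     # SCA build ID used for both translate and scan
OUT="${OUT:-$BUILD_ID.fvdl}"        # FVDL file to open in Audit Workbench

# Compiler wrapper string for CC: SCA records every file gcc is asked to compile
# under the given build ID (the form used in step 3 above).
sca_cc() {
  printf 'sourceanalyzer -b %s -c gcc' "$1"
}

# configure caches its probe results; if the cache was written with plain gcc,
# a rerun would keep using it and nothing would be recorded by SCA.
clean_configure_state() {
  rm -f config.cache config.h config.log config.status
}

# The scan phase only sees what the translate phase recorded, so a scan against
# an unpopulated build ID silently yields an empty report.
sca_scan() {
  sourceanalyzer -scan -b "$1" -format fvdl -f "$2"
}

# wu-ftpd: autoconf + make, compiler wrapped through the CC variable.
scan_wuftpd() {
  [ -x ./configure ] || { echo "run this from the wu-ftpd-2.6.0 directory" >&2; return 1; }
  clean_configure_state
  CC="$(sca_cc "$BUILD_ID")" ./configure -host localhost --disable-dns
  make clean
  make
  sca_scan "$BUILD_ID" "$OUT"
}

# splc / webgoat: ant build. ASSUMPTION: this SCA release can wrap ant directly
# so that each javac it launches is translated under the build ID.
scan_ant_project() {
  [ -f build.xml ] || { echo "no build.xml here" >&2; return 1; }
  ant clean
  sourceanalyzer -b "$BUILD_ID" ant
  sca_scan "$BUILD_ID" "$OUT"
}

if [ "${1:-}" = "--run" ]; then
  command -v sourceanalyzer >/dev/null 2>&1 || { echo "sourceanalyzer not on PATH" >&2; exit 1; }
  if [ -f build.xml ]; then
    scan_ant_project
  else
    scan_wuftpd
  fi
  echo "scan written to $OUT; open it in Audit Workbench"
fi
```

Run it as `BUILD_ID=splc sh scan.sh --run` inside the splc directory, or with the default build ID inside wu-ftpd-2.6.0. Keeping the translate and scan phases under one build ID, and cleaning the autoconf cache before the wrapped configure, are the two details that most often make a first Fortify scan come back empty.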

Exercises for the Reader

Advanced

  1. Return to the first lesson, "Introducing the Audit Workbench," and use the SCA Engine and Audit Workbench to locate the buffer overflow in wu-ftpd-2.6.0 that that lesson examined.

  2. What other methods for identifying security vulnerabilities can you name? How do they overlap or complement source code analysis?

Answers

For answers to the questions in this tutorial, see this book's Web site at <http://www.swsec.com>.





Software Security: Building Security In
ISBN: 0321356705
Year: 2004
Pages: 154
Authors: Gary McGraw