A new web application security scanner, developed by a former MIT student who is now a postdoctoral researcher at Berkeley, could be a real find for developers wishing to lock down bugs that live outside the OWASP Top 10.
The static-analysis tool is called Space and will be unveiled at the upcoming International Conference on Software Engineering (ICSE). Space, used in conjunction with two other MIT-built web application security tools called Alloy (a language that describes programming structures) and Derailer (a tool that enumerates how app data might be exposed), can make bug-hunting in web apps more efficient.
Its developer, Joseph P. Near, under the supervision of MIT Computer Science and Artificial Intelligence Laboratory professor Daniel Jackson, ran the scanner against 50 open source Ruby on Rails applications that had been favorited on GitHub for one reason or another. The scans turned up 23 new vulnerabilities, which were reported to the respective developers; the maximum time per scan, MIT said, was 64 seconds.
“The classic flaws we detect are basically inadequate mechanisms to protect read-write access to critical resources,” Jackson told Threatpost.
“We were very interested from the beginning in application-specific bugs,” Jackson said. “We saw so much progress on generic anomalies such as SQL injection and cross-site scripting, things that blacklisting, whitelisting and sanitization could take care of, that we saw a need to address application-specific errors.”
Jackson said that web application developers make assumptions about the context in which their code runs when securing applications, and allow certain behaviors on the strength of those assumptions. If the assumptions about context are never checked, vulnerabilities could arise that enable unwanted read-write access, Jackson said. Space, Jackson said, brings a catalog of known common patterns to its scans: it checks code independently of context and extracts the conditions the application uses to decide whether access should be allowed.
Space was part of Near’s PhD work, MIT said. In building Space, he identified seven ways Web applications control access to data such as the public availability of data, or administrative access, for example. For each access pattern, MIT said, Near built a model that describes the level of access users should be granted. Space then evaluates whether the application conforms to policy, and if not, flags behavior as potentially malicious.
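To make the idea concrete, here is a toy check in plain Ruby, added for illustration and not part of Space or MIT's work: it reads a constructed Rails controller, extracts the before_action guards that apply to each action, and flags data-modifying actions whose only guard is a generic login check (assumed here to be named authenticate_user!), since logging in alone does not tie a write to the resource's owner. The real tool models seven access patterns and checks conformance to a policy; this only shows the "extract the conditions, compare them with the access" step.

```ruby
# Constructed sample controller: update and destroy are guarded by an
# ownership check, create and publish are reachable by any logged-in user.
SAMPLE_CONTROLLER = <<~RUBY
  class PostsController < ApplicationController
    before_action :authenticate_user!
    before_action :require_owner, only: [:update, :destroy]

    def index; end
    def create; end
    def update; end
    def destroy; end
    def publish; end
  end
RUBY

# Rails conventions treat these actions as read-only; anything else is
# assumed to modify data (an approximation for this toy example).
READ_ACTIONS = %w[index show new edit].freeze

# Map each action name to the list of before_action filter names that guard
# it, honoring `only:` and `except:` option lists.
def guards_by_action(src)
  actions = src.scan(/^\s*def\s+(\w+)/).flatten
  guards = Hash.new { |h, k| h[k] = [] }
  actions.each { |a| guards[a] }  # every action gets an entry, even unguarded
  src.scan(/before_action\s+:([\w!?]+)(.*)$/).each do |name, opts|
    only = opts[/only:\s*\[([^\]]*)\]/, 1]
    except = opts[/except:\s*\[([^\]]*)\]/, 1]
    covered = if only then only.scan(/:(\w+)/).flatten
              elsif except then actions - except.scan(/:(\w+)/).flatten
              else actions
              end
    covered.each { |a| guards[a] << name }
  end
  guards
end

# Write actions whose guards, minus the generic login filters, are empty are
# reported: the access decision never looks at the specific resource.
def unguarded_write_actions(src, login_guards = %w[authenticate_user!])
  guards_by_action(src).select do |action, names|
    !READ_ACTIONS.include?(action) && (names - login_guards).empty?
  end.keys.sort
end

puts unguarded_write_actions(SAMPLE_CONTROLLER).inspect
# => ["create", "publish"]
```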
Space is still a prototype, and Jackson said developers can run it free-standing; it could also someday be packaged as part of a bigger scanner.
“It has great promise,” Jackson said. “It’s exciting for the potential it has and the paths it could open for better application security.”