You run an Ounce source code security scan on a brand new large Web application and come up with over 100K findings. Assuming 30 seconds to triage each finding, you estimate it will take you about 34 days working non-stop (without sleep) to clear through all the findings. Hmmm, way too much Red Bull. Now what?
Digging in a little bit more, you see that most of the findings trace back to the same root findings in common include files. As a result, each finding in an include file translates into thousands of findings (essentially one for each JSP that includes that file).
What can you do? Fixing those few root findings will reduce your finding count. However, in some cases, these findings are false positives. Ideally, the Ounce scanner should have detected the similarities and just flagged the include file once. Ounce Labs said they are working on a fix.
One trick is to go to the Configuration perspective for that Web application. Click on the Overview tab and select the "Filter findings contained in external sources" option to exclude the findings from the included files. The original intent of this filter is to "filter out any findings discovered in files that are not source files of the scanned project. This option reduces noise for projects where findings are reported in compiler-generated or temporary files, such as ASP.NET."
In my case, the subsequent scan (without any other changes) dropped the findings down from over 100K to just 15K.
Next, you will still want to scan all those include files. To do that (as a brute-force approach), you could issue the following command to find all unique include files:
egrep -R -i "<%@ +include +file *= *\"" * | \
sed 's/.*file *= *"\(.*\)".*/\1/' | sort | uniq
The egrep command recursively scans all files for lines containing <%@ followed by one or more spaces, then "include", one or more spaces, "file", and then "=" (with optional spaces around it) and an opening double quote. The sed command discards everything on the line except the characters between the quotes after "file=", i.e. the include path. The sort and uniq give you the list of distinct include files.
This gives you the list of include files that the filter omitted from your scan. You should now create a smaller project under the current application to scan only these include files.
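The same enumeration as a script, with a per-include reference count added so you can see which root files fan out into the most findings and size the follow-up include-only project. This is an added example, not code from the original post or from Ounce Labs; it assumes a grep that supports -R, -h and -E and a sed that supports -E (GNU and BSD both qualify), and the sample JSP tree it builds under mktemp is constructed purely so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): list the distinct JSP static
# include targets under a source tree and count how many JSPs pull each one in.
# Assumes grep -R -h -E and sed -E are available (GNU and BSD both work).

# A static include directive: <%@ include file="..." %>, tolerating spaces or
# tabs around the tokens and either quote style. grep -i covers upper case.
INCLUDE_RE="<%@[[:space:]]+include[[:space:]]+file[[:space:]]*=[[:space:]]*[\"']"

# Keep only the quoted path after file=; everything else on the line is dropped.
# [Ff][Ii][Ll][Ee] mirrors grep -i, because sed -E has no portable case flag.
EXTRACT_SED="s/.*[Ff][Ii][Ll][Ee][[:space:]]*=[[:space:]]*[\"']([^\"']*)[\"'].*/\\1/"

# Print each distinct include path once, sorted (same result as the
# egrep | sed | sort | uniq pipeline in the post).
list_unique_includes() {
    grep -R -i -h -E "$INCLUDE_RE" "$1" | sed -E "$EXTRACT_SED" | sort | uniq
}

# Same extraction with a reference count per include, most referenced first.
count_includes() {
    grep -R -i -h -E "$INCLUDE_RE" "$1" | sed -E "$EXTRACT_SED" | sort | uniq -c | sort -rn
}

# Constructed sample tree (not real project files) so the script runs offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/pages" "$d/common"
    printf '<%%@ include file="/common/header.jsp" %%>\n<%%@ include file="/common/footer.jsp" %%>\n' > "$d/pages/a.jsp"
    # tabs, spaces around '=', single quotes and upper-case keywords still match
    printf "<%%@\tinclude\tfile = '/common/header.jsp' %%>\n<%%@ INCLUDE FILE=\"/common/footer.jsp\"%%>\n" > "$d/pages/b.jsp"
    # <jsp:include> is a runtime include, not a directive, so it is
    # deliberately not picked up and must be reviewed separately
    printf '<%%@ include file="/common/header.jsp" %%>\n<jsp:include page="/common/nav.jsp" />\n' > "$d/pages/c.jsp"
    printf '<html><body>\n' > "$d/common/header.jsp"
    echo "$d"
}

# Usage: sh include_list.sh [webapp_dir]  (defaults to the constructed sample)
TARGET="${1:-$(make_sample_tree)}"
echo "Distinct include files under $TARGET:"
list_unique_includes "$TARGET"
echo
echo "References per include file:"
count_includes "$TARGET"
```

Two caveats when you feed the output into the smaller project: relative include paths resolve against the directory of the including JSP, so the same physical file can show up under more than one name, and dynamic <jsp:include> tags are not matched by the directive regex and need their own pass.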
Hope this helps.
An0n S3c