On the Value of Automated Code Scanners

[This was originally published on the OSVDB blog.]

CodeScan Labs recently disclosed that their new product was used on ASP Portal to look for vulnerabilities. These types of scanners are automated and check for common programming errors that lead to vulnerabilities. These types of tools have been around for many years, but are starting to mature quickly. However, one has to wonder just how effective they can be:

2006-03-02 – ASP Portal announces version 3.1.0 which contains “CodeScan security fixes”
2006-03-03 – ASP Portal announces version 3.1.1 which contains “a critical security Fix” (in news_item.asp)
2006-03-14 – CodeScan discloses their tool found 10 SQL injections and over 50 cross-site scripting vulns
2006-03-20 – nukedx releases a working exploit for an SQL injection (in download_click.asp)
2006-03-21 – nukedx releases details for 10 SQL injections in 3.1.1 including one in news_item.asp

So CodeScan finds 10 SQL injections, but doesn’t find the 11 others that nukedx finds a week later, and doesn’t find the “critical” issue in news_item.asp either. Hopefully these tools continue to mature very quickly. Maybe some day, cross-site scripting vulnerabilities will be a thing of the past! Hah, yeah right; if that were true, overflows and race conditions wouldn’t pop up every few days either.