{"id":8158,"date":"2021-07-19T09:36:43","date_gmt":"2021-07-19T14:36:43","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=8158"},"modified":"2021-08-19T10:55:31","modified_gmt":"2021-08-19T15:55:31","slug":"fortify-on-demand-remediation-introduction","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=8158","title":{"rendered":"Fortify on Demand Remediation &#8211; Introduction"},"content":{"rendered":"<p>The company for which I work signed a contract with some vendor for cloud-based static code analysis. We ran our biggest project through it and saw just shy of ten thousand vulnerabilities. Now &#8230; when an application sits out on the Internet, I get that a million people are going to try to exploit whatever they can in order to compromise your site. When the app is only available internally? I fully support firing anyone who plays hacker against their employer&#8217;s tools. When a tool is an automation that no one can access outside of the local host? Lazy, insecure code isn&#8217;t anywhere near the same problem it is for user-accessible sites. But the policy is the policy, so any code that gets deployed needs to pass the scan &#8212; which means <em>no<\/em> vulnerabilities identified.<\/p>\n<p>Some vulnerabilities have obvious solutions &#8212; SQL injection is one. It&#8217;s a commonly known problem &#8212; a techy joke is that you&#8217;ll name your kid &#8220;SomeName&#8217;;DROP TABLE STUDENTS; &#8230; and most database platforms support parameterized statements to mitigate the vulnerability.<\/p>\n<p>Some vulnerabilities are really a &#8220;don&#8217;t do that!&#8221; problem &#8212; as an example, we were updating the server and had a page with info(); on it. Don&#8217;t do that! I had some error_log lines that output user info that would be called when the process failed (&#8220;Failed to add ecckt $iCircuitID to work order $iWorkOrderID for user $strUserID with $curlError from the web server and $curlRepsonse from the web service&#8221;). I liked having the log in place so, when a user rang up with a problem, I had the info available to see what went wrong. The expedient thing to do here, though, was just comment those error_log lines out. I can uncomment the line and have the user try it again. Then checkout back to the commented out iteration of the file when we&#8217;re done troubleshooting.<\/p>\n<p>Some, though &#8230; static code analysis tools don&#8217;t always understand that a problem is sorted when the solution doesn&#8217;t match one of their list of &#8216;approved&#8217; methods. I liken this to early MS MCSE tests &#8212; there was a pseudo-GUI that asked you to share out a printer from a server. You had to click the exact right series of places in the pseudo-GUI to answer the question correctly. Shortcut keys were not implemented. Command line solutions were wrong.<\/p>\n<p>So I&#8217;ve started documenting the solutions we find <em>that pass the Fortify on Demand scan<\/em> for everything identified in our scans &#8212; hopefully letting the next teams that use the static scanner avoid the trial-and-error we&#8217;ve gone through to find an acceptable solution.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The company for which I work signed a contract with some vendor for cloud-based static code analysis. We ran our biggest project through it and saw just shy of ten thousand vulnerabilities. Now &#8230; when an application sits out on the Internet, I get that a million people are going to try to exploit whatever &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[45,1437,856,595,1440,35,69,1329],"class_list":["post-8158","post","type-post","status-publish","format-standard","hentry","category-coding","tag-coding","tag-fortify-on-demand","tag-javascript","tag-oracle","tag-oracle-db","tag-php","tag-security","tag-web-coding"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8158"}],"version-history":[{"count":3,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8158\/revisions"}],"predecessor-version":[{"id":8179,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8158\/revisions\/8179"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}