Kiwi software developer CodeScan Labs is taking software security scanning mainstream, with a low-cost code scanner its developer says takes a different approach to software security testing.
Peter Benson, the founder of security consultancy Security-assessment.com, which was bought by Datacraft last year, says his new CodeScan product contains some “seriously cool stuff” that allows new programming languages to be added in weeks.
CodeScan now scans ASP Classic, PHP, ASP.Net, and C#.Net code, but more languages are on the way, Benson says. Java is “on the horizon”.
CodeScan Labs last week released version 1.8.3 for .Net that includes identification of the commonly exploited web application vulnerabilities SQL injection and cross-site scripting.
Benson is particularly pleased to have developed scanning for what he calls an emerging class of vulnerability, stored cross-site scripting, or “Stored XSS”. In these attacks, injected code is permanently stored on the server in a database or field. The exploit takes place when the stored code is fed back to users, Benson says.
He says a standard approach to scanning for such vulnerabilities would involve looking at every instance of stored data, and this would lead to large numbers of false positives. CodeScan instead finds these vulnerabilities by tracking the data input and output paths.
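To make the distinction concrete, here is an added toy taint tracker (not CodeScan's code; the statement tuples, function names and three-page sample are constructed for this illustration). It follows a value from a request parameter through a database column to an HTML output sink, and contrasts that with a scanner that simply flags every output of stored data.

```python
# Added toy taint tracker (not CodeScan's code). Toy IR, one tuple per statement:
#   ("input", var, param)   ("const", var, text)   ("escape", var, src)
#   ("store", field, var)   ("load", var, field)   ("output", var)
def _pass(program, tainted_fields):
    tainted_vars, findings = set(), []
    for idx, (op, *args) in enumerate(program):
        if op == "input":                      # untrusted source
            tainted_vars.add(args[0])
        elif op in ("const", "escape"):        # literal or sanitised: clears taint
            tainted_vars.discard(args[0])
        elif op == "store" and args[1] in tainted_vars:
            tainted_fields.add(args[0])        # taint persists in the column
        elif op == "load":                     # taint follows the column back out
            if args[1] in tainted_fields:
                tainted_vars.add(args[0])
            else:
                tainted_vars.discard(args[0])
        elif op == "output" and args[0] in tainted_vars:
            findings.append(idx)               # tainted data reaches the sink
    return findings

def find_stored_xss(program):
    """Iterate to a fixpoint so a display page may precede its form handler."""
    tainted_fields = set()
    while True:
        n = len(tainted_fields)
        findings = _pass(program, tainted_fields)
        if len(tainted_fields) == n:
            return findings

def naive_stored_scan(program):
    """Every output of loaded data is a hit: the approach the article criticises."""
    loaded, hits = set(), []
    for idx, (op, *args) in enumerate(program):
        if op == "load": loaded.add(args[0])
        elif op == "output" and args[0] in loaded: hits.append(idx)
    return hits

SAMPLE = [  # constructed three-page app
    ("input", "body", "comment"),          # comment.php: form field
    ("store", "comments.body", "body"),
    ("const", "title", "Widget Co"),       # settings.php: literal
    ("store", "settings.title", "title"),
    ("load", "t", "settings.title"),       # show.php
    ("output", "t"),                       # 5: stored, never user-controlled
    ("load", "c", "comments.body"),
    ("output", "c"),                       # 7: stored XSS
    ("escape", "safe", "c"),
    ("output", "safe"),                    # 9: escaped first
]
```

On the sample, `find_stored_xss` reports only statement 7, while `naive_stored_scan` also reports statement 5, the false positive the article describes.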
Benson says CodeScan has deliberately entered the market as an affordable security tool to be easily accessible to anyone that works with web source code and web applications. He says security issues affect the whole online world and not just the large corporates who can afford high-end security products.
The tool is built to scan bespoke code, which puts CodeScan on a different footing from most other products, which do string searches of the languages they support.
“We decided to tackle the hard problem first,” he says.
The engine behind CodeScan can handle any programming language, Benson says; it is just a matter of developing the interfaces and the vulnerability signatures.
Basic Google searches reveal tens of millions of sites worldwide using the .Net language, with dynamic content, he says.
This means that a huge number of websites are potentially exposed to a range of attacks.
He says that because most web development focuses on usability, function and features, security is frequently not built into the applications.