How To Avoid the Blind Spot In Static Analysis Tools Caused By Frameworks

Excerpt from my latest blog post at Cigital…

More and more organizations are using static analysis tools to find security bugs and other quality issues in software long before the code is tested and released. This is a good thing: despite their well-known frustrations, such as high false positive rates and relatively slow scans, these tools are improving the overall security of software. Unfortunately, there is a less well-known problem. The tools do not understand modern frameworks nearly as well as they understand the base languages, and that gap creates a dangerous blind spot.

The blind spot

Frameworks are doing more and more of the basic work, providing the common functionality every application needs. This is a fantastic leap forward in productivity and in how fast software can be released, and it frees up time to focus on the core business functionality of applications.

Sometimes a framework is a clearly separate thing (Spring, for example) and sometimes it is a mix of basic functionality and advanced features (the .NET Framework, where the tools understand some features but not others). Frameworks are virtually exploding around us, offering many options for taking care of the drudge work of application writing.

This explosion is happening fast and seems to be accelerating: new versions, and entirely new frameworks, appear faster than most people can keep up with. Static analysis tools do a decent job of keeping up with the base languages, but there is almost no way they can keep up with every framework, or even handle a handful of them well. As frameworks take over more and more of the plumbing within applications, this inability to understand what the plumbing does creates a blind spot in which code gets scanned and nothing gets reported.

Frameworks create data flows the static analysis tools may be blind to. They introduce sources of tainted data (a request parameter that the framework binds directly to a handler argument, for example) that the tools know nothing about, so there is nothing to trace to the sinks in the code where problems could occur. They may also introduce new sinks, and since the tools do not know of those either, sources in the code cannot be traced to them. And they provide functionality behind the scenes that the tools do not see at all.

If the static analysis tools cannot see it, they cannot report it. If they do not report it, organizations are left feeling secure when they are not.

False positives are annoying. False negatives are dangerous.
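To make the blind spot concrete, here is an added toy taint analyzer (my example, not code from the original post or from any real tool). It traces known sources to known sinks over a constructed sample program; the names `app.route`, `request.args.get` and `cursor.execute` are stand-ins for a framework's handler-binding decorator, a base-library input call, and a SQL execution sink. With only base-language rules the analyzer reports the legacy handler and stays silent on the framework-bound one, even though both build the same injectable query. Adding a single framework rule (parameters of a decorated handler are user input) makes the second finding appear. Commercial tools expose the same lever as custom source and sink rules, and writing those rules for the frameworks you use is the practical fix for this blind spot.

```python
import ast

# Constructed sample (not from the post): one handler whose input is bound by a
# framework decorator, one that reads input through a base-library call, one safe.
SAMPLE = '''
@app.route("/search/<q>")
def search(q):
    cursor.execute("SELECT * FROM items WHERE name = '" + q + "'")

def legacy(request):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def safe(request):
    cursor.execute("SELECT * FROM users WHERE id = ?", (1,))
'''

BASE_SOURCES = {"request.args.get"}          # what a base-language rule set knows
SINKS = {"cursor.execute"}                   # SQL execution sink
FRAMEWORK_ENTRY_DECORATORS = {"app.route"}   # the framework rule the tool lacks


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Intra-procedural taint tracking: sources -> variables -> sinks."""

    def __init__(self, sources, sinks, entry_decorators=()):
        self.sources = set(sources)
        self.sinks = set(sinks)
        self.entry_decorators = set(entry_decorators)
        self.findings = []  # (function name, sink, line number)

    def _is_tainted(self, expr, tainted):
        # An expression is tainted if it mentions a tainted variable or calls a source.
        for sub in ast.walk(expr):
            if isinstance(sub, ast.Name) and sub.id in tainted:
                return True
            if isinstance(sub, ast.Call) and dotted(sub.func) in self.sources:
                return True
        return False

    def visit_FunctionDef(self, fn):
        tainted = set()
        # Framework rule: parameters of a decorated handler are user-controlled.
        for dec in fn.decorator_list:
            target = dec.func if isinstance(dec, ast.Call) else dec
            if dotted(target) in self.entry_decorators:
                tainted.update(a.arg for a in fn.args.args)
        # Walk statements in order so earlier assignments taint later sinks.
        for stmt in fn.body:
            for node in ast.walk(stmt):
                if isinstance(node, ast.Assign) and self._is_tainted(node.value, tainted):
                    tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
                elif isinstance(node, ast.Call) and dotted(node.func) in self.sinks:
                    if any(self._is_tainted(a, tainted) for a in node.args):
                        self.findings.append((fn.name, dotted(node.func), node.lineno))


def scan(code, sources, sinks, entry_decorators=()):
    """Run the analyzer over source text and return its findings."""
    analyzer = TaintAnalyzer(sources, sinks, entry_decorators)
    analyzer.visit(ast.parse(code))
    return analyzer.findings


if __name__ == "__main__":
    print("base rules only:    ", scan(SAMPLE, BASE_SOURCES, SINKS))
    print("with framework rule:", scan(SAMPLE, BASE_SOURCES, SINKS, FRAMEWORK_ENTRY_DECORATORS))
```

Running it prints one finding for `legacy` under the base rules and two findings (`search` and `legacy`) once the `app.route` rule is supplied. The silent `search` case is exactly the "code gets scanned and nothing gets reported" situation: the query is just as injectable, but the tool never learned that the framework put user input into `q`.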

Read more at the Cigital blog

Fixing an Acronis True Image 2016 Hang During Backup

Update:

There’s a more direct solution available but the original solution I found is below.

The Problem

In the last month or so, my copy of Acronis True Image 2016 has been hanging during the scheduled backup every night. It hangs while showing the "calculating remaining time" status, which seems to fit the description in the Acronis forums. The posted solution that seemed to make the most sense blamed Microsoft's Volume Shadow Copy service (VSS), but I didn't want to just disable that service as suggested.

Looking for the Solution

Being a techie and knowing Windows pretty well, I knew services could be enabled and disabled from the command line using the sc command. I figured that by combining it with True Image's ability to run commands before and after a backup, I could disable and re-enable VSS and fix the problem. The catch is that sc requires administrator privileges. Automating it without causing a User Account Control (UAC) prompt was the thing to overcome; I didn't know whether the prompt would actually be a problem while the backup was running, but I knew I didn't want it to be one.

While looking for a way around that, I found this post at How-To Geek and another at TechRepublic. They describe creating an on-demand scheduled task set to run with elevated privileges and then starting that task from a lower-privilege session with the schtasks command. That seemed to fit my needs nicely. Continue reading “Fixing an Acronis True Image 2016 Hang During Backup”
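As an added example (mine, not the post's own script, which sits behind the "continue reading" link above), here is the How-To Geek technique written in PowerShell. It registers two on-demand tasks that run with highest privileges, so that `schtasks /run` from the non-elevated session starts them without a UAC prompt. Everything not in the post is an assumption of mine: that the logged-on account is an administrator, that True Image runs its pre/post commands in that user's non-elevated session, that the service short name is VSS, and that the task folder and names (`\Backup\VSS-Stop`, `\Backup\VSS-Start`) are arbitrary choices.

```powershell
# Added example, not the post's script. Run ONCE from an elevated PowerShell
# as the administrator account that is logged on when the backup runs.
$user = "$env:USERDOMAIN\$env:USERNAME"

# "Run with highest privileges": the task gets the account's full admin token,
# so schtasks /run from an unelevated prompt of the same user starts it
# without a UAC prompt. Interactive logon type matches the How-To Geek method
# (assumption: the user is logged on when the backup fires).
$principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                                          -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

# Inside PowerShell "sc" is an alias for Set-Content, so call sc.exe explicitly.
# Note the space after "start=" is required by sc.exe's syntax.
$stopVss = @(
    (New-ScheduledTaskAction -Execute "sc.exe" -Argument "config VSS start= disabled"),
    (New-ScheduledTaskAction -Execute "sc.exe" -Argument "stop VSS")
)
$startVss = @(
    (New-ScheduledTaskAction -Execute "sc.exe" -Argument "config VSS start= demand")
)

# No -Trigger: these tasks run only when something starts them on demand.
Register-ScheduledTask -TaskPath "\Backup\" -TaskName "VSS-Stop"  -Action $stopVss  `
                       -Principal $principal -Settings $settings -Force
Register-ScheduledTask -TaskPath "\Backup\" -TaskName "VSS-Start" -Action $startVss `
                       -Principal $principal -Settings $settings -Force

# Check from a NON-elevated prompt: no UAC prompt should appear, and
# Get-Service should report VSS as Stopped between the two calls.
#   schtasks /run /tn "\Backup\VSS-Stop"
#   Get-Service VSS
#   schtasks /run /tn "\Backup\VSS-Start"
```

The pre-backup command field in True Image then gets `schtasks /run /tn "\Backup\VSS-Stop"` and the post-backup field gets `schtasks /run /tn "\Backup\VSS-Start"`. One caveat worth keeping in mind: each task is a standing, prompt-free path from the user's filtered token to full administrator rights, and anything running as that user can trigger it. Keep the actions fixed (absolute executable, no parameters taken from anywhere writable by non-admins) so the most such a trigger can do is stop or start VSS.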

Bob Speidel’s Underground Tour of Seattle

Hit Bob Speidel’s Underground Tour yesterday. Great tour of some of the underground that was created after the great Seattle fire of 1889. After the fire the city wanted to raise the ground level to avoid all the problems that being on such low ground caused. That plan was going to take too long, so the businesses started rebuilding at the original ground level. They had to plan on their second story becoming their main entrance as the city built the streets and its property up higher. Eventually the businesses and the city built new sidewalks at the new level, but the original level remained in use for a long time, and some of it still is. A lot of it was sealed off and left to decay until Bob Speidel broke into it and started doing tours as part of an effort to raise awareness and get Pioneer Square declared a protected historic site. The tours have been going strong for over 50 years now.

Flying Heritage Museum

I visited Paul Allen’s Flying Heritage Collection a few weeks ago. Lots of great warbirds and other war materiel. Most of the birds can still fly, although some, like the FW 190 D-13, won’t, since it is the last surviving one of its kind.