Article for conference booklet:
Most Drupal security vulnerabilities are discovered via manual code reviews or by accident. This session will introduce two automated approaches to detecting Cross-Site Scripting (XSS) and SQL Injection (SQLi) security vulnerabilities and present progress to date in applying them to Drupal.
Dynamic Analysis, or "data tainting," involves tagging data that a running program receives from untrusted sources as "tainted," propagating the taint to any data derived from tainted data, and detecting when tainted data is used in dangerous circumstances. For example, data tainting would detect when any data derived from unsanitized GET request parameters is output within HTML.
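Added example, not code from the session or from Drupal: a toy dynamic taint tracker in Python that follows the model just described, with GET parameters as the tainted source, HTML output as the sink and HTML escaping as the sanitizer; the class Tainted and the function names are my own and only a few string operations propagate taint here, whereas a real engine instruments the interpreter.

```python
from urllib.parse import parse_qsl
import html


class Tainted(str):
    """A str carrying a taint tag: it came from an untrusted source.

    Only the operations overridden here propagate taint (concatenation,
    slicing, upper); a real engine instruments every string operation in
    the interpreter. The 'source' attribute records the entry point.
    """
    def __new__(cls, value, source="untrusted"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key), self.source)

    def upper(self):
        return Tainted(str.upper(self), self.source)


def taint_get_params(query_string):
    """Entry point: every decoded GET parameter value is tagged as tainted."""
    return {k: Tainted(v, source="GET[" + k + "]") for k, v in parse_qsl(query_string)}


def sanitize(value):
    """HTML-escaping for an HTML text context clears the taint (plain str back)."""
    return html.escape(str(value))


def build_page(query_string, sanitized):
    """Build an <h1> from the 'name' GET parameter (constructed sample page)."""
    name = taint_get_params(query_string).get("name", "")
    shown = name[:20].upper()          # derived data inherits the taint
    if sanitized:
        shown = sanitize(shown)
    return "<h1>Hello " + shown + "</h1>"


def audit_output(fragment):
    """Sink check: report when tainted data reaches HTML output, else None."""
    if isinstance(fragment, Tainted):
        return "XSS: data from " + fragment.source + " reaches HTML output unsanitized"
    return None
```

Running build_page with sanitized=False on a query such as name=%3Cb%3Ehi hands a Tainted fragment to the sink, and audit_output names the GET parameter it came from; with sanitized=True the escaped text is a plain str and no finding is raised.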
Static Analysis involves performing data-flow analysis directly on source code to detect when certain kinds of security vulnerabilities are possible. Like Dynamic Analysis, it sometimes uses a data tainting model, but instead of operating within a live running program on real data, it studies all possible code paths within a program to identify potential problems.
Both dynamic and static analysis techniques have proved effective at identifying security vulnerabilities in Drupal. This session will describe how both techniques work and show examples of problems each has found.
Bios for conference booklet:
Barry is an entrepreneurially-minded computer programmer with a strong focus on computer security and privacy. Prior to Acquia, Barry spent two years as a Drupal core developer; he also created interMute, the first commercial web annoyance blocker, and Spamnix, a spam-blocking product. Barry is a maniacal whitewater kayaker and rock climber and generally spends his time wherever rocks, water, and gravity dance.