Nice feedback

This post has been syndicated from Peter Benson’s personal blog, “From The Source”
Excellent! We are starting to get some nice feedback from our users, and also from the community, and as a result, we have started incorporating some of the feedback into new releases coming up over the next couple of months.

We are already planning to release a new class of vulnerability, Stored Cross-Site Scripting, in our 1.8.4 release. We are taking a slightly different approach from some of the others in the space at the moment, and really expect to achieve both accurate detection and a large reduction in false positives.

Also keep an eye out for a revised File Management screen, which will provide better usability for adding and managing files in Projects. This is a good win for us, and will make the management of projects (applications) within CodeScan a lot easier.

We also had coverage last week in Computerworld, and good feedback and validation of our approach on the Serendipity IT Ltd blog.

Keep the feedback and comments coming, guys: the good, the bad, and the ugly. We’re here to build products for you, so the more the better. One free license each month for the best feedback!

It’s all good.

9 Responses to “Nice feedback”

  1. Michael says:

    Could you confirm whether Simon might be a bit biased?

    I just downloaded that product, and I have to say my first impression was “wtf?”

    It may be an important area of IT, but this product looks like some graduate built it 10 years ago.

    I see the need, but really don’t like this product.

    - Mike

  2. Matt says:

    We have received a lot of feedback around the interface, both good and bad, and we also recognise that the interface requires work. As a result we have developed a new user interface in the next release, and are planning on further interface/performance changes over the next few releases. We have an aggressive release schedule, so you can expect to see significant changes over the next few months. Simon’s comments were specifically around the functionality of the product, and outcomes found, rather than the product look and feel.

  3. Michael says:

    Thanks Matt,

    I found it really hard to use, and although the final report looked great, I really didn’t understand what needed to be fixed.

    Do you guys have a forum or even a tutorial on web security? It’s a new area to me, so struggling a bit.

    I checked out a couple of others – but they messed with my website and pushed all this crap data into my tables. So far your program hasn’t, just a bit crap to use.

    Is there a web tutorial or something I can sign up to?

    - Mike

  4. Matt says:

    Hi Mike,

    We’re currently in the process of building a new website which includes a forum and tutorial (watch this space) – but for now, the user guide documentation is probably your best source of information on how to use CodeScan. We have a quick start guide available at http://www.codescan.com/pdfs/CodeScan%20QSG%201.8.4%2020090825.pdf – and a full user guide available at http://www.codescan.com/pdfs/CodeScan%20User%20Guide%201.8.4%2020090825.pdf

    Within CodeScan, you’re able to find additional information through the “Module Descriptions”

    The trial version of CodeScan is limited to SQL Injection vulnerabilities, so the problems you’re seeing in your application are all related to sanitisation of user input. Any time when a user is allowed to enter information (eg, into a form) – if the data is not properly sanitised, they will be able to alter the query to do anything they like with your database. The random data that’s been added to your tables will be caused by the other scanners taking advantage of this vulnerability.

    To give you a practical example of an SQL injection, let’s assume you’re doing a SELECT query on products via a search box, and you’re concatenating the SQL query to do it (Never do this!!)

    $query = "SELECT * FROM Products WHERE ProductName LIKE '%" . $SearchString . "%'";

    If the user plays by the rules, and searches with an actual name, all will be well

    $SearchString = "Brown Sofa";
    $query = "SELECT * FROM Products WHERE ProductName LIKE '%" . $SearchString . "%'";

    // $query now reads SELECT * FROM Products WHERE ProductName LIKE '%Brown Sofa%'

    But if the user is malicious, they can perform a SQL Injection – guessing that you have a users table

    $SearchString = "'; DROP TABLE Users;--";
    $query = "SELECT * FROM Products WHERE ProductName LIKE '%" . $SearchString . "%'";

    // $query now reads SELECT * FROM Products WHERE ProductName LIKE '%'; DROP TABLE Users;--%'

    This will execute the first two queries, and fail on the third – however, you’ve now lost a user table. They can inject any query – and use this to gain full access to all information in your database.

    There is a quick guide on Wikipedia with some examples of ways to prevent SQL Injections – but put broadly – what you want to do is use Parameterised Queries. This will ensure that user input can’t be used for SQL Injections. http://en.wikipedia.org/wiki/SQL_injection#Preventing_SQL_injection

    SQL Injection is only one class of vulnerability though. The full version of CodeScan has much wider coverage. A good place to start in the security space is the OWASP Top 10 – http://www.owasp.org/index.php/Top_10_2007#Summary. OWASP is a fantastic resource, have a read around the site.

    We’re planning to launch a full knowledge base with content such as this very soon, with information about a wide range of vulnerabilities. Would this be of use to you?

    Thanks,
    Matt
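    A runnable contrast between the concatenated query in Matt's reply and the parameterised form he recommends, added here as an example; it is not part of his reply or of CodeScan's code. It assumes a constructed in-memory SQLite table with a ProductName column standing in for the Products table, and uses a quote-plus-tautology input rather than the DROP TABLE payload so that a single statement shows the difference.

```python
import sqlite3


def build_db():
    # Constructed sample data: an in-memory stand-in for the Products table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Products (Id INTEGER PRIMARY KEY, ProductName TEXT)")
    db.executemany("INSERT INTO Products (ProductName) VALUES (?)",
                   [("Brown Sofa",), ("Red Chair",), ("Oak Table",)])
    return db


def search_vulnerable(db, search_string):
    # Same shape as the PHP in the reply: the user's text is spliced into the
    # SQL, so a quote in it ends the literal and the rest is parsed as SQL.
    query = ("SELECT ProductName FROM Products WHERE ProductName LIKE '%"
             + search_string + "%'")
    return [row[0] for row in db.execute(query)]


def search_parameterised(db, search_string):
    # The placeholder keeps the statement fixed; the driver passes the value
    # separately, so quotes, semicolons and comment markers stay plain data.
    query = "SELECT ProductName FROM Products WHERE ProductName LIKE ?"
    return [row[0] for row in db.execute(query, ("%" + search_string + "%",))]


if __name__ == "__main__":
    db = build_db()
    honest = "Brown Sofa"
    # Closes the quoted pattern and adds an always-true condition; the trailing
    # comment marker discards the rest of the original statement.
    hostile = "xyz' OR 1=1 --"
    print("vulnerable / honest:    ", search_vulnerable(db, honest))
    print("vulnerable / hostile:   ", search_vulnerable(db, hostile))      # every row
    print("parameterised / honest: ", search_parameterised(db, honest))
    print("parameterised / hostile:", search_parameterised(db, hostile))  # no rows
```

    The parameterised version returns nothing for the hostile input because the whole string is matched as a LIKE pattern, which is exactly the behaviour the static scanner is trying to get the application to adopt.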

  5. James says:

    I agree with the other comments made on this website. I ran up CodeScan yesterday and uninstalled it about 10 minutes later.
    The user interface is worse than a graduate’s work; it’s clunky and hard to understand and follow. I found myself getting lost and frankly confused while using it.

    I also ran CodeScan over one of my own developed applications, which caused it to crash horribly! I would say there is some more work required on CodeScan to make it usable

    and fire the grads..

  6. Matt says:

    Hi James, thanks for your feedback. All feedback is greatly appreciated at any stage.

    Can you please confirm which version of CodeScan you were using? Was it version 1.8.5 (with a visual studio like look and feel) – or version 1.8.4?

    If you could provide any more details about the crash that you experienced that would be greatly appreciated – What language were you scanning in? If you can provide us more info we’ll make a bug report and have it followed up by our developers to ensure that it’s fixed quickly.

    We’re currently starting our next round of releases, of which there will be substantial changes and improvements – if you have any specific requests for changes and improvements in the UI/process, we’ll definitely take that into account. How would you expect CodeScan to work, and what would you like to see in regards to the interface? We’d be greatly appreciative if you would provide us with some specific points where we can improve. Any and all feedback is fantastic; we are developing this product for the community, and the more input we have to the ongoing development, the better the outcome will be for users.

    Thanks,
    Matt

  7. Michael says:

    Sorry. I’ve got better things to do than work with this product. I know you wanted some good feedback, but sorry.

  8. John says:

    Hi,

    Just tried CodeScan 1.8.4 and I am not sure about this software. As soon as I started it, I got a blue screen on my Windows XP Pro, SP3. The blue screen says:

    *** STOP: 0x0000009F (0xC0000009, 0xDD5CCAF2, 0xDC90F7C0)
    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED

    My suggestion is to use something else such as swaat or yasca, both free and more stable.

    Cheers,

    John

  9. Matt says:

    Hi John,

    Are you sure that you are running CodeScan 1.8.4? If so, I’d recommend that you upgrade to 1.8.5 – our most recent release. This may solve your problem. To upgrade, simply log in using the link on the top right of any page on http://www.codescan.com, and you will be provided with a download link.

    If you still run into problems, please let me know – matt@codescan.com. I’ll get our developers to look into it further.

    Cheers,
    Matt

Copyright © 2009 CodeScan Labs, All Rights Reserved