How to analyse security scans from static analysis tools

Merative ™ Social Program Management is now Cúram ™ by Merative™

How to analyse security scans from static analysis tools on Merative ™ Social Program Management

Question & Answer

Question

How do I analyse security scans from static analysis on Merative Social Program Management?

Answer

Static analysis security reports from security scanning tools can be quite difficult to triage and analyse from a Merative Social Program Management (SPM) perspective due to large volumes of generated code.

The following sections provide information that is useful in triaging and analysing such security reports from static analysis tools to ease the burden of this process.

Encoding Routines

Merative™ Social Program Management includes a number of custom encoding routines that are used to neutralise untrusted content before it is output into the HTML of the browser. Most static analysis tools do not recognise these routines and will report a finding even when the data has been correctly sanitised by passing through one of them.

The custom routines in Merative Social Program Management are:

* curam.util.common.util.JavaScriptEscaper.escapeText
  This routine sanitises data for inclusion within a script node inside the HTML DOM.
* curam.util.common.util.XMLEscaper.escapeXML
  This routine sanitises data for inclusion directly in the HTML DOM. It is used for any data that will be embedded directly into the HTML DOM.
* curam.omega3.request.RequestUtils.escapeURL
  This routine sanitises data for inclusion in a URL and protects against CRLF injection attacks such as HTTP Response Splitting.

When triaging and analysing a static security report of Merative Social Program Management code, it is important to analyse the data that is being reported as problematic to determine if it has passed through any of these routines. If it has passed through an appropriate routine then the report is likely to be a false positive.

Analysing the Source of the Data

Many static analysis security tools have difficulty in fully understanding the context of the source of the data, and this can lead to concerns that are not genuine in the context of the application. An important example of this is property files deployed in the web application, and in particular the CDEJResources.properties file. The CDEJResources.properties file contains a number of options which control application behaviour. As this file is deployed in the build, only a developer or administrator can change its content, and any person with the ability to change this file could just as easily change the application code itself, which removes this as a valid attack vector. An important question to ask with all of the tools is "where is the data from?", and then to determine whether a threat genuinely exists based on the answer to this question.

Development Code in Deployments

A common issue that many static analysis security tools will report, particularly on older versions of Merative Social Program Management, is a test class included in a deployment. For example:
* A class used only in Unit Testing may be included in the deployment, or
* A main method used for testing in development may be included in the deployment, or
* A class that is part of the code that is used by the generator but not used at runtime may be included in the deployment.
For these, it is important to review the actual risk that each particular issue poses to the deployment: unless the code can be invoked remotely, it is only reachable by the machine administrator. In most cases it is unlikely to represent a true vulnerability in the context of the system, though in rare cases this might occur. It is important to review these findings in the context of the actual threat they pose to your system.
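The triage checks from the three sections above (an appropriate encoding routine on the data path, a data source that only an administrator can change, and development-only code) can be applied mechanically to a scan report. The script below is an added example and is not code from this article or from the product; the finding record layout, the category labels and the class names are assumptions, and the sample findings are constructed.

```python
"""Added triage helper, not part of the SPM product. Applies this article's
checks to constructed, simplified finding records (not any real scanner's
format): appropriate encoder on the data path, trusted data source, dev code."""

# The three SPM encoding routines named above and the output context each
# neutralises. Most SAST tools do not model them and flag the data anyway.
SANITISERS = {
    "curam.util.common.util.JavaScriptEscaper.escapeText": "script",
    "curam.util.common.util.XMLEscaper.escapeXML": "html",
    "curam.omega3.request.RequestUtils.escapeURL": "url",
}
# Finding categories are hypothetical labels (assumption), mapped to the
# output context that a sink of that kind requires.
SINK_CONTEXT = {"XSS_IN_SCRIPT": "script", "XSS_IN_HTML": "html",
                "HTTP_RESPONSE_SPLITTING": "url"}

def triage(finding):
    """Return (verdict, reason) for one finding."""
    needed = SINK_CONTEXT.get(finding["category"])
    seen = {SANITISERS[m]: m for m in finding["trace"] if m in SANITISERS}
    if needed in seen:
        return "likely false positive", f"data passed through {seen[needed]}"
    if seen:  # an encoder for a different context does not neutralise this sink
        ctx, method = next(iter(seen.items()))
        return "needs review", f"{method} encodes for {ctx}; sink needs {needed}"
    if finding["source"].endswith("CDEJResources.properties"):
        return "likely false positive", "source is a deployed properties file"
    if finding["sink_class"].endswith("Test") or finding["sink_method"] == "main":
        return "review as development code", "reachable only by an administrator unless invokable remotely"
    return "needs review", "no recognised sanitiser on the data path"

def triage_report(findings):
    """Map each finding id to its verdict."""
    return {f["id"]: triage(f)[0] for f in findings}

# Constructed sample findings; class names are placeholders.
SAMPLE_FINDINGS = [
    {"id": 1, "category": "XSS_IN_HTML", "source": "request parameter",
     "trace": ["curam.util.common.util.XMLEscaper.escapeXML"],
     "sink_class": "com.example.Page", "sink_method": "render"},
    {"id": 2, "category": "XSS_IN_HTML", "source": "request parameter",
     "trace": ["curam.omega3.request.RequestUtils.escapeURL"],
     "sink_class": "com.example.Page", "sink_method": "render"},
    {"id": 3, "category": "PATH_TRAVERSAL", "source": "CDEJResources.properties",
     "trace": [], "sink_class": "com.example.Loader", "sink_method": "load"},
    {"id": 4, "category": "COMMAND_INJECTION", "source": "command line args",
     "trace": [], "sink_class": "com.example.GeneratorTest", "sink_method": "main"},
]
```

Finding 2 shows the caveat: escapeURL on the path of an HTML sink is the wrong encoder for that context, so the finding stays open rather than being dismissed.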

XML Schemas in Merative Social Program Management

Some static analysis tools may report concerns about XML Schemas, such as concerns around the use of "unbounded" for a particular element. It is important to review such reports to determine if there is actually any risk posed. For example,

Deployment Descriptor Results

Some static analysis tools may report concerns about the deployment descriptors used for the Web Archives. For example, a tool may report that the security restrictions applied to files do not use J2EE role-based security. In this case, however, all access to data in the Merative Social Program Management application is mediated by the Merative Social Program Management Server, which includes its own role-based security mechanism that does not rely on the J2EE security roles and is configurable by system administrators.

Document Information

More support for:
Merative Social Program Management

Software version:
All Version(s)

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows, z/OS

Modified date:
17 June 2018