
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

And, as with the white hat, the auditing tool's output
is by no means definitive. It is entirely possible to find vulnerabilities in areas of a
program not flagged during the automated source audit.

The Gray Hat Point of View

So where does the gray hat fit in here? It is often not the gray hat's job to fix the source code
she audits. She should certainly present her finding to the maintainers of the software, but
there is no guarantee that they will act on the information, especially if they do not have
the time, or worse, refuse to seriously consider the information that they are being furnished.
In cases where the maintainers refuse to address problems noted in a source code
audit, whether automated or manual, it may be necessary to provide a proof-of-concept
demonstration of the vulnerability of the program. In these cases, it is useful for the gray
hat to understand how to make use of the audit results for locating actual vulnerabilities
and developing proof-of-concept code to demonstrate the seriousness of these vulnerabilities.
Finally, it may fall on the auditor to assist in developing a strategy for mitigating the
vulnerability in the absence of a vendor fix, as well as to develop tools for automatically
locating all vulnerable instances of an application within an organization's network.

