The increasing adoption of Social, Mobile, Analytics, and Cloud (SMAC) technologies, together with growth in data volumes, has heightened concerns about data security. With large enterprises building or deploying new applications on public cloud platforms, there are doubts about the safety of company data. Moreover, an organization's enterprise application estate is now huge in size and scale: it includes all Internet-facing applications, among them those accessed by mobile users, SaaS applications, and platform- and infrastructure-as-a-service interfaces. Against this background, enterprises have succeeded in defending the application perimeter and are now focusing their efforts on securing the application layer, which is where the majority of attacks are aimed, according to Gartner.
The source code of enterprise applications is often a major source of vulnerabilities that can be exploited by hackers to gain access to confidential information. Static code analysis is one of the security tools that an enterprise can use to identify vulnerabilities in code before the application is deployed. These automated tools review source code (or in some cases object code) line by line to detect coding errors or security vulnerabilities before the code is released into production.
Static analysis tools review code before it goes live, while dynamic analysis tools conduct automated scans of production web applications to uncover vulnerabilities. Some organizations may use both to detect and fix vulnerabilities.
In recent years, code analysis has become standard in software development. Incorporating security earlier in the Software Development Life Cycle (SDLC) uncovers vulnerabilities sooner, which reduces cost and increases efficiency compared with finding and patching application flaws after the code is in production. Static code analysis tools scan through source code looking for violations of defined rules; they highlight any potential problem areas in the code relating to security, performance, interoperability, etc., that may require the attention of skilled personnel.
Even when organizations use vendor-written code or third-party software for which source code may not be provided, that code must still be tested to ensure that it is functionally correct and secure. Most static analyzers scan source code, but where source code is not available, binary code (object code or compiled code) scanning is possible using analyzers such as Veracode, HP's Fortify, WhiteHat Sentinel and IBM, or open source static code analyzers.
Organizations typically use static analyzers at two stages of the development process. First, developers use them within the development environment to check their own code as they write it: they can review the warnings generated, weed out false positives, and fix any potential problems. Second, static analyzers are run against the code repository, so that code being checked in is analyzed at check-in time and a report with a list of issues to address is generated. Some organizations also run the analyzer on incremental builds or in nightly runs to identify potential vulnerabilities across the code base. The results generated by any open source or proprietary code analysis tools can be aggregated into a dashboard.
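As an added illustration of the rule-based scan described above and the check-in gate it feeds (example code, not from the article or any vendor's product), here is a minimal Python AST checker with three constructed rules; the rule ids, the rule set and the sample snippet being "checked in" are hypothetical:

```python
import ast
# Variable names treated as credential holders (constructed list)
SECRET_NAMES = {"password", "passwd", "secret", "api_key", "token"}

class SecurityChecker(ast.NodeVisitor):
    """Walks the AST once and records (rule id, line, message) violations."""
    def __init__(self):
        self.findings = []
    def report(self, rule, node, msg):
        self.findings.append((rule, node.lineno, msg))
    def visit_Call(self, node):
        f = node.func
        # SEC001: eval()/exec() calls
        if isinstance(f, ast.Name) and f.id in {"eval", "exec"}:
            self.report("SEC001", node, f"{f.id}() call")
        # SEC002: subprocess.<anything>(..., shell=True)
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id == "subprocess"
                and any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                        and k.value.value is True for k in node.keywords)):
            self.report("SEC002", node, f"subprocess.{f.attr} with shell=True")
        self.generic_visit(node)
    def visit_Assign(self, node):
        # SEC003: string literal assigned to a credential-looking name
        v = node.value
        if isinstance(v, ast.Constant) and isinstance(v.value, str):
            for t in node.targets:
                if isinstance(t, ast.Name) and t.id.lower() in SECRET_NAMES:
                    self.report("SEC003", node, f"hardcoded credential in '{t.id}'")
        self.generic_visit(node)

def analyze(source):
    """Scan one file's source; a check-in hook would reject it if this is non-empty."""
    checker = SecurityChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda fnd: fnd[1])

# Constructed sample of code being checked in
SAMPLE = '''import subprocess
password = "hunter2"
def run(cmd, expr):
    subprocess.run(cmd, shell=True)
    return eval(expr)
'''

if __name__ == "__main__":
    for rule, line, msg in analyze(SAMPLE):
        print(f"{rule} line {line}: {msg}")
```

Each finding carries the line number so the report can be traced back to the source, which is what makes developer triage of false positives practical.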
While static code analysis is an integral part of application security testing, tools cannot replace processes. Processes have to be in place to ensure that application security is being considered from the beginning of the SDLC, starting with defining requirements and design. To maximize the impact of source code reviews, warnings output by the analyzers have to be addressed and potential problems fixed. Application testing should thus not only include functionality testing, but also check for security vulnerabilities. The importance of incorporating security testing to mitigate an organization’s risk profile cannot be overstated.
Manoj Rai has around 14 years of IT experience in enterprise application, mobile and infrastructure security. He has rich and diverse global experience in leading large engagements and building deep technology expertise in the security testing domain.
Manoj holds a Bachelor of Engineering in Computer Science, with an MBA in Systems and an Executive Delivery Program from IIM-Bangalore. He is a regular speaker on technical subjects such as ethical hacking, mobile security, secure SDLC and cloud security at CISO platforms, OWASP, BLUG, NULL, etc. He blogs regularly and has published white papers on threat management and best practices in various social groups.