7 Reasons to Embrace Source Code Analysis

February 9, 2015 by Sharon Solomon

With the exponential rise in cybercrime in recent years, application security is starting to take center stage. Conventional methods such as antivirus solutions and firewall tools have become less effective in fighting the ever-evolving malware and hackers. The growing consensus is that security starts from the foundation – the application code. Choosing the right solution for your project is where things start getting complicated.

Dynamic Application Security Testing (DAST), also known as “black-box testing”, runs against the application in its deployed form, so it is applied in the later stages of development and in some cases only once the application is already up and running. Issues therefore surface late, which makes remediation long and costly. Because DAST observes the application only through its requests and responses, it reports where a flaw is triggered (a URL or a parameter) rather than which line of source code causes it; this inability to pinpoint the exact location of a flaw is an inherent limitation of the methodology.

Penetration (pen) testing involves hiring specially trained security experts who test the robustness of the application by actively trying to compromise it. It is usually performed after major upgrades or modifications, gives only a point-in-time view, and is best used as a complementary security strategy because of its limited coverage and high cost.

This is where Static Application Security Testing (SAST) enters the scene. Source Code Analysis (SCA), the scanning of the raw source code itself, has numerous advantages for companies and customers alike. (Throughout this article SCA means source code analysis; the same abbreviation is now commonly used for Software Composition Analysis, the scanning of third-party dependencies, which is a different discipline.) This article covers the top 7 benefits of adopting the Source Code Analysis methodology.

  1. Creation of a Secure Software Development Life Cycle (sSDLC). Integrating the testing solution into the various stages of the development process (source repositories, build management servers and bug tracking tools, to name a few) leads to the creation of a secure SDLC.

    Security requirements are treated as checkpoints, and the build is halted as soon as vulnerabilities are found. The security team defines the thresholds that match its own requirements: for example, the build can be configured in advance to stop automatically whenever a scan reports a medium- or high-severity issue, with scans scheduled according to the company’s specific needs.

  2. Knowing exactly where to fix the vulnerability. DAST solutions cannot pinpoint the location of a flaw in the code, and pen testing leaves the tester to do all the hard work of tracing it manually. Source Code Analysis solutions locate the weak points in the code down to the file and line, thereby shortening and simplifying the remediation process. This becomes crucial in large projects, where tens or hundreds of flaws can be detected with each scan.
  3. Faster vulnerability remediation times. SCA can easily be integrated into the various stages of the Software Development Life Cycle (SDLC): developer IDEs, source repositories, build servers and bug tracking systems. Early detection and mitigation of vulnerabilities saves the company time, resources and maintenance costs.

    (Figure: Time is money when it comes to locating vulnerabilities. Courtesy: Ponemon Institute)

    As the figure shows, locating vulnerabilities during development has large financial benefits. SCA integrates security directly into the SDLC, often eliminating vulnerabilities before the code even reaches the build stage. Late detection results in costly production delays or resource-heavy maintenance.
  4. Full cloud language support. New programming languages have emerged recently for a wide variety of cloud computing scenarios. These require developers to write in the specific Platform-as-a-Service (PaaS) provider’s language, leaving them with no control over how the code is validated, compiled or executed. In such cases the source code is the only artifact the developer controls, so it is the only place where security can be enforced, which is where Source Code Analysis (SCA) solutions come into the picture.
  5. Improving coding standards. Source Code Analysis (SCA) is also effective for scrutinizing the general integrity of the application code. Common defects such as memory leaks, logic errors and anti-patterns can be spotted and fixed with the same methodology. This promotes healthy coding practices among developers, who gradually learn to build robust and stable applications with minimal flaws.
  6. Seamless integration into the developer environment.
    Some SCA solutions offer IDE plugins that make life easier for developers, who then do not have to deal with heavy third-party software installations and cumbersome maintenance procedures. Vulnerabilities are broken down and displayed within the developer’s natural working environment (Eclipse, IntelliJ, Visual Studio, etc.), literally bringing security analysis to their doorstep.

    Many SCA vendors’ IDE plugins also allow a project to be uploaded for scanning directly from the IDE. Developers can then visualize, break down and understand the problems in the code without leaving their work environment. Security awareness is raised, coding standards improve and developers are directly involved in the testing process. Because these plugins are lightweight and do not hog system memory, they are an effective way to put security analysis in front of developers.

  7. Support for Agile environments. Agile methodologies are being adopted by more and more software companies. SCA solutions integrate seamlessly into the Software Development Life Cycle (SDLC), allowing technology leaders to also act as security champions, so that security is not neglected even in scrum meetings.

    The organization can pre-define the level of security it expects from its developers. The build is broken immediately when vulnerabilities of “high” and/or “medium” severity are detected.

    Incremental scanning also helps speed up the security process in Agile environments. Unchanged pieces of code are not re-scanned, resulting in faster scans and shorter remediation times.

    Source Code Analysis eventually becomes the foundation of an efficient and collaborative platform for security analysis on various levels. Many SCA solutions allow the exporting of reports for offline scrutiny, something that leads to productive discussions between the developer teams and the security staff.
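The build-break policy from points 1 and 7, the exact file-and-line locations from point 2 and the incremental re-scan from point 7, put together in one small pipeline. This is an added example written for this edition; it is not the article’s or Checkmarx’s code. The call-name rules, the severity labels and the “medium or above breaks the build” threshold are illustrative assumptions, and the two-file project it scans is constructed for the demo.

```python
"""Toy source-code analysis pass plus CI build gate (added example, not the
article's or Checkmarx's code). The sink rules, severity labels and the
"break at medium or above" policy are illustrative assumptions; a real SAST
engine tracks data flow from untrusted sources to sinks, not call names."""
from __future__ import annotations

import ast
import hashlib
from dataclasses import dataclass

# Severity ranking used by the gate: a higher number is more severe.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Finding:
    path: str      # file the flaw was found in
    line: int      # 1-based line, the location an IDE plugin would jump to
    col: int       # 0-based column
    severity: str
    message: str

def _call_name(node: ast.Call) -> str | None:
    """Return 'eval', 'os.system', 'subprocess.run', ... for a call node."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None

def scan_source(path: str, source: str) -> list[Finding]:
    """Walk one file's AST and report dangerous sinks with exact locations."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        where = (path, node.lineno, node.col_offset)
        dynamic_arg = bool(node.args) and not isinstance(node.args[0], ast.Constant)
        if name in ("eval", "exec", "os.system") and dynamic_arg:
            findings.append(Finding(*where, "high",
                            f"{name}() with a non-constant argument (code/command injection)"))
        elif name in ("subprocess.run", "subprocess.call", "subprocess.Popen"):
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True for kw in node.keywords)
            if shell and dynamic_arg:
                findings.append(Finding(*where, "high",
                                f"{name}(shell=True) with a non-constant command (command injection)"))
        elif name == "pickle.loads":
            findings.append(Finding(*where, "medium",
                            "pickle.loads() on untrusted bytes executes arbitrary code"))
    return findings

def gate(findings: list[Finding], threshold: str) -> tuple[bool, list[Finding]]:
    """Build-break policy: fail on any finding at or above `threshold`."""
    limit = SEVERITY_RANK[threshold]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= limit]
    return (not blocking, blocking)

def files_to_rescan(files: dict[str, str], previous_hashes: dict[str, str]):
    """Incremental scanning: only files whose content hash changed get re-analysed."""
    hashes = {p: hashlib.sha256(s.encode()).hexdigest() for p, s in files.items()}
    changed = [p for p, h in hashes.items() if previous_hashes.get(p) != h]
    return changed, hashes

def run_pipeline(files, threshold, previous_hashes=None, previous_findings=()):
    """One CI run: select changed files, scan them, keep old findings, apply the gate."""
    changed, hashes = files_to_rescan(files, previous_hashes or {})
    # Findings in unchanged files are carried over, not re-derived. Dropping them would
    # let an old high-severity flaw pass the gate just because its file was untouched.
    findings = [f for f in previous_findings if f.path in files and f.path not in changed]
    for path in changed:
        findings.extend(scan_source(path, files[path]))
    passed, blocking = gate(findings, threshold)
    return {"scanned": changed, "findings": findings, "passed": passed,
            "blocking": blocking, "hashes": hashes}

# Constructed two-file "project" for the demo: handlers.py has three sinks on
# lines 3-5 fed straight from parameters; util.py is clean.
SAMPLE_FILES = {
    "app/handlers.py": "import os, subprocess, pickle\n"
                       "def run(cmd, blob):\n"
                       "    os.system(cmd)\n"
                       "    subprocess.run(cmd, shell=True)\n"
                       "    return pickle.loads(blob)\n",
    "app/util.py": "import hashlib\n"
                   "def digest(b):\n"
                   "    return hashlib.sha256(b).hexdigest()\n",
}

if __name__ == "__main__":
    result = run_pipeline(SAMPLE_FILES, threshold="medium")
    for f in result["blocking"]:
        print(f"{f.path}:{f.line}:{f.col}: {f.severity.upper()}: {f.message}")
    raise SystemExit(0 if result["passed"] else 1)  # non-zero exit breaks the build
```

Run as a script it prints three findings as path:line:col and exits 1, which is what a build server keys on; with threshold="high" the pickle finding is still reported but no longer blocks. A second run with the previous hashes and findings scans nothing and still fails, because the old findings are carried over; only after handlers.py is changed and comes back clean does the gate pass. Real engines hand results to the build through a report format such as SARIF rather than an in-process list, but the gate logic is the same.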

Technology research and advisory giant Gartner presented a worrying prediction at its Security and Risk Management Summit held in September 2014. Its research predicted that over 75% of mobile applications would fail basic security tests through 2015. In other words, application security still has a long way to go.

“Cyber-attacks have changed into targeted and financially motivated attacks. These have included SQL injection, cross-site request forgery (XSRF) and XSS, which are focused on manipulating applications and stealing or tampering with sensitive data,” Gartner stated in its 2014 Magic Quadrant for Application Security Testing report.

As this article has shown, the benefits of creating a secure SDLC with an SCA solution are many, and organizations must prioritize securing their application code. Application security is no longer an afterthought; only a proactive approach will minimize software vulnerabilities and, in turn, reduce cybercrime.


Sharon Solomon (@checkmarx) is a Content Manager at Checkmarx, a leading provider of Source Code Analysis (SCA) solutions to identify security vulnerabilities in web and mobile applications. It provides an easy and effective way for organizations to introduce security into their Software Development Lifecycle (SDLC) which systematically eliminates software risks and coding flaws.