SCA
Knowledge | 3 February 2017 | Krzysztof Sadecki
Application security is at the centre of attention of most companies, alongside a substantial growth in cyber crime. Conventional prevention methods such as antivirus software and firewalls have become less effective because of the evolution of malware and the increasing skills of attackers. The belief that an application's security starts at its foundation, i.e. in its code, is becoming more common. Choosing the right solution for a particular project at its start can help you avoid many complications.
DAST (Dynamic Application Security Testing), i.e. black-box testing, is mainly carried out only at later project stages, and very often just before launch. This means that testing cannot take place at the beginning of the process, which makes the repair process long and expensive once errors are detected. The reason is that black-box testing cannot indicate the exact location of a flaw, which is the main disadvantage of this method.
In general, a penetration test consists in employing external security experts who actively test the application's security, trying to gain access to places where they should not be able to. Such an assessment uses penetration tests to see which application areas should be updated or modified, and because of its limited scope and high cost it is best treated as a complement to the security strategy. It then becomes clear that there is a lot of room for other solutions. This is where Static Application Security Testing (SAST) comes in. Source Code Analysis (SCA) consists in thorough scanning of the source code and has numerous advantages, both for companies and for their clients. This article mainly covers the advantages of analysing the source code at an early stage of a project.
A Secure Software Development Life Cycle (sSDLC) consists in integrating as many tests as possible at the various development stages (source code, repository, build servers, etc.). Here, all security requirements are treated as control points, and the software development process is stopped whenever gaps appear. Auditors always try to set standards, sometimes with very specific requirements.
For example, a given repository may be built automatically, but only when it is not being scanned. Most of these requirements are usually planned in advance and strictly tailored to the specific needs of a company.
Thanks to this approach, as soon as a defect is found we know its location and can correct it very promptly. Note that DAST solutions cannot pinpoint a defect's location, and a penetration tester usually does the hard work himself. A detailed analysis of the project sources enables fast localisation of the weak points in the code, which clearly facilitates and simplifies the process. This often becomes a key aspect, especially in large projects, where a single scan can produce hundreds or thousands of detected flaws.
Implementing SCA processes also enables faster remediation of all detected gaps. SCA can easily be included at each stage of the software life cycle: the process can be hooked into the developers' IDE, the repositories, the build servers and the bug-tracking systems. Early detection of gaps and their mitigation often rescues companies, reducing costs and saving resources.
As far as finding gaps in software is concerned, time is money. As shown above, the SCA process brings great financial benefits. SCA enables seamless integration of security into the SDLC process, often helping to neutralise gaps already at the development stage. Note that a delay in detecting a gap may result in expensive production delays or burden the process of maintaining resources at a particular level.
Unfortunately, all of us use computing clouds. New programming languages try to work closely with them and require developers to follow certain scenarios. They are mainly built around the requirements of a particular Platform-as-a-Service (PaaS), require the use of the provider's language and deprive us of control over parameters such as code validation, compilation and execution. In such cases, protection can be enforced by developers only by means of the application's source code.
Another advantage is an improvement in coding standards. Source code analysis is an effective tool for controlling the integrity of the application code. Typical mistakes made during coding, such as memory leaks, logical errors and the use of harmful patterns, can be promptly noticed and corrected. This promotes so-called good coding practices among programmers, who gradually learn to work reliably and to develop stable applications without bugs.
Most SCA tools integrate without problems with most IDEs, which makes programmers' work easier: they do not have to deal with installing third-party software and do not have to go through burdensome maintenance procedures.
Potential security gaps are detected and shown in the editor, which delivers the analysis results directly to the developer.
Numerous SCA plugins offer very quick submission of projects for scanning.
Programmers can then visualise, display or analyse potential gaps in the code without leaving their natural work environment. Note that this strengthens security awareness, improves coding standards and directly engages programmers in the analysis. Most of the available plugins are very lightweight and do not use much memory.
SCA also provides significant support for environments working in agile development, which many software developers have adopted. SCA solutions allow problem-free integration of SCA with the SDLC, which enables technology leaders to become security masters. In this way, the security aspect is not neglected even during the daily scrum. Thanks to this, we can assess, in relative terms, the security level of the organisation's code as produced by programmers.
Software development is usually stopped when gaps of high or medium priority are detected. Incremental scanning makes the scanning process easier: unchanged parts of the code are not re-scanned, so scanning is faster and the time needed to fix the software is shorter. Thus source code analysis becomes the basis of effective project management and a platform for cooperation on security analysis at various levels. Many SCA tools can export reports after a check, which leads to fruitful dialogue between programmers and the people responsible for security.
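As an added illustration (not code from the article, nor from any SCA vendor), the toy Python scanner below shows the three properties described above: it reports the exact file and line of a flaw, it skips files whose content hash has not changed between runs, and it acts as a control point that fails the build on high or medium findings. The single rule it implements, a query built from dynamic strings being passed to execute(), is a constructed stand-in for the SQL injection class the article names; the sample files and all names are assumptions.

```python
# Added example (not the article's or any vendor's code): a toy SCA scanner.
import ast
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    severity: str  # "high", "medium" or "low"
    message: str

def scan_source(path: str, source: str) -> list[Finding]:
    """Flag .execute(<query built by + / f-string / .format()>) with its exact line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            continue
        q = node.args[0]
        if isinstance(q, (ast.BinOp, ast.JoinedStr)) or (isinstance(q, ast.Call)
                and isinstance(q.func, ast.Attribute) and q.func.attr == "format"):
            findings.append(Finding(path, node.lineno, "high",
                                    "SQL built from dynamic strings (injection risk)"))
    return findings

class IncrementalScanner:
    """Caches results per (path, content hash) so unchanged files are skipped."""
    def __init__(self) -> None:
        self._cache: dict[tuple[str, str], list[Finding]] = {}
        self.files_analysed = 0  # real scans performed; shows the saving

    def scan(self, files: dict[str, str]) -> list[Finding]:
        results: list[Finding] = []
        for path, source in files.items():
            key = (path, hashlib.sha256(source.encode()).hexdigest())
            if key not in self._cache:
                self._cache[key] = scan_source(path, source)
                self.files_analysed += 1
            results.extend(self._cache[key])
        return results

def build_may_proceed(findings: list[Finding], block=("high", "medium")) -> bool:
    # sSDLC control point: the pipeline stops on any high or medium finding.
    return not any(f.severity in block for f in findings)

SAMPLE_FILES = {  # constructed sample input: one concatenated, one parameterised query
    "app/users.py": 'def get(cur, n):\n    cur.execute("SELECT * FROM u WHERE n=\'" + n + "\'")\n',
    "app/safe.py": 'def get(cur, n):\n    cur.execute("SELECT * FROM u WHERE n=%s", (n,))\n',
}
```

Running `IncrementalScanner().scan(SAMPLE_FILES)` twice analyses both files once and only re-analyses a file whose content changes; a real SCA tool applies the same caching idea to far richer analyses.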
A study conducted by Gartner showed alarming forecasts concerning mobile apps. It turns out that most mobile applications cannot pass basic security tests, so their developers still have a long way to go. Cyber attacks today are different and are focused on achieving the highest possible financial gain.
They mostly involve SQL Injection, Cross-Site Request Forgery and Cross-Site Scripting, which focus on manipulating applications or stealing and defrauding sensitive data.
As mentioned in this article, a combination of SDLC and SCA has numerous advantages, and organisations should treat protecting application code as a priority. Application security cannot be a secondary subject, and only an active attitude towards it allows minimisation of software gaps and of the opportunities for cyber criminals to operate.
Read this article in the Polish version: http://www.businessmantoday.org/sca/