SAST (also called “white box testing”) is the basic form of security testing for application development. It involves the hard work of examining the actual un-compiled application source code to see if and where security vulnerabilities exist. This form of security testing works from the inside out. According to Gartner, SAST should be a mandatory requirement for all application development. Gartner notes that 80 percent of attacks are aimed at the application layer. SAST analysis is one of the best ways to ensure application security.
The kinds of defects that cause vulnerabilities include:
- “Race Conditions” – poor synchronization between multiple threads that can cause a program never to terminate or never to return from some form of logic or control.
- Input Validation Defects – Security problems caused by trusting user identity and parameter input that has not been validated, which can lead to security violations.
- Exceptions — Poor handling of events that disrupt the normal flow of code.
- SQL Injection — Code defects that allow outsiders to embed SQL commands in user-provided parameters.
- Buffer Overflows — Failure of the developer to specify bounds for array and pointer references (this has to be done manually in C and C++).
- Stack Overflows — Code vulnerabilities caused by careless use of data buffers.
- Integer Overflows — Using unsafe integer operations. Placing an integer value in a storage space that is not big enough to contain the integer’s binary representation.
Advantage Number 1
SAST tools such as Source Code Analysis can detect high-risk software vulnerabilities such as SQL injection, which would affect the system through the life of the software; buffer overflows, which could disable the system; and cross-site problems like cross-site scripting and cross-site request forgery. SAST tools will detect all of the Open Web Application Security Project (OWASP) Top 10 security risks.
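To make concrete what a SAST tool actually does with un-compiled source, here is an added example (not code from any SAST product mentioned on this page) of a single static-analysis rule written with Python's standard `ast` module. It walks a program's syntax tree and flags the SQL injection pattern from the defect list above: a query assembled at runtime from user-supplied values (string concatenation, `%`, `.format()` or an f-string) that reaches a database `execute()` call. The sample source it scans is constructed inline, and the function names in it are assumptions.

```python
"""Toy SAST rule: report SQL built with string formatting and passed to execute().

Added illustration, not a vendor's code. Limitations are deliberate: the
variable tracking is flow-insensitive and does not follow values across
function boundaries, which is exactly the kind of gap a real tool's
data-flow engine exists to close.
"""
import ast
from dataclasses import dataclass

# Cursor methods treated as SQL sinks (names assumed from the DB-API convention).
SQL_SINKS = {"execute", "executemany", "executescript"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime (f-string, %, +, .format)."""
    if isinstance(node, ast.JoinedStr):                       # f"...{x}..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x  or  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "...".format(x)
    return False


class SqlSinkVisitor(ast.NodeVisitor):
    """Collects variables holding dynamically built strings, then checks sinks."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []
        self.dynamic_names: set[str] = set()

    def visit_Assign(self, node: ast.Assign) -> None:
        # Remember names such as  q = "SELECT ... " + name
        if _is_dynamic_string(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.dynamic_names.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SQL_SINKS and node.args:
            query = node.args[0]
            tainted = _is_dynamic_string(query) or (
                isinstance(query, ast.Name) and query.id in self.dynamic_names
            )
            if tainted:
                self.findings.append(Finding(
                    "SQLI", node.lineno,
                    f"{func.attr}() receives a query built by string formatting; "
                    "use a parameterised query instead"))
        self.generic_visit(node)


def scan_source(src: str) -> list[Finding]:
    """Parse Python source text and return the findings of the SQLI rule."""
    visitor = SqlSinkVisitor()
    visitor.visit(ast.parse(src))
    return visitor.findings


# Constructed sample program: two injectable variants and one safe, parameterised one.
SAMPLE = '''
def find_user_concat(cur, name):
    q = "SELECT * FROM users WHERE name = '" + name + "'"
    cur.execute(q)

def find_user_fstring(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")

def find_user_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):   # reports lines 4 and 7, not the safe call
        print(f"line {finding.line}: [{finding.rule}] {finding.message}")
```

The rule fires on both injectable functions and stays silent on the parameterised one, which is the behaviour a developer sees in the IDE long before the code is compiled or deployed.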
Advantage Number 2
SAST systems can be applied early in the software development cycle because they look at the code before it is compiled and warn of weak spots. It would be up to 100 times more expensive to fix the code after the application was compiled. By detecting security defects early, as opposed to testing right before release or in post-production, high-risk issues can be resolved without having to break the application build. The security testing can be run throughout the software development lifecycle, minimizing the risk of allowing vulnerabilities to get through to the released application and reducing the risk that hackers can get into the application.
Advantage Number 3
SAST tools can easily integrate into an already established process in an organization’s software development lifecycle. They will work within an integrated development environment, work with bug trackers, source repositories, and other testing tools. The smooth interfacing will further ensure that security testing is consistent and thorough.
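Running a scanner on every commit only works if its output becomes a clear pass/fail decision that the build pipeline can act on. The following added example (my own illustration, not part of any SAST product or of this article) shows the gate logic that sits between the scanner and the bug tracker or CI job: findings are fingerprinted, previously accepted findings listed in a baseline are tolerated so that adopting the tool does not break every existing build, and only new findings at or above a severity threshold fail the gate. The finding record shape, severity names and sample findings are assumptions constructed for the example.

```python
"""Build gate for SAST findings with a baseline of accepted issues (added example)."""
import hashlib

# Assumed severity scale; a real tool's scale would be mapped onto it.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding: dict) -> str:
    """Stable identity for a finding: rule + file + offending snippet.

    The line number is left out on purpose, so that unrelated edits that move
    code around do not turn an already-accepted finding into a "new" one.
    """
    h = hashlib.sha256()
    for part in (finding["rule"], finding["file"], finding["snippet"].strip()):
        h.update(part.encode("utf-8"))
        h.update(b"\0")
    return h.hexdigest()[:16]


def gate(findings: list, baseline: set, fail_at: str = "high") -> dict:
    """Split findings into known/new and decide whether the build passes.

    Returns a dict so a CI step can both fail the job and file the blocking
    findings with the bug tracker; nothing is printed here.
    """
    threshold = SEVERITY_RANK[fail_at]
    known, new = [], []
    for f in findings:
        (known if fingerprint(f) in baseline else new).append(f)
    blocking = [f for f in new if SEVERITY_RANK[f["severity"]] >= threshold]
    return {"passed": not blocking, "blocking": blocking, "new": new, "known": known}


# Constructed sample output of a scanner run (hypothetical files and snippets).
KNOWN_FINDING = {
    "rule": "BUFFER_OVERFLOW", "severity": "high", "file": "legacy/parse.c",
    "snippet": "strcpy(buf, input);",
}
SAMPLE_FINDINGS = [
    KNOWN_FINDING,
    {"rule": "EXCEPTION_SWALLOWED", "severity": "medium", "file": "app/jobs.py",
     "snippet": "except Exception: pass"},
    {"rule": "SQLI", "severity": "high", "file": "app/users.py",
     "snippet": 'cur.execute("SELECT * FROM users WHERE name = \'" + name + "\'")'},
]
# Baseline recorded when the scanner was first adopted: the legacy C issue is
# accepted for now and tracked separately; it must not block every build.
BASELINE = {fingerprint(KNOWN_FINDING)}

if __name__ == "__main__":
    result = gate(SAMPLE_FINDINGS, BASELINE)
    print("build passed:", result["passed"])           # False: the new SQLI is high
    for f in result["blocking"]:
        print("blocking:", f["rule"], f["file"], fingerprint(f))
    raise SystemExit(0 if result["passed"] else 1)
```

The exit code is what the CI job reacts to; the returned structure is what gets pushed to the bug tracker. Keeping the two apart is what lets the same gate run unchanged from an IDE plug-in, a pre-commit hook or a nightly pipeline.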
Advantage Number 4
The United States government demands that agencies who lease or wish to lease to federal agencies implement a threat assessment program that conforms to the Interagency Security Committee standard. The threat assessment is entirely external and looks at possible sources of cyber threat in the building and surroundings. The mandated vulnerability assessment is aimed at reducing the external sources of threat.
Generally, the term threat assessment is defined as “agents that violate the protection of information assets” [US-CERT, United States Computer Emergency Readiness Team]. Although the emphasis is on seeking and eliminating external threat, US-CERT does recognize the importance of “Code Analysis,” “White Box” or “Black Box” Code Analysis Tools to manage risks. The advantage of SAST tools is that the code analysis can be done in a way that is seamlessly integrated with software development.
The conventional threat assessment does not attempt to eliminate the weaknesses inherent in the software. If the software were initially designed without vulnerabilities it would be inherently resistant to all threats. Use of SAST tools in the design of software should be mandated as the ultimate device to remove the threat of external interference to software.
Advantage Number 5
SAST software is relatively fast without cutting corners. There are several methods for conducting source code reviews. In the top-down approach, the auditor examines the source code for certain types of vulnerabilities without bringing to bear any understanding of the specifics of how the program functions. This approach may be useful in some cases but any vulnerability requiring knowledge of the program’s deep architecture will be missed. The bottom-up approach incorporates a deep knowledge of the way the program works. This approach is relatively thorough but very time consuming and expensive.
In general, manual auditing of the code for security vulnerabilities can be very time-consuming. The auditor must really understand what security vulnerabilities look like before they can rigorously examine the code.
SAST tools compare favorably to manual audits because:
- They are faster.
- They can be used to examine code more frequently.
- They can encapsulate security knowledge without requiring the same level of security expertise from the human operator.
No Longer an Afterthought
Application security was not given a lot of attention until a few years ago, when cybercrime rose exponentially. Increased malicious activity forced organizations to pay more attention to the vulnerability of software. Penetration testing, application security testing and web application firewalls were widely recognized security methods for a long time; nowadays they are used as processes that complement the two most popular solutions in use today, SAST testing and “black-box” or Dynamic Application Security Testing, referring respectively to:
- Molecular examination of code to find vulnerabilities.
- Testing of developed software under a range of threat conditions to see if it is vulnerable.
Studies of these two testing methodologies show that:
- The average vulnerability assessment has a 5 percent probability of detecting vulnerabilities.
- Scans have a 2 percent probability of detecting vulnerabilities.
- Black Box testing has an 18 percent probability of detecting client-side vulnerabilities, but only a 5 percent probability of detecting server-side vulnerabilities.
- White Box (SAST) testing has an 86 percent probability of detecting client-side vulnerabilities and a near certainty of detecting server-side vulnerabilities.
Scanning and testing small applications is usually straightforward and doesn’t require a lot of flexibility from the security methods. However, today’s major applications usually involve thousands or even millions of lines of code. These projects could require tens or even hundreds of developer teams to build them. The problem with these large projects is that they generate huge numbers of errors. Any organization which uses inaccurate or inadequate security tools will have to hire personnel to mop up the errors.