Tip

Application security increased by static and dynamic code analysis

Integrating security measures into the software development life cycle (SDLC) is crucial Web application security

    Requires Free Membership to View

. One of these measures is source code analysis, which includes both static and dynamic analysis.

With increased reliance on the Web and the growth in Web application-based attacks, Bill Gates' call for companies to strive for excellence in security engineering at all stages of development was timely, if not overdue. In an effort to share best practices for developing secure code, Microsoft released their Security Development Lifecycle (SDL). SDL subjects products to static and dynamic code analysis to test for technical and logical vulnerabilities, and determine if products can withstand malicious attacks. Let's look at the benefits of adding this process to your application security strategy.

Security testing tools
Free Web application security testing tools 

Code analysis: Which tool is right for you?

Static analysis involves reviewing an application's source code without executing the application itself using automated tools that analyze what the code does during every potential program execution. This allows the programmers to create diagrammatic or graphical representations of the code, which gives them a better understanding of the executed code's effects. It is then necessary to have experienced developers analyze the results and examine any suspect source code to remove the coding errors. While program compilers only identify language rule violations, such as type violations and syntax errors, static analysis checks the source code for problems such as semantical errors that pass through compilers and result in problems such as buffer overflow, invalid pointer references, uninitialized variables and other vulnerabilities.

However, some problems are difficult to foresee during static analysis. Interaction of multiple functions can generate unanticipated errors, which only become apparent during component-level integration, system integration or deployment. Therefore, once the software is functionally complete, dynamic analysis should be performed. Dynamic analysis reveals how the application behaves when executed, and how it interacts with other processes and the operating system itself. While static analysis can find errors early in the software development life cycle, dynamic analysis tests the code in real-life attack scenarios.

Finding and fixing programming errors can be time consuming, but it is worth it. In fact, Gartner pegs the cost of removing security vulnerabilities during testing to be less than 2% of the cost of removing it from a production system. To help you streamline this process, there are numerous code analysis tools available -- many of which are free [see "Security testing tools" sidebar for more]. There's a comprehensive list of tools, including metric and lint-like (tools that flag suspicious language usage) available at http://testingfaqs.org/t-static.html. If you use Microsoft's development environments, Microsoft offers several free code analysis tools, such as PREfix, PREfast and FxCop.

While including static and dynamic code analysis in an application security strategy can reduce the risk of vulnerabilities making it into the final version, the following can help you improve the overall quality and security of your applications as well:

  1. Develop and implement an application security life cycle. Having an application security life cycle in place can reduce the cost of eradicating vulnerabilities and make your efforts more effective. For example, Microsoft found that using their SDL has significantly reduced the rate of external discovery of security vulnerabilities.

    Code analysis and app security
    Static Analysis as Part of the Code Review Process -- Secure Programming with Static Analysis 

    How static analysis can improve software security 

    How source code analysis improves application security 
  2. Move your security assessment phase into the development phase. Many developers have found that doing so actually reduces overall application development times.

  3. Repeat the security assessment process when the business logic in the application changes. This is necessary to evaluate the impacts of any changes on overall application security.

--------------------------------
About the author: Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.

This tip originally appeared on SearchSecurity.com.


This was first published in May 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.