Given the visibility and vulnerabilities that make up many Web applications, I'm surprised to see that the underlying source code isn't being analyzed. Be it ignorance, lack of budget or anything in between, there's a lot that can come from performing this exercise in the name of reducing business risks.
Here are eight reasons for placing a higher priority on analyzing the source code of your Web applications:
- It's easy to do
Source code analysis sounds very technical and hands-on. Who outside of the techiest of all developers and IT byteheads wants to get involved with something like that? Actually, this difficulty factor is a myth. Once you get analysis tools installed (which happens to be the hardest part I've experienced), it's simply a matter of pointing them to the source files and clicking Go. The tools I've used are mature and chock-full of handy features that most anyone can use without expending too much brain power.
- High benefit and (relatively) low cost
I've yet to perform a source code analysis where the developers haven't come back and said, "Oh, I didn't think of that." In many cases, the vulnerabilities that source code analysis tools have found wouldn't have been discovered by developers in a million years but could be exploited at any minute by an attacker. Finding just one vulnerability easily justifies the few thousand dollars you'll spend on any tools you'll buy.
- Web applications are a prime target
Think about where Web applications are located. They're accessible to any and all. Both internal users and external attackers can connect and do bad things -- oftentimes even without a valid user account. Contributing to the problem is the fact that most attacks will go unnoticed even with logging enabled and basic log auditing taking place. There's just too much noise to keep up with. Finally, many Web applications are the entry point to all that makes up the business. There's so much accessibility and so much to lose.
- Security is as important as functionality and the user experience
It's funny how so many people -- testers, QA engineers, product managers and even upper management -- are often involved in making sure software is just right in the eyes of the customer. As long as the software does what it's supposed to do, that's all that really matters. But what about the security flaws that could impact the user on a grander scale? The priorities are shifting slowly, but the "requirement" of secure code is still not where it needs to be.
- Traditional security testing tools go only so far
I'm a firm believer that you've got to have good tools to find good vulnerabilities. I've also experienced how imperfect Web application vulnerability scanning tools can be. You often have to manually validate what the tools find and then some. But manual analysis is not going to uncover everything either. That leaves the third and final option -- auditing checklists. But we all know how little value those provide. You've got to look at the entire attack surface of your Web applications from all possible angles. That includes the source code.
- Enhanced development processes
A nice side benefit of source code analysis is that it will often uncover weaknesses in the software development lifecycle (SDLC) and broader problems with business processes that would otherwise go unnoticed. Plus, security integration earlier on will save time, effort and money for everyone involved.
- Competitive differentiation
A lot of people are talking about source code analysis. I don't buy into vendor hype, but I do listen when end users start talking about issues such as this. Apparently the need is growing. A lot of security assessment work is the result of a third party -- be it a customer, auditor or business partner -- asking for an independent view of software vulnerabilities. When the time comes for someone to ask, "How do I know your software is secure?" it will pay to have a good response and perhaps a source code analysis report to share with him.
- Compliance as a side effect
Be it meeting service-level agreements (SLAs), internal policies or the mish-mosh of industry and government regulations we're all up against, having higher-quality source code can help businesses meet their compliance and legal requirements. In fact, fixing the vulnerabilities in your Web applications could be the one thing that makes the business compliant or helps it look better on its next audit.
Arguably many businesses could benefit from certain financial gains as the result of growing the customer base, building trust and loyalty, and putting out more and more software. Those benefits come when they root out Web security problems where they often begin -- in the source code -- and create more secure and higher-quality software.
Consider giving source code analysis a whirl. Most tool vendors provide some sort of free trial of their products. It won't hurt to at least try it out to see what's uncovered. It may end up being the best thing you do to improve software quality and minimize security risks for some time to come.
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around IT compliance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels series of audiobooks. Kevin can be reached at firstname.lastname@example.org.
This was first published in October 2007