When it comes to application security, traditional pen testing is not enough, and source code reviews tell only part of the story. Fear not: Hybrid security analysis, which combines both static source code analysis and dynamic analysis during application runtime, can help.
To understand hybrid security analysis, it helps to think about an application's "attack surface," a term that Microsoft helped make popular through its security initiatives that started nearly a decade ago. This concept has grown in importance, especially as it relates to application security. The question has become: Are you truly securing the entire attack surface of your applications?
Static analysis takes two forms: manual code reviews (which I don't recommend, given the complexity of the task and the likelihood of oversights) and automated static source code analyzers, which can examine some or all of the code without running it. Looking at an application from a static perspective can reveal numerous issues, but you never know exactly how software is vulnerable until you see it in its final, running form.
Dynamic analysis addresses this gap by building and executing the application and observing its behavior at runtime, with real inputs, configuration and dependencies in place. Dynamic analysis also includes the more familiar Web vulnerability scanners. The real value of a hybrid approach that uses both static and dynamic methods is that it finds the greatest number of security flaws that matter in your particular situation: knowing the source code and the flaws at that level gives you context for how the application can be manipulated in a dynamic, real-world setting, and the runtime results tell you which static findings are actually reachable and exploitable. Together they let you test the entire application across its full and true attack surface.
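To make the static/dynamic distinction concrete, here is an added example (not code from the original article and not any vendor's product) that runs both passes over a small, constructed sample application and correlates the results. The static pass walks the Python AST and flags database `execute()` calls whose query is assembled with `%` formatting, concatenation or an f-string; the dynamic pass loads the same source, seeds an in-memory SQLite database, calls each lookup with an injection payload and checks whether rows come back for a name that matches no user. The sample source, the `find_user_*` function names and the payload are all constructed for illustration.

```python
import ast
import sqlite3

# Constructed sample application (assumption: not from the article). One lookup
# builds SQL with string formatting, the other uses a bound parameter.
SAMPLE_SOURCE = '''
def find_user_unsafe(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '%s'" % username)
    return cur.fetchall()

def find_user_safe(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (username,))
    return cur.fetchall()
'''


def static_findings(source):
    """Static pass: flag every .execute() call whose first argument is built
    with % formatting, + concatenation or an f-string. Nothing is executed.
    Returns a list of (function_name, line_number) suspects."""
    findings = []
    tree = ast.parse(source)
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args):
                continue
            arg = node.args[0]
            built_at_runtime = (
                (isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Mod, ast.Add)))
                or isinstance(arg, ast.JoinedStr)
            )
            if built_at_runtime:
                findings.append((func.name, node.lineno))
    return findings


def dynamic_findings(source, payload="' OR '1'='1"):
    """Dynamic pass: load the source, seed a throwaway SQLite database with two
    users, and call every find_user* function with an injection payload.
    The payload matches no real user, so any returned rows confirm that the
    query was manipulated. Returns {function_name: exploitable?}."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    results = {}
    for name, obj in namespace.items():
        if callable(obj) and name.startswith("find_user"):
            results[name] = len(obj(conn, payload)) > 0
    conn.close()
    return results


def hybrid_report(source):
    """Correlate the two passes. A static suspect the probe triggers is
    'confirmed'; a static suspect the probe cannot trigger still 'needs manual
    review' (the payload may simply be wrong for that sink); a runtime hit with
    no static finding is 'missed by static'; everything else is 'clean'."""
    suspects = {name for name, _ in static_findings(source)}
    exploitable = dynamic_findings(source)
    report = {}
    for name in suspects | set(exploitable):
        if name in suspects and exploitable.get(name):
            report[name] = "confirmed"
        elif name in suspects:
            report[name] = "needs manual review"
        elif exploitable.get(name):
            report[name] = "missed by static"
        else:
            report[name] = "clean"
    return report


if __name__ == "__main__":
    for func, verdict in sorted(hybrid_report(SAMPLE_SOURCE).items()):
        print(f"{func}: {verdict}")
```

The point of the third function is the one the article is making: neither pass alone gives you the full picture. The static pass would still flag a `%`-formatted query even if the value came from a trusted constant, and the dynamic pass would miss a sink that the single payload happens not to trigger; only the correlation tells you which findings are real, which need a human, and which the static tool never saw.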
There are numerous tools such as Armorize CodeSecure and HP Fortify Static Code Analyzer, among others, which developers and QA professionals can run internally to accomplish these goals. Other vendors such as Veracode and Checkmarx also offer cloud-based solutions, which is where the industry appears to be headed. Of course, there are traditional Web vulnerability scanners, such as WebInspect, NTOSpider and Acunetix Web Vulnerability Scanner. These scanners provide the external attack surface perspective as well, which can be a part of hybrid analysis.
Integrating hybrid analysis into the SDLC
A common question is how software teams integrate hybrid analysis into the software development lifecycle (SDLC). I've heard claims that it is easier to find security flaws and subsequently plug the holes after the fact than to overhaul the entire SDLC. I disagree. Sure, it'll take some effort and money to get the momentum going, but it can be well worth it. Why not get started now? The developers I interact with would love to have these security tools at their disposal, but I don't see them being used very often. In fact, the only people I know using such tools are security professionals, and that's not enough.
Ultimately, you'll need to do what's best for your specific business needs. Just know that you don't have to wait until everything is "just right" to begin. With hybrid analysis, you'll come as close as you can to leaving no stone unturned. There is one caveat, though: every source code analyzer and every vulnerability scanner (literally every single one) will find a different set of problems with your applications. That is why you should run more than one tool of each kind when performing software security tests.
We have a dangerous dependence on IT auditing to ensure everything is in check with our applications. Organizations that rely solely on checklist audits that don't focus on what really counts, high-level vulnerability scans that provide minimal value, and cloud vendors to do all the legwork are delusional. They're setting themselves, their applications and their businesses up for failure.
Look at your most critical applications from every possible angle. There is no one best method for software security testing. Hybrid analysis -- which goes beyond pen testing and static analysis -- is the only way to go if you're going to do it right.
This was first published in April 2013