As application security becomes a bigger priority in software development, new code scanners and penetration tests are being developed by app security vendors.
In the past, when it came time to test custom code, organizations were limited by their purse strings and the clock. Manual code analysis and
Historically, companies have had few viable and financially reasonable methods to secure their applications. Security boutiques such as Foundstone, @Stake and Aspect, or powerhouses the likes of CSC, Ernst & Young and IBM, can be consulted throughout the security development lifecycle. The typical range of services includes source code security audits, architecture reviews, library development, training and both white box and black box application penetration tests. While nothing is quite as valuable as an expert, neutral third-party perspective, cost is more often than not the deterrent to employing such services. Expect to pay $200-300 per hour for a security boutique expert, and do NOT hesitate to ask for references and a bio.
Around the 2000-2001 timeframe, software companies started to emerge in the application assessment space. Most were designed to automate the remote assessment of commercial products such as IIS, Apache, Oracle and Domino. However, a few began creating the next wave of assessment technology, aimed at accurately identifying weaknesses in constantly evolving, custom Web application environments. Santa Clara, Calif.-based Sanctum and New York, NY-based AppSecInc. are considered thought leaders and at a minimum should be evaluated as a complementary solution when deploying or securing your Web environments. Beware: cost may be an issue here, too.
Gloriously, a new light at the end of the tunnel for cost-effectively improving application security is here. Commercialized source code scanners are quickly providing analysis of code. While most of these products look for issues similar to those found by their basic freeware counterparts RATS and Flawfinder, a few are adding aesthetically pleasing interfaces, lowering false positives and providing deeper cross-file security insights.
Waltham, Mass.-based Ounce Labs offers Prexis, a powerful and easy-to-use suite of products that aim to help identify vulnerabilities before they reach production. Through a complex suite of technologies built on top of a patent-pending contextual analysis engine, Prexis aims to find vulnerabilities within uncompiled applications or source code. Contextual analysis is the act of determining whether an implemented system call is truly vulnerable. Prexis does this by inferring the individual roles of, and the interrelationships between, the system calls, data elements, modules, processes and links. Naturally, this approach aims to help developers secure their applications and hopefully thwart malicious attempts by the bad guys.
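As an added illustration of the difference between pattern matching and contextual analysis (this is example code written for this column, not Ounce Labs' code and not how the Prexis engine actually works), the toy Python scanner below reports a `strcpy`/`strcat`/`sprintf` call only when its source argument carries data that flows, through assignments, from an untrusted input function. The C snippet, the taint-source list and the sink list are all constructed assumptions.

```python
import re

# Constructed sample C source (not from the column). Of the three strcpy calls,
# only line 5 copies environment-controlled data into a fixed-size buffer.
SAMPLE_C = """
char name[32];
char greeting[64];
char *raw = getenv("USER_NAME");
char *copy = raw;
strcpy(name, copy);
strcpy(greeting, "Hello, world");
char *fixed = "static text";
strcpy(name, fixed);
"""

# Assumed lists: functions whose return value is attacker-influenced, and
# unbounded copy APIs that a pattern scanner would flag on sight.
TAINT_SOURCES = {"getenv", "gets", "fgets", "recv", "read", "scanf"}
RISKY_SINKS = {"strcpy", "strcat", "sprintf"}
ASSIGN_RE = re.compile(r"^(?:char\s*\*?\s*)?(\w+)\s*=\s*(.+?);$")
CALL_RE = re.compile(r"^(\w+)\((.*)\);$")

def pattern_scan(src):
    """Flawfinder/RATS-style scan: report every call to a risky API."""
    findings = []
    for lineno, line in enumerate(src.strip().splitlines(), 1):
        m = CALL_RE.match(line.strip())
        if m and m.group(1) in RISKY_SINKS:
            findings.append((lineno, m.group(1)))
    return findings

def contextual_scan(src):
    """Contextual scan: report a risky call only when one of its source
    arguments is tainted, i.e. was assigned (directly or via another
    tainted variable) from an untrusted input function."""
    tainted, findings = set(), []
    for lineno, line in enumerate(src.strip().splitlines(), 1):
        line = line.strip()
        m = ASSIGN_RE.match(line)
        if m:  # propagate taint through simple assignments
            var, rhs = m.groups()
            ident = re.match(r"(\w+)", rhs)
            if ident and ident.group(1) in TAINT_SOURCES | tainted:
                tainted.add(var)
            else:
                tainted.discard(var)  # a string literal or clean value
            continue
        m = CALL_RE.match(line)
        if m and m.group(1) in RISKY_SINKS:
            args = [a.strip() for a in m.group(2).split(",")]
            if any(a in tainted for a in args[1:]):
                findings.append((lineno, m.group(1), args[0]))
    return findings
```

Running both scanners over `SAMPLE_C` shows the pattern scan reporting all three `strcpy` calls while the contextual scan reports only the copy of `getenv` output into `name`; the two extra pattern-scan hits are exactly the false positives the column says contextual engines aim to remove.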
With commercial code-testing products like Prexis you should always have at least one leg up on an attacker, since you have access to, and can review, your own source code at any time. From a technological perspective, accurate and robust source code scanning is far more difficult than network scanning; yet if successful, source-code scanning will uncover vulnerabilities that all network-based scanners miss. At the time of writing this column, Nessus, ISS and Qualys could not detect custom buffer overflow or SQL injection vulnerabilities within distributed Web applications, both of which are on The Open Web Application Security Project's (OWASP) Top 10 list.
At the heart of Prexis' core business model is its coined and trademarked V-Density scale. When an application is analyzed with Prexis' contextual-analysis engine, it receives a corresponding V-Density score based on the lines of code relative to the number, severity and types of the vulnerabilities that were identified.
Ounce Labs' drill-down technology quickly identifies and graphically displays the areas of the application most in need of security attention. This allows developers, management and quality engineers to budget time more effectively for security remediation efforts. Going forward, it may also aid in the upfront allotment of security time required for any new release of software.
Currently, the majority of commercial applications in existence are written in C and C++. However, this is a quickly changing metric with the continued development and global championing of Web-based environments. The Prexis 2.0 engine can quickly analyze C and C++ for Windows and for native Unix and Linux environments, and will gain the ability to analyze Java in its upcoming 2004 3.0 debut.
Ounce is also leveraging its product suite as an executive management assistance tool that can be used to compare projects and code written by outsourcers, in-house developers and the open source community. This is a novel idea that could, even at a high level, help determine who the best developers are and, more importantly, help identify your in-house weaknesses.
Prexis' pricing model reflects its enterprise focus. You can get the suite of software with everything you need to get testing for approximately $100k for twenty enterprise applications, making this an investment of $5k per application.
Even though the concept of source-code scanning is not what we'd consider a bleeding-edge technology, multiple companies have recently entered the market, including Menlo Park, Calif.-based Fortify Software, Sunnyvale, Calif.-based HBGary and even Cambridge, Mass.-based @Stake.
Prexis and its growing list of competitors may be able to help you and your team reach the honorable goal of communicating to your executives and VCs the precious words of "we are on time, under budget and secure."
About the author
James C. Foster is the Deputy Director of Global Security Solution Development for CSC. Prior to joining CSC, Foster was the Director of Research and Development at Foundstone, subsequent to working at Guardent (acquired by Verisign) and the Department of Defense. A well-published author, Foster has been seen in Hacking Exposed 4th Edition, Snort 2.0 and 2.1, Hacking the Code, Special Ops Security, and Intrusion Detection and Prevention. Foster has an AS, BS and MBA and is currently a Fellow at the University of Pennsylvania's Wharton School of Business.
This was first published in December 2005.