Static Analysis for Security JUNE 2016 FABDULWAHAB.COM
Page 1: Static analysis for security

Page 2: Static analysis for security

Security is a Requirement

Testing code against common security risks to ensure quality before release (before an attacker gets access)

Helps implement best practices and prioritize the risks

Also called white-box testing or source code review

Page 3: Static analysis for security

Software developers are the first and best line of defense for the security of their code

Page 4: Static analysis for security

Types

Static

Analyzes the code before it runs

Automated by tools (they can also analyze binary code or bytecode, but with limitations)

Also includes code review by senior developers and professionals

Finds risks like business logic, exception handling and NULL issues

Dynamic

Analyzes the application's behavior while it runs

Automated by tools

Used when there is no code access or knowledge

Finds risks like XSS, injection or configuration issues

Better to go with both types (defense in depth)

Page 5: Static analysis for security

Development Process

Study past security errors and prevent them from happening in the future

All portions of the program must be secure

Best practices, training and skills are still needed

Whitelist vs. blacklist validation

Good design and good implementation need each other

Manual code review is very important, including configuration analysis

Page 6: Static analysis for security

Tools

The information security department focuses on dynamic analysis tools for pen testing

The development department focuses on static analysis tools, and sometimes also on dynamic analysis tools

In most cases, static analysis tools are integrated with the IDE

Tools have rules to validate the code, like searching for user inputs such as Request[] or searching for injection such as SQL Command in code …

Remember, running tools doesn't make the application secure

Page 7: Static analysis for security

False negatives are more troublesome than false positives
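As an added illustration of the rule-based checks described on the Tools slide and of the false-negative caveat above (example code written for this page, not part of the slides or of any named tool): a toy Python scanner that runs over a constructed C# fragment and flags Request[] input that reaches the text of a SqlCommand. Helper.GetName() is a hypothetical method the scanner cannot look inside, which is what produces the false negative.

```python
import re

# Constructed sample C# fragment (not from the slides): one real injection,
# one parameterised query, one benign concatenation and one indirect source.
SAMPLE_CS = """\
string name = Request["name"];
string sql = "SELECT * FROM Users WHERE Name = '" + name + "'";
var cmd = new SqlCommand(sql, conn);                        // tainted: injection
var safe = new SqlCommand("SELECT * FROM Users WHERE Name = @n", conn);
safe.Parameters.AddWithValue("@n", Request["name"]);        // parameterised: fine
string tbl = "Users";
var cmd2 = new SqlCommand("SELECT * FROM " + tbl, conn);    // constant: false positive
string who = Helper.GetName();                              // hypothetical: reads Request inside
var cmd3 = new SqlCommand("SELECT * FROM Users WHERE Name = '" + who + "'", conn);  // missed
"""

SOURCE_RE = re.compile(r"Request(?:\.(?:QueryString|Form|Params))?\[")   # user-input source
ASSIGN_RE = re.compile(r"^\s*(?:string|var)?\s*(\w+)\s*=\s*(.+?);")        # simple assignment
SINK_RE = re.compile(r"new\s+SqlCommand\s*\((.*?),")  # command text up to the first comma

def uses_tainted(expr, tainted):
    """True if any tainted variable name appears in the expression."""
    return any(re.search(rf"\b{re.escape(v)}\b", expr) for v in tainted)

def scan(source):
    """Return (line, severity, message) for every SqlCommand sink found."""
    tainted, findings = set(), []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split("//")[0]          # drop trailing comments
        m = ASSIGN_RE.match(code)
        if m:
            var, rhs = m.groups()
            # a variable becomes tainted when its RHS reads user input directly
            # or copies another tainted variable (simple intraprocedural taint)
            if SOURCE_RE.search(rhs) or uses_tainted(rhs, tainted):
                tainted.add(var)
        s = SINK_RE.search(code)
        if not s:
            continue
        arg = s.group(1)
        if SOURCE_RE.search(arg) or uses_tainted(arg, tainted):
            findings.append((no, "high", "user input reaches SqlCommand text"))
        elif "+" in arg:
            findings.append((no, "medium", "concatenated SqlCommand text, review"))
    return findings
```

scan(SAMPLE_CS) reports line 3 as high and lines 7 and 9 as medium: line 7 is the false positive (a constant table name) and line 9 is the false negative, because the taint entered through a method the scanner never sees.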

Page 8: Static analysis for security

Tools

Static analysis tool categories:

Type checking

Style checking (whitespace, naming, program structure …)

Program understanding (find all uses of this method or variable …)

Program verification and property checking (check against rules and specifications)

Bug finding

Security review

Page 9: Static analysis for security

Tools

Commercial/free

Open source

Support for development standards and compliance (PCI, ISO …)

Based on programming languages

Examples:

https://sourceforge.net/projects/visualcodegrepp/
https://sourceforge.net/projects/agnitiotool/
https://www.microsoft.com/en-us/download/details.aspx?id=6544
https://www.microsoft.com/en-us/download/details.aspx?id=19968
http://www8.hp.com/us/en/software-solutions/application-security/index.html
https://www.checkmarx.com/

https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html (list)

Page 10: Static analysis for security

Demo 01 – Visual Studio Code Analysis

Identify potential issues based on Microsoft's rules and best practices

http://nugetmusthaves.com/Tag/CodeAnalysis
http://fxcopaspnetsecurity.codeplex.com/
https://blogs.msdn.microsoft.com/hkamel/2013/10/24/visual-studio-2013-static-code-analysis-in-depth-what-when-and-how/

Page 11: Static analysis for security

Demo 02 – WCSA

To analyze the web.config

https://code.google.com/archive/p/wcsa/downloads

Page 12: Static analysis for security

References

https://www.owasp.org/index.php/Static_Code_Analysis

Secure Programming with Static Analysis (book), by Brian Chess and Jacob West