© Solared Cyber Security

https://appscreener.us [email protected]

Solared APPscreener White paper v 3.0 05-2017


Table of Contents

CHALLENGE ..................................................................................................... 2

HOW TO REDUCE CODE VULNERABILITY EXPLOITATION RISKS ............................................ 2

SOLUTION DESCRIPTION ................................................................................ 3

REPORTING SYSTEM ............................................................................................ 4

ANALYSIS SYSTEM .............................................................................................. 5

SOLARED APPSCREENER INTEGRATION OPTIONS .......................................................... 6

SOLARED APPSCREENER BENEFITS .......................................................................... 7

CASE STUDIES ................................................................................................ 8

CASE 1. PROMPT VULNERABILITY BLOCKING ............................................................... 8

CASE 2. LEGACY SYSTEM CHECK ............................................................................. 8

CASE 3. CONTROL OVER DEVELOPERS ...................................................................... 8

REGULATORY COMPLIANCE ............................................................................ 8


Challenge

Although code vulnerability issues are no longer a novelty, they were somewhat neglected by cybersecurity officers while most software was running within corporate LANs and was inaccessible to external users. Moreover, cybersecurity teams had to address much more pressing challenges, such as perimeter security, access management, leakage and virus protection, etc. However, the development of remotely accessible services has totally changed the game:

Online services and apps are commonly used and available to any company's prospective customers

Growing number of business systems accessible to remote employees

Blurred network perimeter, making software the only security layer

Dramatically increased risk of exploitation of software code vulnerabilities

In other words, software code vulnerabilities now directly affect the security of systems, critical information, and sometimes revenue, especially with regard to online services and apps.

This is why Application Security is now no less important than other cybersecurity practices. However, application security is a relatively new concept for Chief Information Security Officers, and no best practices are available yet in this area, mainly due to the fact that information security and software development teams speak different languages.

Developers are committed to writing code on time, minimizing bugs, and meeting business needs, with only a few operating in line with the secure development lifecycle (SDLC), while most cybersecurity officers would struggle to even specify secure development requirements. As a result, application security is neglected, with more than 45% of attacks exploiting software vulnerabilities, according to our statistics. The most common attacks include:

SQL Injection

Buffer Overflow

Cross Site Scripting

Insecure Configuration

How to reduce code vulnerability exploitation risks

In order to prevent or minimize incidents related to code vulnerabilities:

Regularly analyze the security level of software code developed both within the company and by external contractors

Take compensating measures to address revealed vulnerabilities as fast as possible

Ensure code correction by developers to eliminate vulnerabilities in the code itself

Thus, end-to-end security in a medium-sized or large company requires an SDLC to be implemented and powered by an easy-to-use tool.


Solution description

If you are looking for such a tool, keep your eyes out for Solared APPscreener, which combines reporting and analysis systems, the latter including several functional modules (Figure 1).

Figure 1 Solution architecture

Solared APPscreener is a real asset when you need to:

Sell goods and services online, provide online banking, personal account functionality, mobile e-commerce, and other online services to external users

Check apps for vulnerabilities and backdoors left by developers even if the source code is unavailable

Comply with PCI DSS, OWASP, HIPAA requirements in terms of software code analysis

Strengthen the authority and influence of information security function with regard to both in-house and third-party developers

Properly and promptly set up Web Application Firewalls


Reporting system

The Solared APPscreener reporting engine offers the following functionality:

Provision of recommendations for both information security and development teams:

Information security-specific reporting includes detailed recommendations on how to eliminate revealed vulnerabilities (including description of exploitation methods) and configure Web Application Firewalls (Figure 2). Such recommendations are useful when there is a need to prevent vulnerability exploitation even BEFORE any code correction.

Development-specific reporting describes vulnerabilities in detail, refers to vulnerable fragments of the code, and recommends how to modify the code to remove such vulnerabilities.

Continuous updating of knowledge bases containing vulnerability signatures and safeguard recommendations

Multi-format export of reports

Figure 2 Protection tool setup recommendations

Solared APPscreener has a straightforward and user-friendly interface based on a simplified logic, which does not require deep technical expertise to interpret scan findings (Figure 3). Users can use the GUI or run the solution from a command line.


Figure 3 Solared APPscreener interface

Analysis system

Static Application Security Testing (SAST)

Detect and eliminate vulnerabilities as early as possible thanks to the integration of the testing function into the existing development cycle.

Production SAST (prodSAST)

Scan already released apps with SAST whether you have the source code or just binaries or executables: it is never too late to check with Solared APPscreener prodSAST.

Dynamic Application Security Testing (DAST)

Use dynamic scanning to find out how vulnerable your app is. The black-box method is ideal for the analysis of running apps.

Interactive Application Security Testing (IAST)

Combine SAST with DAST to reveal covert vulnerabilities.

Mobile Application Security Testing (mAST)

Maximize confidence in your mobile app security via the simple-to-use Solared APPscreener analysis tool.

Code analysis technologies

Solared APPscreener is based on two technologies:

Decompilation, i.e. reconstruction of source code from executables

Source code analysis, including lexical and semantic aspects

Semantic analysis should never be underestimated, since most code vulnerabilities are not lexical errors in individual instructions, which a lexical analyzer can detect, but errors in the sequence of instructions. To discover such errors, you must first understand how these instructions will be executed and what their outputs will be. The only way to gain such an understanding is semantic analysis, which builds an execution model of the program.
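As an added example (not part of the white paper or of Solared's product), the following Python script contrasts a lexical, regex-based check with a small flow-sensitive analysis over the program's AST: the semantic pass tracks untrusted data from an assumed source (`request.args.get`) through assignments and string concatenation to an assumed SQL sink (`cursor.execute`), so it flags the concatenated query but not the parameterized one. The inspected sample program is constructed for the demo.

```python
import ast
import re

# Constructed sample: q1 is concatenated from untrusted input (real SQL injection),
# q2 is parameterized and passes the same input safely as a bound parameter.
SAMPLE = '''
user = request.args.get("user")
q1 = "SELECT * FROM t WHERE u = '" + user + "'"
cursor.execute(q1)
q2 = "SELECT * FROM t WHERE u = ?"
cursor.execute(q2, (user,))
'''

SOURCE_CALLS = {"request.args.get", "input"}  # assumed untrusted-input sources
SINK_CALLS = {"cursor.execute"}               # assumed SQL sink

def lexical_scan(src):
    """Token-level check: flags every line mentioning execute(), blind to where
    the query text came from (one true positive, one false positive)."""
    return [n for n, line in enumerate(src.splitlines(), 1)
            if re.search(r"\bexecute\(", line)]

def _name(node):
    """Dotted name of a call target, e.g. 'request.args.get'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _name(node.value) + "." + node.attr
    return ""

def semantic_scan(src):
    """Flow-sensitive check: walks statements in execution order, propagates taint
    through assignments and concatenation, flags a sink only if its query is tainted."""
    tainted, findings = set(), []
    def is_tainted(expr):
        if isinstance(expr, ast.Name):
            return expr.id in tainted
        if isinstance(expr, ast.Call):
            return _name(expr.func) in SOURCE_CALLS
        if isinstance(expr, ast.BinOp):  # "..." + user + "..."
            return is_tainted(expr.left) or is_tainted(expr.right)
        return False  # literals and unmodelled expressions are treated as clean
    for stmt in ast.parse(src).body:
        if isinstance(stmt, ast.Assign) and is_tainted(stmt.value):
            tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if _name(call.func) in SINK_CALLS and call.args and is_tainted(call.args[0]):
                findings.append(stmt.lineno)
    return findings
```

The lexical pass reports lines 4 and 6, while the semantic pass reports only line 4; the difference is exactly the false positive that only an execution model can rule out.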


Production SAST!

DAST is widely adopted by waterfall software development teams and is typically used after an app's production release. At this stage, it is often difficult or even impossible to obtain the source code from developers. Although DAST has much worse vulnerability detection coverage and depth than SAST, black-box testing is still the only method available once your app is in production operation. But what if it were not? Solared APPscreener makes it possible to use static analysis even when development has been completed. When scanning binaries and executables, the unique Production SAST technology reconstructs the original source code and reveals its vulnerabilities. The following operation modes are supported:

SAST based on source code: Java, Scala, PHP, Android, iOS, C#, PL/SQL, Python, Ruby, C/C++, VB 6.0, T/SQL, ABAP, Delphi

SAST based on executables: Android, iOS, jar, war, dll, and exe.

Executable-based SAST employs patented reverse engineering technology, allowing source code to be reconstructed even if it was intentionally obfuscated.

Solared APPscreener easily detects app language and "understands" multi-language apps. Simply upload the code into Solared APPscreener and click Scan.

Fuzzy Logic Engine

This technology minimizes both false positives and false negatives using fuzzy logic, Solared Security's proprietary know-how. Filter parameters are defined by a knowledge base that is continuously updated as projects are completed. The number of false positives and false negatives is among the key parameters of any code scanner, which makes further improvement of this technology a top priority.

Solared APPscreener integration options

Solared APPscreener has rich integration capabilities.

Integration with a development repository: code to be analyzed is sent to Solared APPscreener directly from a repository, so there is no need to import source code files each time.

Integration with Service Desk software: the solution features an out-of-the-box Atlassian Jira connector and can be tailored to support any other ticket management system if necessary. This allows a security officer to initiate remediation jobs directly in the system (e.g. assign code modification to a development team or a WAF rule setup to system admins).

Integration with SDLC and Continuous Integration processes.


Solared APPscreener benefits

Custom recommendations on how to eliminate app code vulnerabilities

Custom recommendations on how to configure WAF

Unlike a code text analyzer, Solared APPscreener checks code via an intermediate representation that takes the specifics of program execution into account

Ability to analyze apps when source code is unavailable

Scanning starts in a few clicks without long preliminary configuration

Powerful integration capabilities


Case studies

Case 1. Prompt vulnerability blocking

During the acceptance of a new remote banking system from its developers, security officers analyzed the code and revealed critical vulnerabilities that would allow an attacker to obtain admin rights. However, fixing them was estimated to take around 3.5 months, while the deployment schedule was extremely tight. Eventually, it was decided to deploy the system anyway and mitigate the exploitation risk via the existing WAF. The company obtained detailed WAF setup recommendations from Solared APPscreener, while the developers eliminated the code vulnerabilities in parallel.

Case 2. Legacy system check

For over 10 years, one of our clients had been operating a legacy trading system. Solared APPscreener revealed that data was being secretly leaked to an external server; the undocumented feature was then blocked via a firewall.

Case 3. Control over developers

With Solared APPscreener in place, a cybersecurity team analyzed a mobile app available on Google Play and revealed vulnerabilities that were not present in the source code the developers had provided for analysis. The investigation showed that the developers had intentionally provided an abridged version of the source code for analysis to avoid code correction they considered unnecessary but which cybersecurity officers would otherwise have required. Moreover, the developers had obfuscated the compiled code and were therefore sure that security officers would not discover anything, since they would be unable to reconstruct the code whatever it took.

Regulatory compliance

Solared APPscreener is ideal for companies focused on compliance with security standards, as a user can generate a report in line with the vulnerability classification adopted in PCI DSS, OWASP, or HIPAA.
