Automating Your Code Review - Moving to a SaaS Model for Application Security

Upload: tariq-guroo

Post on 30-May-2018


8/9/2019 Automating Your Code Review - Moving to a SaaS Model for Application Security

Automating Your Code Review: Moving to a SaaS Model for Application Security

White Paper


Contents

Overview
Executive Summary
Code Review and Security Analysis Methods
    Source Code Review
    Penetration Testing
    Binary Code Review
    Application Rating and Remediation
Veracode and Automated Code Reviews
    Binary application analysis
    Application Reviews and Ratings for Software Procurement
    Remediation
    Multiple Vulnerability Detection Technologies
Summary
About Veracode

2008 Veracode, Inc.


Overview

Today's application has become the enterprise's new perimeter. With better network-level security technology hardening the network perimeter, malicious attackers are now focusing their efforts to strike at the least defended point: the application. While hackers were once satisfied with defacing Web sites, unleashing denial-of-service attacks and trading illicit files through targeted networks, modern attackers are profit-driven. Financial and customer data have become valuable commodities, and applications must be secure enough to protect them.

Executive Summary

Software vulnerabilities have become extremely common, yet inspecting code for security flaws is such a time-consuming and expensive process that many businesses forgo it entirely. Automated inspection of software using tools or on-premise products expedites the process, but still requires an enterprise to invest significantly in IT resources, training and maintenance. It is also difficult, if not impossible, to deploy these resources consistently across geographically dispersed development groups, or to address the security risks posed by commercial software or offshore outsourced application development. Few businesses have the staff, security expertise, time and money necessary to analyze their entire application portfolio in-house. To complicate matters, source code is often unavailable for externally developed software, and those that do have access are wary of exposing their proprietary source code outside of the organization.

In a recent survey of U.S.-based software developers, only 12 percent of the developers who responded said that security takes precedence, and less than half have had any formal training on secure coding techniques and processes. This has resulted in over 7,000 new security vulnerabilities disclosed over the last year alone, an all-time high. In an effort to combat this growing trend, new compliance requirements from the Payment Card Industry (PCI) and the Comptroller of the Currency, Administrator of National Banks (OCC), along with recommendations from industry groups and analysts, call for code reviews to secure software applications.

On-demand application security testing offered as an automated service is emerging as a simpler and more cost-effective way to raise the security level of software. In fact, IT analyst firm Gartner predicts that within two years 50% of enterprises will be using some form of security-as-a-service offering. Application security offered as an on-demand service based on binary analysis and dynamic web scanning technologies allows organizations to review their entire code base for vulnerabilities without exposing their source code. On-demand application security is a major step toward reducing risk in applications developed in-house, commercial off-the-shelf (COTS) software, as well as applications developed by offshore outsourcing providers.


Software: Today's Biggest Security Risk

Today's application has become the enterprise's new perimeter. With better network-level security technology hardening the network perimeter, malicious attackers are now focusing their efforts to strike at the least defended point: the application. While hackers were once satisfied with defacing Web sites, unleashing denial-of-service attacks and trading illicit files through targeted networks, modern attackers are profit-driven. Financial and customer data have become valuable commodities, and applications must be secure enough to protect them.

Recent industry statistics confirm this trend. Data from CERT reveals that the number of software vulnerabilities has risen dramatically and has eclipsed 7,000 new software vulnerability disclosures in the past year, an all-time high. Meanwhile, Gartner and NIST report that 95% of all reported vulnerabilities are in software, 75% of threats target business information, and 75% of attacks target the application level. Yet, even with these findings, most enterprises allocate less than 10% of their security spending to application security.

[Figures: NIST/Gartner Key Facts; CERT Number of Software Vulnerability Disclosures per Year]


Code Review and Security Analysis Methods

There are several methods in today's marketplace for organizations to introduce application security into their businesses, either dynamically, with penetration testing, or statically, with source code analysis or binary code analysis:

1. Source Code Review: manual and automated
2. Penetration Testing: manual and automated
3. Binary Code Review: automated, as a service

Source Code Review

Source code scanning comes in two forms: manual and automated analysis. Both allow developers to inspect code for known security vulnerabilities before compilation. Fixing these flaws during coding can reduce the number of builds necessary to produce a secure product and educate internal developers about secure coding practices.

Manual source code analysis, though very in-depth, is labor-intensive and requires highly skilled application security experts. Because of this, it lacks repeatability and is generally not considered practical. Automated source code analysis is becoming more prevalent in the marketplace, but because source code is proprietary, most businesses are wary of submitting it for off-site third-party analysis. As a result, these scanning tools are deployed as on-premises software, requiring dedicated infrastructure and staff with application security expertise. Automated scanning tools shorten testing times, but require dedicated hardware, installation, configuration, training, and frequent updates, making them costly and time-consuming for organizations.

Most businesses cannot justify hiring dedicated application security experts to perform source code reviews. Thus, whether manual or automated, source code scanning forces organizations to retask developers and QA personnel who may have limited expertise in application security. Additionally, modern software development practices may limit the effectiveness of source code scanning. By definition, a source code scan can only be as effective as the amount of source code available to it. Businesses frequently integrate code from third parties, such as libraries, commercial off-the-shelf (COTS) software, and open source software. Enforcing secure coding standards with outsourced and offshore development partners is typically difficult, and enforcing these standards for COTS components from third-party vendors is impossible using source code analysis alone.


Penetration Testing

Manual penetration testing involves a human tester simulating an actual external attack. During a test, a security expert attempts to compromise a target application using exactly the same methods as a hacker. Manual penetration testing is usually conducted in a black-box setting, tested from the outside in, with no knowledge of source code or internal processes. Businesses can safely outsource most black-box testing, but outsourcing the more valuable white-box testing, performed with specific knowledge of source code or software design documentation, risks compromising proprietary assets.

Manual penetration testing can provide valuable spot checks and perhaps detect some low-hanging-fruit vulnerabilities, but the tester's level of knowledge and the inability to achieve adequate coverage of the application's code from its external interfaces limit its effectiveness. Even a team of the best testers would be unable to perform comprehensive tests on repeated builds of an application without slowing the SDLC and adding substantial costs. Manual penetration testing can be non-deterministic, with testers continuing to find flaws when given an unlimited amount of time. As a result, manual penetration testing, while valuable, can be costly and time-consuming for organizations looking to introduce security into their applications or to analyze third-party applications for security flaws.

To address the limitations of manual penetration testing, software vendors now offer tools that automate the most common scans and penetration attempts. Automated penetration testing provides a faster, more consistent scan of common external vulnerabilities than manual testing. However, these tools are not fully automated. They require a human to guide or "teach" the tool about the application, and require a human with security knowledge to investigate false positives.

Despite its cost and time advantages, automated penetration testing is not a replacement for manual testing. Some applications behave unpredictably, and automated test tools cannot predict how a human attacker might react to those behaviors. Both manual and automated penetration testing require application security analysts with deep expertise in design, development and deployment. In addition, both tests come late in the SDLC. Organizations are faced with a difficult choice: delay the software release in order to fix vulnerabilities and lose revenue, or deploy the application and plan to issue a potentially expensive patch.


Binary Code Review

The analysis of compiled applications is a recent development in security testing. Like source code reviews, binary reviews fall under the category of static analysis, also commonly called white-box testing, and have the same distinct advantages: they can evaluate both web and non-web applications and, through advanced modeling, can detect flaws in the software's inputs and outputs that cannot be seen through penetration testing alone.

By examining a compiled form of an application in its runtime environment, this technique can provide a much more comprehensive picture of real-world vulnerabilities. While integrating other forms of security testing requires significant process modifications, analyzing the binaries requires very few such modifications. The standard SDLC provides a window for binary analysis during build acceptance testing. Developers can run security analysis and functional testing in parallel from the same compiled binary.

Binary analysis creates a behavioral model by analyzing an application's control and data flow through executable machine code, the way an attacker sees it. Unlike source code tools, this approach accurately detects issues in the core application and extends coverage to vulnerabilities found in third-party libraries, prepackaged components, and code introduced by compiler- or platform-specific interpretations. Another advantage of binary analysis is the ability to detect growing types of threats such as those coming from malicious code and backdoors, which are impossible to spot with traditional tools because they are not visible in source code.

Perhaps the biggest advantage of binary code reviews is that static binaries are fully compiled, and therefore safer to release to third-party security services for analysis without risking proprietary assets (compiled code can still be reverse engineered, so the exposure is reduced rather than eliminated). Performing binary code reviews removes concerns surrounding intellectual property contained in source code and is applicable to situations where access to source code is not available, as is the case with commercial software, legacy applications or many offshore outsourced applications. This overcomes the requirement to have an on-premises tool and enables application security to be delivered externally using a Security-as-a-Service (SaaS) model.

Application Rating and Remediation

Regardless of their choice of techniques for application analysis, most businesses are not prepared to process the resulting security analysis data. Application development departments are focused on bringing functional applications to market as quickly and inexpensively as possible. Quality assurance departments can classify and prioritize functional defects, or bugs, in software according to established practices, but most businesses are unable to classify and prioritize security defects from vulnerability data. False positives and a lack of experience balancing acceptable levels of security risk and market demands further complicate this process.

To help businesses prioritize decisions about which flaws to fix, a scoring and ranking system has been developed in the marketplace. Until recently, each security solution provider assessed the severity of vulnerabilities according to its own proprietary system. This led to discrepancies between products and services, and limited the value of security assessments. In 2005, a coalition of security experts created the Common Vulnerability Scoring System (CVSS), a vendor-agnostic standard for communicating the severity of vulnerabilities. CVSS uses standard mathematical equations to calculate the severity of new vulnerabilities and provides scores based on the following factors:

• System vulnerability and type of security impact
• Exploitability and remediation availability
• Severity potential

CVSS is a consistent benchmark for application security, providing businesses with actionable data and ensuring that their security efforts can be documented for regulatory compliance. Once a business can quantify the severity of its vulnerabilities, it can begin adjusting its ship-or-launch decision process to address them.

Scored and prioritized vulnerability data provides an excellent starting point for a formal security remediation program. Each vulnerability that is uncovered and classified provides a specific, actionable example of a poor coding practice from which developers can learn. With the assistance of a security expert, businesses can build a library of secure coding best practices tied to real-world examples from their own code bases. Over time, this knowledge will improve the quality of a business's developers and its applications, reducing cost and increasing productivity. Businesses can use application scoring as a method of tracking a developer's or group's progress toward secure coding standards, and can compare their scores to those of other companies or industry benchmarks, if available.

Veracode and Automated Code Reviews

Veracode provides automated, on-demand application security solutions that identify and help remediate application flaws introduced through coding errors or malicious intent, offered as Software as a Service (SaaS). Veracode combines its patented binary code analysis with multiple scanning technologies, including dynamic web scanning analysis, into a single solution. Because it is based on multiple scanning technologies, Veracode SecurityReview offers accurate and comprehensive application security analysis. And by offering it through an automated, on-demand solution, Veracode makes it easy and cost-effective to find and fix application vulnerabilities that can put organizations at risk, whether they are developing applications in-house or purchasing applications from an outside vendor.

Binary application analysis

Veracode provides binary (composite) application analysis based on the industry's first patented binary vulnerability scanning technology. Binary analysis peers deep into all code paths and data flows that the program will execute, without actually running the program. By examining a compiled form of an application or component with the context of its runtime environment, Veracode provides a complete picture of real-world vulnerabilities. It also examines real-time communication among components for any weaknesses introduced during linkage. Binary analysis provides the easiest, most accurate and most comprehensive method for checking the security of applications. In addition, it enables organizations to improve software security during the development process and does not put a company's intellectual property at risk, because it does not require source code.


Application Reviews and Ratings for Software Procurement

The software industry is one of the largest manufacturing industries in the world, with $350 billion in off-the-shelf software sold each year and over $100 billion in customized code on top of that. Despite the size, there is no standardized notion of software security quality, even though the repercussions include product patches, data breaches leading to massive identity theft, and fluctuations in corporate stock prices. Until now, independent software ratings have not been possible for two reasons:

• The sensitivity associated with releasing source code for independent evaluation;
• Existing evaluation tools are not able to assess 100% of the application code, which is a prerequisite for accurate rating.

Veracode's innovation with binary security analysis, coupled with its on-demand service model that integrates multiple testing techniques, makes this rating service possible, as it does not require organizations to divulge their proprietary source code. Veracode provides application security ratings for applications based on industry standards, including MITRE's Common Weakness Enumeration (CWE) for classification of software weaknesses and FIRST's Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability. Veracode is the only organization to combine these standards in a meaningful and practical way to assess software security across internally and externally developed applications.

Veracode Software Security Ratings provide:

• Clear insight into the security level of software from a trusted and independent third party;
• A practical way to set security thresholds for purchased software, before it is deployed in-house;
• A standard method to implement code acceptance security policies for outsourced application development and evaluation of software security risk in M&A transactions.

Remediation

The Veracode world-class team of application security experts passes along their expertise through a second, more detailed report designed to help developers fix the most severe vulnerabilities faster and become familiar with secure coding standards. This report points out the exact line of code creating each problem (for a binary review this requires the build to carry debug information that maps machine code back to source lines), provides supplementary details about the nature of the issue, and recommends a specific fix. This context enables developers to learn from their mistakes, eventually leading to cleaner, more secure code in future products. The Veracode reporting interface is similar to standard integrated development environments (IDEs) with which developers are already familiar, reducing acclimation time. By providing remediation reports and updating the scanner to reflect the latest security developments, Veracode's security team provides expertise that would be impossible to obtain from in-house staff at most software development organizations.


Multiple Vulnerability Detection Technologies

While composite analysis using binary technology is the most effective single method of security analysis, it is not the only technique, nor is it as effective as a combination of approaches that include binary analysis. Different companies require varying levels of software assurance based on their business requirements. To meet these needs, Veracode integrates multiple types of security analysis, such as dynamic Web application analysis and manual and automatic penetration testing. By helping teams work together to identify, prioritize, and remedy security issues, the Veracode platform will help businesses build more secure, cost-effective applications and help organizations purchasing applications reduce the risk associated with application vulnerabilities.

Summary

Maturing security technologies at the network level have shifted the focus of many new malicious hacker attacks to the application itself. For protection from this evolving threat, businesses need to assess application-level security on a regular and timely basis. Technological, financial, and process limitations inhibit the effectiveness of penetration testing and source code analysis, leaving businesses without a viable method of comprehensive security testing. Automated code reviews using static binary analysis, delivered via a software-as-a-service model, provide an opportunity for businesses to conduct comprehensive software testing, exposing weaknesses that might not be visible through other methods, with minimal impact on development process or deployment timelines. The Veracode software security solution integrates binary analysis with multiple application testing techniques to provide vulnerability severity ratings and remediation advice, allowing businesses to make informed business decisions as they secure their internal and purchased applications easily and cost-effectively.

About Veracode

Veracode is the world's leader for on-demand application security testing solutions. Veracode SecurityReview is the industry's first solution to use patented binary code analysis and dynamic web analysis to uniquely assess any application security threats, including vulnerabilities such as cross-site scripting (XSS), SQL injection, buffer overflows and malicious code. SecurityReview performs the only complete and independent security audit across any internally developed applications, third-party commercial off-the-shelf software and offshore code without exposing a company's source code. Delivered as an on-demand service, Veracode delivers the simplest and most cost-effective way to implement security best practices, reduce operational cost and achieve regulatory requirements such as PCI compliance without requiring any hardware, software or training.

Veracode has established a position as the market visionary and leader with awards that include recognition as a Gartner Cool Vendor 2008, Info Security Product Guide's Tomorrow's Technology Today Award 2008, Information Security Readers' Choice Award 2008, AlwaysOn Northeast's "Top 100 Private Company 2008", Network World Top 10 Security Company to Watch 2007, and Dark Reading's Top 10 Hot Security Startups 2007.

Based in Burlington, Mass., Veracode is backed by .406 Ventures, Atlas Venture and Polaris Venture Partners. For more information, visit www.veracode.com.