Automating Your Code Review - Moving to a SaaS Model for Application Security
White Paper
8/9/2019
Contents

Overview
Executive Summary
Code Review and Security Analysis Methods
    Source Code Review
    Penetration Testing
    Binary Code Review
    Application Rating and Remediation
Veracode and Automated Code Reviews
    Binary application analysis
    Application Reviews and Ratings for Software Procurement
    Remediation
    Multiple Vulnerability Detection Technologies
Summary
About Veracode

2008 Veracode, Inc.
Overview

Today's application has become the enterprise's new perimeter. With better network-level security technology hardening the network perimeter, malicious attackers are now focusing their efforts to strike at the least defended point: the application. While hackers were once satisfied with defacing Web sites, unleashing denial-of-service attacks and trading illicit files through targeted networks, modern attackers are profit-driven. Financial and customer data have become valuable commodities, and applications must be secure enough to protect them.
Executive Summary

Software vulnerabilities have become extremely common, yet inspecting code for security flaws is such a time-consuming and expensive process that many businesses forgo it entirely. Automated inspection of software using tools or on-premise products expedites the process, but still requires an enterprise to invest significantly in IT resources, training and maintenance. It is also difficult, if not impossible, to deploy these resources consistently across geographically dispersed development groups, or to address the security risks posed by commercial software or offshore outsourced application development. Few businesses have the staff, security expertise, time and money necessary to analyze their entire application portfolio in-house. To complicate matters, source code is often unavailable for externally developed software, and those that do have access are wary of exposing their proprietary source code outside of the organization.
In a recent survey of U.S.-based software developers, only 12 percent of the developers who responded said that security takes precedence, and less than half have had any formal training on secure coding techniques and processes. This has resulted in over 7,000 new security vulnerabilities disclosed over the last year alone, an all-time high. In an effort to combat this growing trend, new compliance requirements from the Payment Card Industry (PCI) and the Comptroller of the Currency, Administrator of National Banks (OCC), along with recommendations from industry groups and analysts, call for code reviews to secure software applications.
On-demand application security testing offered as an automated service is emerging as a simpler and more cost-effective way to raise the security level of software. In fact, IT analyst firm Gartner predicts that within two years 50% of enterprises will be using some form of security-as-a-service offering. Application security offered as an on-demand service based on binary analysis and dynamic web scanning technologies allows organizations to review their entire code base for vulnerabilities without exposing their source code. On-demand application security is a major step toward reducing risk in applications developed in-house and in commercial off-the-shelf (COTS) software, as well as in applications developed by offshore outsourcing providers.
Software: Today's Biggest Security Risk

Today's application has become the enterprise's new perimeter. With better network-level security technology hardening the network perimeter, malicious attackers are now focusing their efforts to strike at the least defended point: the application. While hackers were once satisfied with defacing Web sites, unleashing denial-of-service attacks and trading illicit files through targeted networks, modern attackers are profit-driven. Financial and customer data have become valuable commodities, and applications must be secure enough to protect them.

Recent industry statistics confirm this trend. Data from CERT reveals that the number of software vulnerabilities has risen dramatically and has eclipsed 7,000 new software vulnerability disclosures in the past year, an all-time high. Meanwhile, Gartner and NIST report that 95% of all reported vulnerabilities are in software, 75% of threats target business information, and 75% of attacks target the application level. Yet, even with these findings, most enterprises allocate less than 10% of their security spending to application security.

[Figure: NIST/Gartner Key Facts]
[Figure: CERT Number of Software Vulnerability Disclosures per Year]
Code Review and Security Analysis Methods

There are several methods in today's marketplace for organizations to introduce application security into their businesses, either dynamically, with penetration testing, or statically, with source code analysis or binary code analysis:

1. Source Code Review: manual and automated
2. Penetration Testing: manual and automated
3. Binary Code Review: automated, as a service
Source Code Review

Source code scanning comes in two forms, manual and automated analysis. Both allow developers to inspect code for known security vulnerabilities before compilation. Fixing these flaws during coding can reduce the number of builds necessary to produce a secure product and educate internal developers about secure coding practices.

Manual source code analysis, though very in-depth, is labor-intensive and requires highly skilled application security experts. Because of this, it lacks repeatability and is generally not considered practical. Automated source code analysis is becoming more prevalent in the marketplace, but because source code is proprietary, most businesses are wary of submitting it for off-site third-party analysis. As a result, these scanning tools are deployed as on-premises software, requiring dedicated infrastructure and staff with application security expertise. Automated scanning tools shorten testing times, but require dedicated hardware, installation, configuration, training, and frequent updates, making them costly and time-consuming for organizations.

Most businesses cannot justify hiring dedicated application security experts to perform source code reviews. Thus, whether manual or automated, source code scanning forces organizations to retask developers and QA personnel who may have limited expertise in application security. Additionally, modern software development practices may limit the effectiveness of source code scanning. By definition, a source code scan can only be as effective as the amount of source code available to it. Businesses frequently integrate code from third parties, such as libraries, commercial off-the-shelf (COTS) software, and open source software. Enforcing secure coding standards with outsourced and offshore development partners is typically difficult, and enforcing these standards for COTS components from third-party vendors is impossible using source code analysis alone.
Penetration Testing

Manual penetration testing involves a human tester simulating an actual external attack. During a test, a security expert attempts to compromise a target application using exactly the same methods as a hacker. Manual penetration testing is usually conducted in a black-box setting, tested from the outside in, with no knowledge of source code or internal processes. Businesses can safely outsource most black-box testing, but outsourcing the more valuable white-box testing, performed with specific knowledge of source code or software design documentation, risks compromising proprietary assets.

Manual penetration testing can provide valuable spot checks and perhaps detect some low-hanging-fruit vulnerabilities, but the tester's level of knowledge and the inability to achieve adequate coverage of the application's code from its external interfaces limit its effectiveness. Even a team of the best testers would be unable to perform comprehensive tests on repeated builds of an application without slowing the SDLC and adding substantial costs. Manual penetration testing can be non-deterministic, with testers continuing to find flaws when given an unlimited amount of time. As a result, manual penetration testing, while valuable, can be costly and time-consuming for organizations looking to introduce security into their applications or to analyze third-party applications for security flaws.

To address the limitations of manual penetration testing, software vendors now offer tools that automate the most common scans and penetration attempts. Automated penetration testing provides a faster, more consistent scan of common external vulnerabilities than manual testing. However, these tools are not fully automated. They require a human to guide or "teach" the tool about the application, and they require a human with security knowledge to investigate false positives.

Despite its cost and time advantages, automated penetration testing is not a replacement for manual testing. Some applications behave unpredictably, and automated test tools cannot predict how a human attacker might react to those behaviors. Both manual and automated penetration testing require application security analysts with deep expertise in design, development and deployment. In addition, both tests come late in the SDLC. Organizations are faced with a difficult choice: delay the software release in order to fix vulnerabilities and lose revenue, or deploy the application and plan to issue a potentially expensive patch.
Binary Code Review

The analysis of compiled applications is a recent development in security testing. Like source code reviews, binary reviews fall under the category of static analysis (also commonly called white-box testing) and share the same distinct advantages: they can evaluate both web and non-web applications and, through advanced modeling, can detect flaws in the software's inputs and outputs that cannot be seen through penetration testing alone.

By examining a compiled form of an application in its runtime environment, this technique can provide a much more comprehensive picture of real-world vulnerabilities. While integrating other forms of security testing requires significant process modifications, analyzing the binaries requires very few such modifications. The standard SDLC provides a window for binary analysis during build acceptance testing. Developers can run security analysis and functional testing in parallel from the same compiled binary.

Binary analysis creates a behavioral model by analyzing an application's control and data flow through executable machine code, the way an attacker sees it. Unlike source code tools, this approach accurately detects issues in the core application and extends coverage to vulnerabilities found in third-party libraries, prepackaged components, and code introduced by compiler- or platform-specific interpretations. Another advantage of binary analysis is the ability to detect growing types of threats such as malicious code and backdoors inserted after the source stage, which source-level tools cannot spot because they are not visible in the source code.
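The paragraph above describes control- and data-flow modeling of machine code without executing it. As an added example (not code from this paper or from Veracode), the Python below performs that kind of analysis on a tiny instruction set invented here to stand in for disassembled code: a worklist data-flow pass follows untrusted input through registers across every branch and loop of the control-flow graph and flags library calls that may receive it. The instruction set, the register names, the sink list and the three sample programs are all constructed for illustration.

```python
"""Static taint analysis over a constructed machine-level IR.

Added example, not Veracode's technology or code. Nothing is executed; every
path through the control-flow graph is considered, including paths a single
test run or penetration test would never take.
"""
from collections import defaultdict

# Library calls whose arguments must never carry untrusted data (assumed sink list).
SINKS = {"system", "strcpy"}


def successors(prog, pc):
    """Control-flow edges out of instruction pc."""
    op = prog[pc]
    if op[0] == "jmp":
        return [op[1]]
    if op[0] == "jz":
        return [pc + 1, op[2]]          # fall-through and taken branch
    if op[0] == "ret":
        return []
    return [pc + 1]


def transfer(op, taint):
    """Which registers hold untrusted data after op, given those that did before it."""
    out = set(taint)
    kind = op[0]
    if kind == "input":                  # read from network/user: source of taint
        out.add(op[1])
    elif kind == "const":                # literal overwrites the register
        out.discard(op[1])
    elif kind == "mov":                  # copy propagates taint
        (out.add if op[2] in taint else out.discard)(op[1])
    elif kind == "add":                  # arithmetic/concatenation: tainted if either operand is
        (out.add if op[2] in taint or op[3] in taint else out.discard)(op[1])
    elif kind == "sanitize":             # validation/escaping kills taint
        out.discard(op[1])
    return frozenset(out)


def analyze(prog):
    """Worklist fixpoint over the CFG. Returns [(pc, sink, [tainted args])] for every
    sink call that may receive untrusted data on some path. States are unioned where
    paths join (a may-analysis), so loops and both arms of every branch are covered."""
    state_in = {0: frozenset()}          # taint set on entry to each instruction
    worklist = [0]
    findings = defaultdict(set)
    while worklist:
        pc = worklist.pop()
        op, taint = prog[pc], state_in[pc]
        if op[0] == "call" and op[1] in SINKS:
            findings[pc].update(a for a in op[2:] if a in taint)
        out = transfer(op, taint)
        for succ in successors(prog, pc):
            merged = state_in.get(succ, frozenset()) | out
            if merged != state_in.get(succ):  # state grew: re-analyze the successor
                state_in[succ] = merged
                worklist.append(succ)
    return [(pc, prog[pc][1], sorted(args)) for pc, args in sorted(findings.items()) if args]


# Constructed "disassembly" of a request handler: the sanitizer runs on only one arm
# of the branch, so the command string passed to system() is tainted on the other.
HANDLER = [
    ("input", "r1"),                # 0: r1 <- query string
    ("input", "r2"),                # 1: r2 <- "raw" flag taken from the request
    ("mov", "r3", "r1"),            # 2: r3 <- r1
    ("jz", "r2", 6),                # 3: if r2 == 0 skip the sanitizer
    ("sanitize", "r3", "r3"),       # 4: r3 <- escape(r3)
    ("jmp", 6),                     # 5
    ("const", "r4", "convert "),    # 6: r4 <- command prefix
    ("add", "r5", "r4", "r3"),      # 7: r5 <- r4 + r3
    ("call", "system", "r5"),       # 8: sink
    ("call", "log", "r1"),          # 9: not a sink
    ("ret",),                       # 10
]

# The same handler with the sanitizer on every path.
HANDLER_FIXED = [
    ("input", "r1"),
    ("sanitize", "r3", "r1"),
    ("const", "r4", "convert "),
    ("add", "r5", "r4", "r3"),
    ("call", "system", "r5"),
    ("ret",),
]

# A read loop: taint accumulates in r1 across iterations and reaches strcpy after the loop.
READ_LOOP = [
    ("const", "r1", ""),            # 0: accumulator starts clean
    ("input", "r2"),                # 1: r2 <- next chunk
    ("jz", "r2", 5),                # 2: empty chunk ends the loop
    ("add", "r1", "r1", "r2"),      # 3: r1 <- r1 + r2
    ("jmp", 1),                     # 4
    ("call", "strcpy", "buf", "r1"),  # 5: sink
    ("ret",),
]

if __name__ == "__main__":
    for name, prog in (("HANDLER", HANDLER), ("HANDLER_FIXED", HANDLER_FIXED), ("READ_LOOP", READ_LOOP)):
        print(name, analyze(prog))
```

Two properties of the pass are worth noting. The union at join points is what lets it report the half-sanitized handler and the loop-accumulated buffer without ever choosing an input; it is also the reason static tools produce false positives, since a path the analysis merges may be infeasible at runtime, which is why the paper later insists on human triage of results. A real binary analyzer does the same bookkeeping over memory, stack slots and calls rather than a handful of named registers, but the fixpoint structure is the same.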
Perhaps the biggest advantage of binary code reviews is that static binaries are fully compiled, and therefore safer to release to third-party security services for analysis without risking proprietary assets. Performing binary code reviews removes concerns surrounding intellectual property contained in source code and is applicable to situations where access to source code is not available, as is the case with commercial software, legacy applications or many offshore outsourced applications. This overcomes the requirement to have an on-premises tool and enables application security to be delivered externally using a Security as a Service (SaaS) model.

Application Rating and Remediation

Regardless of their choice of techniques for application analysis, most businesses are not prepared to process the resulting security analysis data. Application development departments are focused on bringing functional applications to market as quickly and inexpensively as possible. Quality assurance departments can classify and prioritize functional defects, or bugs, in software according to established practices, but most businesses are unable to classify and prioritize security defects from vulnerability data. False positives and a lack of experience balancing acceptable levels of security risk against market demands further complicate this process.

To help businesses prioritize decisions about which flaws to fix, a scoring and ranking system has been developed in the marketplace. Until recently, each security solution provider assessed the severity of vulnerabilities according to its own proprietary system. This led to discrepancies between products and services, and limited the value of security assessments. In 2005, a coalition of security experts created the Common Vulnerability Scoring System (CVSS), a vendor-agnostic standard for communicating the severity of vulnerabilities. CVSS uses standard mathematical equations to calculate the severity of new vulnerabilities and provides scores based on the following factors:

- System vulnerability and type of security impact
- Exploitability and remediation availability
- Severity potential

CVSS is a consistent benchmark for application security, providing businesses with actionable data and ensuring that their security efforts can be documented for regulatory compliance. Once a business can quantify the severity of its vulnerabilities, it can begin adjusting its ship-or-launch decision process to address them.
Scored and prioritized vulnerability data provides an excellent starting point for a formal security remediation program. Each vulnerability that is uncovered and classified provides a specific, actionable example of a poor coding practice from which developers can learn. With the assistance of a security expert, businesses can build a library of secure coding best practices tied to real-world examples from their own code bases. Over time, this knowledge will improve the quality of a business's developers and its applications, reducing cost and increasing productivity. Businesses can use application scoring as a method of tracking a developer's or group's progress toward secure coding standards, and can compare their scores to those of other companies or to industry benchmarks, if available.
Veracode and Automated Code Reviews

Veracode provides automated, on-demand application security solutions that identify and help remediate application flaws introduced through coding errors or malicious intent, offered as Software as a Service (SaaS). Veracode combines its patented binary code analysis with multiple scanning technologies, including dynamic web scanning analysis, into a single solution. Because it is based on multiple scanning technologies, Veracode SecurityReview offers accurate and comprehensive application security analysis. And by offering it through an automated, on-demand solution, Veracode makes it easy and cost-effective to find and fix application vulnerabilities that can put organizations at risk, whether they are developing applications in-house or purchasing applications from an outside vendor.
Binary application analysis

Veracode provides binary (composite) application analysis based on the industry's first patented binary vulnerability scanning technology. Binary analysis peers deep into all code paths and data flows that the program will execute, without actually running the program. By examining a compiled form of an application or component within the context of its runtime environment, Veracode provides a complete picture of real-world vulnerabilities. It also examines real-time communication among components for any weaknesses introduced during linkage. Binary analysis provides the easiest, most accurate and most comprehensive method for securing applications. In addition, it enables organizations to improve software security during the development process and does not put a company's intellectual property at risk, because it does not require source code.
Application Reviews and Ratings for Software Procurement

The software industry is one of the largest manufacturing industries in the world, with $350 billion in off-the-shelf software sold each year and over $100 billion in customized code on top of that. Despite its size, there is no standardized notion of software security quality, even though the repercussions include product patches, data breaches leading to massive identity theft, and fluctuations in corporate stock prices. Until now, independent software ratings have not been possible for two reasons:

- the sensitivity associated with releasing source code for independent evaluation, and
- existing evaluation tools are not able to assess 100% of the application code, which is a prerequisite for accurate rating.

Veracode's innovation with binary security analysis, coupled with its on-demand service model that integrates multiple testing techniques, makes this rating service possible, as it does not require organizations to divulge their proprietary source code. Veracode provides application security ratings for applications based on industry standards, including MITRE's Common Weakness Enumeration (CWE) for classification of software weaknesses and FIRST's Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability. Veracode is the only organization to combine these standards in a meaningful and practical way to assess software security across internally and externally developed applications.

Veracode Software Security Ratings provide:

- Clear insight into the security level of software from a trusted and independent third party;
- A practical way to set security thresholds for purchased software, before it is deployed in-house;
- A standard method to implement code acceptance security policies for outsourced application development and to evaluate software security risk in M&A transactions.
Remediation

The Veracode world-class team of application security experts passes along its expertise through a second, more detailed report designed to help developers fix the most severe vulnerabilities faster and become familiar with secure coding standards. This report points out the exact line of code creating each problem, provides supplementary details about the nature of the issue, and recommends a specific fix. This context enables developers to learn from their mistakes, eventually leading to cleaner, more secure code in future products. The Veracode reporting interface is similar to the standard integrated development environments (IDEs) with which developers are already familiar, reducing acclimation time. By providing remediation reports and updating the scanner to reflect the latest security developments, Veracode's security team provides expertise that would be impossible to obtain from in-house staff at most software development organizations.
Multiple Vulnerability Detection Technologies

While composite analysis using binary technology is the most effective single method of security analysis, it is not the only technique, nor is it as effective as a combination of approaches that include binary analysis. Different companies require varying levels of software assurance based on their business requirements. To meet these needs, Veracode integrates multiple types of security analysis, such as dynamic Web application analysis and manual and automated penetration testing. By helping teams work together to identify, prioritize, and remedy security issues, the Veracode platform will help businesses build more secure, cost-effective applications and help organizations purchasing applications reduce the risk associated with application vulnerabilities.
Summary

Maturing security technologies at the network level have shifted the focus of many new malicious hacker attacks to the application itself. For protection from this evolving threat, businesses need to assess application-level security on a regular and timely basis. Technological, financial, and process limitations inhibit the effectiveness of penetration testing and source code analysis, leaving businesses without a viable method of comprehensive security testing. Automated code reviews using static binary analysis, delivered via a software-as-a-service model, provide an opportunity for businesses to conduct comprehensive software testing, exposing weaknesses that might not be visible through other methods, with minimal impact on the development process or deployment timelines. The Veracode software security solution integrates binary analysis with multiple application testing techniques to provide vulnerability severity ratings and remediation advice, allowing businesses to make informed business decisions as they secure their internal and purchased applications easily and cost-effectively.
About Veracode

Veracode is the world leader in on-demand application security testing solutions. Veracode SecurityReview is the industry's first solution to use patented binary code analysis and dynamic web analysis to uniquely assess any application security threats, including vulnerabilities such as cross-site scripting (XSS), SQL injection, buffer overflows and malicious code. SecurityReview performs the only complete and independent security audit across any internally developed applications, third-party commercial off-the-shelf software and offshore code without exposing a company's source code. Delivered as an on-demand service, Veracode offers the simplest and most cost-effective way to implement security best practices, reduce operational cost and meet regulatory requirements such as PCI compliance without requiring any hardware, software or training.

Veracode has established a position as the market visionary and leader with awards that include recognition as a Gartner Cool Vendor 2008, Info Security Product Guide's Tomorrow's Technology Today Award 2008, Information Security Readers' Choice Award 2008, AlwaysOn Northeast's "Top 100 Private Company 2008", Network World Top 10 Security Company to Watch 2007, and Dark Reading's Top 10 Hot Security Startups 2007.

Based in Burlington, Mass., Veracode is backed by .406 Ventures, Atlas Venture and Polaris Venture Partners. For more information, visit www.veracode.com.