What is static application security testing, and how does it work? In what scenarios is it a useful and worthwhile testing method for enterprises?
There are two different software testing methodologies for evaluating the security of an application: dynamic testing and static testing. I recommend you use both. Dynamic testing involves using a variety of techniques, such as fuzzers and penetration tests. These tests inspect the running application: how it behaves and responds to various inputs, and how it interacts with its environment. Static testing is quite different in that it involves reviewing or auditing the application's source code, either manually or -- more commonly -- by using automated source code analyzer tools.
Static application security testing takes place during the implementation phase of a project and is a required practice in Microsoft’s Security Development Lifecycle. It is also one of the methods that can be used to mitigate security risks for applications that are required to comply with the Payment Card Industry Data Security Standard (PCI DSS).
A thorough source code review has an advantage over dynamic testing. Nothing is hidden from analysts during a source code review, so they can examine exactly how data flows through a program. Specific attributes of the application, such as credit card numbers and personal data, can be taken into account, allowing the full range of security vulnerabilities to be identified. A source code review can also help ensure that secure coding policies are followed and that unsafe or prohibited functions aren’t being used, for example by examining how errors are handled and checking the permissions on configuration files and network connections. By solving the problem at the code level, static testing reduces the number of security-related design and coding defects, and the severity of any defects that make it through to the release version, thus dramatically improving the overall security of the application.
Automated tools greatly reduce the time it takes to review complex reams of code. Although static analysis tools can’t test adherence to security policy or identify backdoors in an application in the way a manual code review can, they can shorten the time it takes to review large complex applications.
High-range tools use sophisticated functions such as data flow analysis, control flow analysis and pattern recognition to identify potential security vulnerabilities. I say potential because the results tend to include a high number of false positives. The advantage is they can analyze highly complex reams of code and identify issues a manual review should concentrate on. This can make them quite cost-effective.
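As an added illustration (not code from the article or from any real product), here is a toy Python analyzer that combines the pattern recognition and data flow analysis described above: it flags every call to an assumed list of prohibited functions, and uses simple taint tracking from an assumed input source to mark as HIGH only the calls actually fed by attacker-controlled data, leaving the rest as lower-confidence findings (including likely false positives) for a human reviewer to triage. The source, sanitizer and sink lists and the sample script under review are constructed assumptions.

```python
import ast

# Assumed policy lists for this toy analyzer (not from any real tool):
SOURCES = {"input"}                    # calls returning attacker-controlled data
SANITIZERS = {"shlex.quote"}           # calls whose result is treated as safe
SINKS = {"os.system", "eval", "exec"}  # prohibited / dangerous functions

def call_name(node):
    """Dotted callee name of a Call node, e.g. 'os.system', or None."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None

def is_tainted(node, tainted):
    """Data-flow step: does this expression carry attacker-controlled data?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.BinOp):
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    if isinstance(node, ast.Call):
        name = call_name(node)
        if name in SANITIZERS:
            return False
        return name in SOURCES or any(is_tainted(a, tainted) for a in node.args)
    return False

def analyze(source):
    """(line, callee, severity) for each sink call: pattern hit -> REVIEW, tainted -> HIGH."""
    findings, tainted = [], set()
    for stmt in ast.parse(source).body:  # straight-line top-level code only
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            if is_tainted(stmt.value, tainted):
                tainted.add(stmt.targets[0].id)
            else:
                tainted.discard(stmt.targets[0].id)  # overwritten with clean data
        for call in ast.walk(stmt):
            if isinstance(call, ast.Call) and call_name(call) in SINKS:
                hot = any(is_tainted(a, tainted) for a in call.args)
                findings.append((call.lineno, call_name(call), "HIGH" if hot else "REVIEW"))
    return findings

SAMPLE = '''import os, shlex
host = input("host: ")          # source: attacker-controlled
os.system("ping -c1 " + host)   # tainted data reaches a sink -> HIGH
safe = shlex.quote(host)        # sanitizer clears the taint
os.system("ping -c1 " + safe)   # same pattern, sanitized -> REVIEW
os.system("ls /tmp")            # constant argument -> REVIEW (likely false positive)
eval("1+1")                     # prohibited function, no tainted input -> REVIEW
'''  # constructed sample under review, not code from the article
```

Calling `analyze(SAMPLE)` returns the four findings annotated in the sample; only the first is HIGH, the remaining three are the pattern-only hits a manual review would need to confirm or dismiss.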
You do, however, need to be aware of the strengths and weaknesses of static analysis tools and be prepared to augment them with human reviews where appropriate. For example, automated tools tend to be weak on detecting errors that could occur due to poor flow control and badly implemented business logic. It's possible to use internal staff for your reviews as long as they have the necessary skills and experience, and aren’t the same employees who developed the application. However, having dedicated code reviewers is only economical for large enterprises that are constantly developing their own applications. The flip side to this is that a well-built application doesn’t require the same level of ongoing care and maintenance as one that is repeatedly hacked into due to unidentified coding flaws.
This was first published in November 2011