Should static analysis be a part of the software development process?

BROWSE BY TAG Platform Security,   Application and Platform Security,   Software Development Methodology,   Enterprise Vulnerability Management,   Security Testing and Ethical Hacking,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Platform Security Should developers create libraries of common cryptographic algorithms? How to secure USB ports on Windows machines What is the best database patch management process? What is an encryption collision? What are new and commonly used public-key cryptography algorithms? Should management processes change based on a patch release schedule? Does an EULA make it truly illegal to decompile software? Should businesses delay Windows Vista adoption and just buy Windows 7? Why should we place data files on a separate partition than the OS? Should Windows Mobile updates come from Microsoft? Software Development Methodology Quiz: How to build secure applications How to detect software tampering Developers Need Help with Security Errors Does an EULA make it truly illegal to decompile software? SQL injection continues to trouble firms, lead to breaches IBM acquires Ounce Labs for source code analysis Microsoft issues emergency Active Template Library updates Software security threats and employee awareness training Adobe patches ColdFusion vulnerability blocking website attack nCircle statistics show rising Web application vulnerabilities Security Testing and Ethical Hacking H.D. Moore speaks about Metasploit Project deal, Release 3.3 Could Metasploit popularity erode? Metasploit Project acquired by vulnerability management firm Rapid7 Should management processes change based on a patch release schedule? Does an EULA make it truly illegal to decompile software? Screencast: BackTrack 4 offers an arsenal of penetration testing tools Security testing firm uncovers XML vulnerabilities Screencast: Samurai offers pen-testing nirvana The requirements needed to make an external penetration test legal McAfee to acquire Solidcore Systems for whitelisting

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bypass  (SearchSecurity.com) Common Weakness Enumeration  (SearchSecurity.com) debugging  (SearchSoftwareQuality.com) fuzz testing  (SearchSecurity.com) heuristics  (SearchSoftwareQuality.com) sandbox  (SearchSecurity.com) threat modeling  (SearchSecurity.com) trigraph  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

A comprehensive approach to secure software development is needed to eradicate vulnerabilities. Network defenses alone will struggle to protect a system running a vulnerable application. To improve the quality of your software, you should adopt a "security development lifecycle (SDL)" approach, the aim of which is to reduce the number of security-related design and coding defects, as well as lessen the severity of any defects that make it through to the release version.

As development of your application gets underway, you'll need to initiate code reviews. Even if developers write code with security in mind, the code must still be tested for technical and logical vulnerabilities. In an effort to share best practices for developing more secure code, Microsoft has made public its security development lifecycle. Throughout its SDL, the software goes through both static and dynamic code analysis.

Neither static nor dynamic analysis can capture every type of error. As applications become more complex, it is getting increasingly harder to dynamically test all of the possible permutations that an application may face in the real world. This is why I recommend a combination of static and dynamic verification tools that continually check for technical and logical vulnerabilities during the development cycle. Microsoft has found that software that has undergone its SDL has experienced a significantly reduced rate of externally discovered security vulnerabilities.

Static analysis involves reviewing an application's source code without executing the application itself. While program compilers only identify language rule violations, such as type violations and syntax errors, static analysis aims to uncover and remove problems, such as semantic mistakes, that pass through compilers and result in buffer overruns, invalid pointer references, uninitialized variables and other vulnerabilities. There are tools that can analyze code to create diagrammatic representations, making it easier to follow and understand the effects when a branch of code is executed. It does take experienced developers to analyze the results and examine any suspect source code, however. Interestingly, having code reviewed by experts tends to make developers document their code more clearly so as not to be picked up by their peers.

Nonetheless, some problems are difficult to foresee during static analysis. The interaction of multiple functions can generate unanticipated errors, which only become apparent during component-level integration, system integration or deployment. Therefore, once the software is functionally complete, dynamic analysis should also be performed. Dynamic analysis reveals how the application behaves when executed, and how it interacts with other processes and the operating system itself. While static analysis can find errors early in the development cycle, dynamic analysis tests the code in real-life scenarios. To that end, many developers now use a technique called fuzzing that bombards a running program with random data to test the robustness of its code. If the fuzz data causes the program to fail, crash, lock up, consume memory or produce uncontrolled errors, the developer knows that there is a flaw somewhere within the code.

There are plenty of static code-analysis tools for developers, many of which are free. There's a fairly comprehensive list available, which includes metric and lint-like tools. (The term lint-like refers to the process of flagging suspicious language usage.) If you use any of the Microsoft development environments, then you should certainly look at its free code-analysis tools, such as PREfix, PREfast, and FxCop.

Finding and fixing programming errors can be time-consuming, but in the long run, the process will result in a more stable and secure application. When the cost of addressing security issues increases as the software design lifecycle proceeds, using static analysis early on not only helps create better products and increase customer confidence in your applications; it can also benefit the bottom line, too, most notably in the form of flaws discovered before an application is deployed.

More information: