Static source code analysis has been around since the dawn of software development. However, in the context of security, it's a relatively new function that only reached its prime within the past decade.
Static source code analysis is a great way to find bugs and quality-related issues that end up becoming security problems. Some of these are memory-safety bugs such as buffer overflows that somehow slipped through review, while others are genuine security oversights: session fixation, code injection and configuration faults such as hardcoded cryptographic keys.
Certain software security flaws can be uncovered during web vulnerability scanning and penetration testing, but many are not; they sit in the code waiting to be exploited. This underscores the value and importance of both penetration testing and source code analysis.
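To make concrete what a static analysis rule actually does, here is an added example (not code from the article or from any of the vendors it names): a small Python checker built on the standard-library ast module that flags a hardcoded secret, a shell call built from user input and a code-injection sink in a constructed sample source. The sample code, the rule names and the list of secret-looking identifiers are assumptions made for this illustration, not anything a real product ships.

```python
import ast

# Constructed sample of the kind of source a static analyzer is pointed at.
# It is not from the article; it exists only to exercise the rules below.
SAMPLE_SOURCE = '''
import os
import subprocess

API_KEY = "hardcoded-example-key-0000"   # hardcoded secret
DEBUG_MODE = True

def run_report(user_input):
    os.system("report-gen " + user_input)          # shell command built from input
    subprocess.run("ls " + user_input, shell=True) # shell=True with non-literal command
    return eval(user_input)                        # code injection sink

def safe_report(user_input):
    subprocess.run(["report-gen", user_input], check=True)  # argv list, no shell
'''

# Heuristics assumed for the example; a real tool ships far larger rule sets.
SECRET_NAMES = ("key", "secret", "password", "passwd", "token")
INJECTION_SINKS = {"eval", "exec", "os.system", "subprocess.call"}


def _call_name(node):
    """Return the dotted name of a call target, e.g. 'os.system', or None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def _is_constant_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def analyze(source):
    """Parse one Python source string and return sorted (line, rule, detail) findings."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        # Rule 1: hardcoded secret, a string literal assigned to a secret-looking name.
        if isinstance(node, ast.Assign) and _is_constant_str(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                    s in target.id.lower() for s in SECRET_NAMES
                ):
                    findings.append((node.lineno, "hardcoded-secret", target.id))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            # Rule 2: known injection sink whose first argument is not a literal.
            if name in INJECTION_SINKS and node.args and not _is_constant_str(node.args[0]):
                findings.append((node.lineno, "injection-sink", name))
            # Rule 3: any subprocess call that passes shell=True.
            if name and name.startswith("subprocess."):
                for kw in node.keywords:
                    if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                            and kw.value.value is True):
                        findings.append((node.lineno, "shell-true", name))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule, detail in analyze(SAMPLE_SOURCE):
        print(f"line {line}: {rule}: {detail}")
```

Run as written, the checker reports the hardcoded key on line 5 of the sample and the three dangerous calls in run_report, and stays silent on safe_report, which passes an argument list without a shell. The point is that the rules operate on a parsed representation of the code without executing it; commercial tools add interprocedural taint tracking so that user_input is followed from where it enters to where it reaches a sink, which is what separates them from this single-function illustration.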
I have found, through hearing from clients and having been in the market for these tools myself, that the procurement process can be frustrating. There are a relatively limited number of vendors in the space, and their products aren't necessarily marketed to the people doing the actual testing.
In fact, I know many people who do not have a lot of technical or security savvy, but who are interested in performing source code analysis. However, they're confused about what to buy, or, more likely, they're not exactly sure how to run the tools or interpret the results.
By and large, you get what you pay for with these tools. There are numerous commercial static source code analysis options on the market, such as those offered by Veracode, PVS-Studio and buguroo. Some of the top commercial products can check for source code flaws across multiple languages, including C#, Java, PHP and the languages used for mobile app development.
There are open source and freeware options available, as well, such as Visual Code Grepper and SonarQube. It can be a bit time-consuming tracking down which of the free tools support your specific languages and build setup -- not to mention the setup and configuration requirements of some of them -- but it's often well worth it. Regardless of whether you go with the paid or free route, both the Open Web Application Security Project and the National Institute of Standards and Technology maintain good lists of the various tools from which to choose.
Static source code analysis is only part of the overall security offerings from certain vendors. For example, NowSecure has a mobile application-centric system that not only performs a static analysis of the code in Android and iOS-based apps, but also performs a dynamic analysis to determine how the apps behave during runtime. This includes checking to see what services the apps connect to externally, which network protocols are in use and what forensic artifacts are left behind. Much of this can be performed manually using the traditional penetration testing approach, but not nearly as quickly or with as much accuracy.
Another vendor, Tactical Network Solutions, has a neat, cloud-based service called Centrifuge that goes deeper into the stack by analyzing the actual firmware images from internet of things (IoT) devices. These two areas -- mobile and IoT -- are the new frontier of software testing. That is welcome, because mobile apps and IoT devices are commonly overlooked in the systems development lifecycle. Furthermore, these tools often uncover security flaws that an average person would assume could never have shipped.
The pros of using source code analysis are many, especially when it is combined with dynamic analysis. The cons are few, beyond the complexity and cost of getting the tools up and running and of interpreting the findings. The important thing is to do something. You don't want to fall into the group of businesses that fail to take reasonable steps to test the security of all of their applications from all reasonable angles.
Source code analysis may sound like a costly and time-consuming exercise. However, it can be a great way for enterprises to understand the code structure of applications, to weed out vulnerabilities and to ensure compliance with industry standards. Both as a piece of technology and a process, static source code analysis should find its way into the enterprise either through the systems development lifecycle on the development and quality assurance side of the house or as part of the information security function -- and sooner as opposed to later.
Beyond static and dynamic analysis, keep an eye on interactive application security testing, which instruments the running application and observes data flows as tests or testers exercise it, combining the code-level visibility of static analysis with the runtime context of dynamic analysis. If you don't feel equipped to increase your current level of software security testing, then you should explore outsourcing the task. Contract directly with the vendors or hire an outside expert that specializes in application security.
Whichever way you go about it, looking for security flaws at the source code level is a great way to find critical issues that would have likely remained unknown until a criminal hacker found and exploited them. It's not a cure-all for weaknesses in your applications, networks and overall information security program, but it's certainly a step in the right direction.