Testing code against common security risks to ensure the quality before release (before attacker access)

1. Static Analysis for Security
JUNE 2016
FABDULWAHAB.COM

2. Security is Requirement
 Testing code against common security risks to ensure the quality before
release(before attacker access)
 Help in implementation best practices and prioritize the risks
 Also called white box testing or source code review

3. Software developers are the first and
best line of defense for the security
of their code

4. Types
 Static
 Analyze the code before go to run
 Automated by tools (also can analyze the binary code or (bytecode) but with limitations)
 Also include code review by senior developers and professionals
 Find risks like business logic , exception handling and NULLL issues
 Dynamic
 Analyze the application behavior during the run phase
 Automated by tools
 Used when no code access or knowledge
 Find risks like XSS , Injection or configuration issues
 Better to go with both types (defense in depth)

5. Development Process
 Study past security errors and prevent them from happening in the future
 All portions of the program must be secure
 Still need best practices , training and skills
 Whitelist vs. blacklist validation
 Good design and good implementation need
each other
 Manual Code review is very important
 Including configuration analysis

6. Tools
 Information security department focus on dynamic analysis tools for pen testing
 Development department focus on static analysis and sometime also for dynamic
analysis tools
 In most cases ,Static analysis tools integrated with IDE
 Tools has rules to validate the code like searching for user inputs like Request[] or
searching for injection like SQL Command in code …
 Remember , running tools doesn’t make application secure

7. false negatives are more troublesome
than false positives

8. Tools
 Static analysis tools categories
 Type checking
 Style checking (whitespace , naming , program structure …)
 Program understanding (find all uses of this methods or variable …)
 Program verification and Property checking (check against rules and specifications)
 Bug finding
 Security review

9. Tools
 Commercial/free
 Open source
 Support Development Standards and Compliance (PCI , ISO …)
 Based on programming Languages
 Examples
 https://sourceforge.net/projects/visualcodegrepp/
 https://sourceforge.net/projects/agnitiotool/
 https://www.microsoft.com/en-us/download/details.aspx?id=6544
 ttps://www.microsoft.com/en-us/download/details.aspx?id=19968
 http://www8.hp.com/us/en/software-solutions/application-security/index.html
 https://www.checkmarx.com/
 https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html (list)

10. Demo 01 – Visual Studio Code Analysis
 Identify potential issues based on Microsoft’s rules and best practices
 http://nugetmusthaves.com/Tag/CodeAnalysis
 http://fxcopaspnetsecurity.codeplex.com/
 https://blogs.msdn.microsoft.com/hkamel/2013/10/24/visual-studio-2013-static-
code-analysis-in-depth-what-when-and-how/

11. Demo 02 – WCSA
 To analyze the web.config
 https://code.google.com/archive/p/wcsa/downloads

12. References
 https://www.owasp.org/index.php/Static_Code_Analysis
 Secure Programming with Static Analysis book , By Brian and Jacob