Software Security Testing Part — III
Update: This article is part of a series. Check out the full series: Part 1, Part 2, Part 3, Part 4, Part 5!
Source Code Review Tools & Techniques
Welcome to the third module of the software security testing workshop. This module will specifically discuss tools available on the Internet to perform security source code review, or simply code review. These tools are not easy to use and understand as it is not a script kiddy job to simply run and detect the vulnerability and you need to have a solid background in programming to understand what the tool is highlighting as a flaw and what could be the outcome of a complete review.
This module is an easy go as it will speak about different tools and some snapshots. This module can be separately studied to gain more knowledge about source code review tools and their features. In this module, we will public speaking and reviews about these tools.
In today’s field of information security, the fastest growing area in the software security industry is a source code analysis tool, also known as static analysis tools. These tools review source code line by line to detect security vulnerabilities.
Why do we need tools?
This has been already answered to some extent in the previous module where we discussed the Black Box testing method for performing a security code review. However, it’s worthwhile to highlight some more benefits of using cutting-edge security tools for performing the source code reviews.
* Good bug-finding performance
* Centralized reporting components
* Tight integration
* Time & performance
* Quick solutions & recommendations
* Standardized approach for detection of flaws
* Uses best practices * Detect buffer overflows
* Memory corruption detection
* Bounds-checking errors and type confusion
* Control flow analysis
* Pinter aliasing
* Memory allocation errors
* Calls to insecure library functions
* Database of vulnerability library calls
* Ability to preprocess source code
* Lexical analysis
Some of the key features are explained below which are also stated by big organizations.
* A database of vulnerable library calls is perhaps the heart of this security scanning technology, but at the same time, it is the hardest to evaluate. The vulnerability database must, above all things, be up to date, but an evaluation suite would have to be constantly updated, as well, to remain relevant.
* The ability to preprocess source code is important for C/C++ analyzers because it lets the analyzer see the same code that will be seen by the compiler. Without this capability, there are numerous ways to deceive the analyzer. Many analyzers use heuristics to approximate the functionality of a preprocessor.
* Lexical analysis is the process of breaking a program into tokens prior to parsing. Lexical analysis is necessary to reliably distinguish variables from functions and to identify function arguments. These functions can also be performed with heuristics-at the cost of some reliability, however. These are some of the key benefits of using such tools.
Leading Source Code Review Tools Flawfinder
Flawfinder is very a simple tool among the source code review tools that examine C/C++ source code specifically and reports possible security weaknesses (“flaws”) which are also rated or sorted by the risk level of those weaknesses. Developers of this tool recommend it as very useful for quickly finding and removing at least some potential security problems before a program is widely released.
Vendor link: http://www.dwheeler.com/flawfinder/.
IBM Rational Software Analyzer
This is a commercial tool by industry experts that runs a static analysis to perform code reviews. You can run tools to run the different analyses with rules and it also provides quick fixes of the problems it finds in the code. To understand more about this tool, you can read this paper written by IBM which is available at the below link.
Vendor link: http://www.ibm.com/developerworks/rational/library/08/0429_gutz1/#toggle.
A commercial tool to perform code reviews to detect security flaws and omissions more quickly and at a lower cost via automation. Covers flaw detection including SQL Injections, cross-site scripting (XSS), buffer overflows and unhandled error conditions, and potential back doors in the software code.
Vendor link: http://www.veracode.com/products/binary-static-analysis-sast.
Secure Coding Validation Suite by CERT
Developed by CERT to validate rules defined in ISO/IEC TS 17961. These tests are based on examples in their technical specification. It’s a suite, which includes tools that allow vendors to use these tests with an analyzer, interpreter, or compiler along with the script driver it has.
Vendor link: http://www.cert.org/secure-coding/tools/validation-suite.cfm.
This is one of the best tools in performing source code review for .NET applications, as it is obvious that the vendor itself provides it. It is a binary code analysis tool that helps in identifying common variants of certain prevailing vulnerabilities that can give rise to common attacks. Basically, CAT.NET is a plugin to the Visual Studio IDE, which helps to identify security flaws within a managed code. It performs scanning over the binary and/or assembly code of the application. It also works on rule sets and the following rules are currently supported by the tool.
* Cross-Site Scripting
* SQL Injection
* Process Command Injection
* File Canonicalization
* Exception Information
* LDAP Injection
* XPATH Injection
* Redirection to User Controlled Site
Vendor link: http://www.microsoft.com/en-us/download/details.aspx?id=19968.
These are only a few tools that are available. Over the Internet, you will be able to find such types of tools that can provide source code review functionality, in both the domains of the commercial as well as open-source industry. For your ease and to give you a focus area to look for such tools, we have provided a link that lists most of these tools with links to their vendor’s page along with their types and areas of functionality.
Tools list: http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
In our next module, we will be using Flawfinder, which is an open-source tool for performing code reviews. Personally, I like it as it’s easy to use, lightweight for demonstrations, and Linux-based. Since I am a Linux user, I like things on Linux. Most of the software industry also uses Microsoft tools so it's worthwhile that we further present some more generic information about CAT.NET and more specifically highlight the functionality it performs.
Basically, Code Analysis Tool (CAT.NET) is a binary source code analysis tool that helps in identifying common security flaws in managed code. These vulnerabilities are listed in the below table.
This is to be considered and noted that whatever functionalities or information we have presented in this workshop for any of the tools by any of the vendors is solely for the purpose of education and it doesn’t confirm that these tools only have such features and is not a criticism of any of the tools or vendors listed or explained in this workshop.
Originally published at https://learncybersec.blogspot.com.