
TECHGUIDE
Application Security

A global look at application security threats and tools

- Little Being Done to Prevent Web Application Threats
- Pros and Cons of Cloud-Based Static Code Analysis Tools
- Static Code Analysis Tools Gain Traction in India

WEB APPLICATION THREATS

Little Being Done to Prevent Web Application Threats
Security analysts say that with a little extra time and care, Web applications could be more secure. BY MORIAH SARGENT

WEB APPLICATION SECURITY threat stalwarts SQL injection and cross-site scripting (XSS) remain among the most targeted; however, security experts say new technologies like HTML 5 come with their own set of dangerous vulnerabilities.

According to a report by Richardson, Texas-based secure cloud hosting firm FireHost Inc., SQL injection attacks rose 69% between the first two quarters of 2012. SQL injection occurs when an attacker enters malicious code into a Web form input box to gain access to resources or make changes to data.

"SQL injection is by far the biggest [issue], for instances and data lost," said Jeremiah Grossman, founder and chief technical officer at WhiteHat Security in Santa Clara, Calif.

In the WhiteHat Security Website Statistics Report for summer 2012, SQL injection had an 11% likelihood of appearing in a website at least once. This number put SQL injection in eighth place for vulnerability prevalence.

Claiming the top spot for prevalence was XSS, with a 55% likelihood of at least one security vulnerability on a website. XSS occurs when an attacker inserts malicious coding into a link that appears to be from a trustworthy source. By clicking the link, the user unleashes the embedded programming, which is submitted as part of the client's Web request and can execute on the user's computer, often allowing the attacker to steal information.

Security experts said other vulnerabilities, less prevalent and less dangerous than the top issues, still pose a threat. Joe Basirico, vice president of application security services at Wilmington, Mass.-based Security Innovation, said authorization issues, when users can access information above their authorization level, are a growing concern. Grossman pointed to business logic flaws, when two security steps clash and end up creating a vulnerability, as a problem.

HTML 5 A GROWING TARGET

The newest version of the standard programming language of Web pages, HTML 5 seeks to make Web applications and documents equal on every type of browser. But the emerging technology poses new dangers.

Ed Moyle, senior security strategist at Town & Country, Mo.-based Savvis Inc., said the emphasis HTML 5 has on the client side continues to make attacking from the user perspective easy for cybercriminals. New technology like HTML 5 is dangerous because threats are harder to find and harder for developers to fix, he said.

"When you shake things up and start to introduce technologies like cloud, HTML 5...you introduce new complexities," Moyle said.

Moyle added that in terms of cases of attacks, HTML 5 is lagging because cybercriminals are sticking to the older, more widely deployed programming languages such as Java.

Newness may be the issue with the lack of protection for HTML 5, but that is not a reason for SQL injection and XSS attacks, which have been around for more than a decade. Security experts said security is not a top priority when creating a Web application. Instead, the emphasis is on speed, functionality and overall experience, said Diana Kelley, founder of consulting and research firm SecurityCurve in Amherst, N.H.

"We hear a lot about [security]. It gets a lot of press and ink," Kelley said.

But, she added, security falls apart in practice when application creators realize they have to spend more time and money on the product before it can be released.

Moyle said that when an enterprise IT security team addresses security for Web apps, the money and focus are often at the network level. The company will spend money on applications but not specifically on the security of those applications.


LACK OF SECURITY-AWARE PROGRAMMERS

Some experts have found a general lack of security people in the industry. "There's no one around to do the job," Grossman said. He added that many SQL injection and XSS attacks are targeting legacy code because old code has weaknesses left out of newer versions.

"There's 15 years' worth of insecure Web code we need to clean up," Grossman said. Still, he said that while flaws in new code can be avoided, these steps are sometimes skipped in the creation of an application.

Grossman and other security analysts named parameterized SQL statements as one of the best ways to mitigate SQL injection attacks. With parameterized statements, Grossman said, only specific entries would be accepted in a Web form input box, based on the restrictions put in place by developers. In an example, he said a good statement would be "My name is Jeremiah" while "My name is Jeremiah;" would be rejected. Because punctuation is not accepted, this prevents attackers from entering code into an input box.

For XSS, Grossman named context-aware output encoding as a good defense. Input validation is another step that can be used in securing Web applications against both XSS and SQLi.
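The three defenses named above, parameterized SQL statements, input validation and context-aware output encoding, shown side by side in an added example. This is not code from the guide or from WhiteHat Security; it uses Python's standard-library sqlite3 module with a constructed in-memory users table, and the name allow-list, the three encoders and the probe inputs are my own assumptions about a typical form field, not anything the article specifies.

```python
"""Parameterized SQL, an input allow-list and context-aware output encoding.
Added example, not code from the guide or from any firm quoted in it.
The users table and its rows are constructed sample data."""
import html
import json
import re
import sqlite3
import urllib.parse


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Jeremiah", "jeremiah@example.test"),
         ("Diana", "diana@example.test")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the form value is spliced into the SQL text, so a
    quote or semicolon in it changes the shape of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is bound to the ? placeholder and is only
    ever compared as data, whatever punctuation it carries."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Input validation: an allow-list for a name field (assumed policy).
# Letters, spaces, apostrophes and hyphens only, so "My name is Jeremiah"
# passes and "My name is Jeremiah;" is rejected before it reaches the
# database. Validation complements binding; it does not replace it.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '\-]{0,63}")


def valid_name(value: str) -> bool:
    return NAME_RE.fullmatch(value) is not None


# Context-aware output encoding: the same value needs a different encoder
# depending on where in the page it lands.
def encode_for_html(value: str) -> str:
    """Between tags or inside a quoted attribute: escape & < > " '."""
    return html.escape(value, quote=True)


def encode_for_url_param(value: str) -> str:
    """Inside a URL query string: percent-encode everything but unreserved."""
    return urllib.parse.quote(value, safe="")


def encode_for_js_string(value: str) -> str:
    """Inside a <script> block as a JS string literal: JSON-quote it and
    also escape angle brackets so a literal </script> cannot close the block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_profile(name: str) -> str:
    """Assemble a fragment that places the same value in three contexts."""
    return (
        "<p>Hello, " + encode_for_html(name) + "</p>\n"
        + '<a href="/search?q=' + encode_for_url_param(name) + '">search</a>\n'
        + "<script>var who = " + encode_for_js_string(name) + ";</script>"
    )


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 'a'='a"  # constructed input carrying SQL punctuation
    print("concatenated:", lookup_concatenated(db, probe))    # every row
    print("parameterized:", lookup_parameterized(db, probe))  # no rows
    print(valid_name("My name is Jeremiah"), valid_name("My name is Jeremiah;"))
    print(render_profile("<b>Jeremiah</b>"))
```

Running it shows the contrast the article is after: the concatenated lookup lets the punctuation in the probe value rewrite the WHERE clause and returns every row, while the bound parameter compares the whole value as data and returns nothing. The allow-list stops the semicolon case at the edge, and each encoder matches exactly one output context, which is what makes the encoding context-aware rather than a single escape applied everywhere.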


When creating a Web application, Grossman said it is important to have security in every step of the process. He identified three roles that need to be filled to address security throughout the life of a Web application. Builders begin the process by creating secure code, breakers then come in to test and find security threats, and defenders are operationally focused, watching for attacks once a Web application has been launched.

Experts agreed that security specifics need to come from company executives. Taking time to write code properly, check it and write extra code for security measures like input validation will only happen if it is mandated by executives, said SecurityCurve's Kelley. Software developers are hired to do a job, she said, and if those who employ them emphasize expediency and the experience of writing a Web application, then the final product will reflect that. Instead, Kelley said executives should give clear instructions on what security measures they want implemented.

When security is considered throughout the Web application creation process, it can ultimately save time and money, although it initially does not seem that way at the time, Kelley said. There have been instances at the end of the development process when an auditor has said that the Web application does not meet certain requirements. The auditor stops production, making the development team go back and fix problems. Under these circumstances, Kelley said production could be delayed up to a week, where if the proper security steps had been taken initially, it would have only been a day or two.

Ultimately, Kelley said executives need to decide what is important to the final product. If security is important, then an enterprise needs to take every step to protect its Web application.

CLOUD-BASED ANALYSIS TOOLS

Pros and Cons of Cloud-Based Static Code Analysis Tools
Using the cloud can streamline static code analysis but comes with challenges and risks. BY CRYSTAL BEDELL

AN INCREASING NUMBER of security functions are moving to the cloud, including development tools such as static code analysis. Cloud-based static code analysis tools offer organizations convenience and cost-savings, but their effectiveness still relies on the developers using them, experts say.

"Cloud-based static code analysis is essentially where you take the traditional functionality of reviewing code for security issues and you rely on a third-party vendor to take your code and scan it in the cloud for you," said Frank Kim, principal of security consulting firm ThinkSec and curriculum lead for application security at the SANS Institute. With the SaaS model, organizations upload executables to the vendor, he said.

According to Ed Adams, president and CEO, Security Innovation Inc., a Wilmington, Mass.-based firm that provides software security training and assessment services, market demand for application security has breathed new life into static analysis. "Every day, we're analyzing some piece of software or recommending how organizations can improve their software development lifecycle, and a critical component to that is static analysis. And over the last couple of years we've seen a fair amount of movement from desktop [tools] to an automated service," he said.

Using cloud-based tools relieves the security team from some of the burden associated with static analysis. "A big hurdle with any application security process or tool is getting the expertise in-house to maintain that capability. Getting the infrastructure up and running, evaluating results, false positives, an expert has to read through all of that. If you can offload some of that intensive labor stuff, then you can direct resources into more valuable areas," Kim said.

Because cloud services eliminate capital expenditures, cloud-based static code analysis tools also offer more flexibility. The different vendors have different capabilities depending on the language and nature of the application, said Kim. "It might behoove you, if you are a large organization and you have apps written in different languages and platforms, to test those different technologies with different cloud-based vendors because they may have different strengths based on where they come from historically."

Adams said his company chooses a tool based on its strengths for a given project. It may lease a tool for a month, use it as much as needed and then turn it off. "That's really the beauty of cloud provisioning: You turn it on when you need it, and you turn it off when you don't, as opposed to a desktop tool where you pay for a licensing fee whether or not you're using it," he said.

CLOUD-BASED STATIC CODE ANALYSIS CHALLENGES

However, a cloud-based tool is worthless if developers are not applying the results. "The tools do a good job flagging vulnerabilities, but they only do a rudimentary job on telling you how to fix them," Adams said. "They don't give secure coding guidance so that a developer can get ahead of the next time a scan is done to make sure the same vulnerability doesn't occur. That's the most expensive part, recurrence of the same vulnerability because the developer doesn't know how to develop securely."

Integrating static analysis into the SDLC is the biggest stumbling block, Adams said. "Ultimately, static analysis has to come back to and reside with the developer. A lot of organizations have a centralized security chain that runs static analysis as an audit as opposed to an integrated part of an SDLC. It's not a flaw, but it's a stumbling block to using static analysis successfully."

Kim agreed that the people and process aspect of secure software development is critical. "Like anything else, it turns into shelfware if you don't have the process and people to support it internally. You need a sustainable software security initiative already in place. You need the appropriate people and processes lined up to make sure they can take full advantage of it," Kim said.

CLOUD SECURITY RISKS

The cloud brings with it security concerns, and that is no different for cloud-based static code analysis. "When you have a product behind your firewall, on desktops, you don't have to worry about sending sensitive data outside your firewalled network. If you're using a cloud provider, you need assurance that the cloud provider has sufficient controls in place to protect your data throughout the lifecycle," Adams said.

Chris Wysopal, co-founder and CTO, Veracode, a Burlington, Mass.-based provider of cloud-based application security services, advises companies to ask service providers how their data is protected when it's in the cloud and to inquire about procedural controls as well as technical controls. Procedural controls include employee background checks, internal checks and balances, auditing, and the policies and processes around remediation, he said.

Adams said his organization requires assurances before they will begin using a new tool. "They've got to not just attest to it in writing; they've got to show it to me," he said. That means getting proof, in the way of code reviews and demonstrations, that the company is implementing security measures. "Once we get past that barrier then we can reap the benefits of scale, licensing. It's a great thing when you have what you need when you need it at less than the cost of the product," he added.

STATIC CODE ANALYSIS

Static Code Analysis Tools Gain Traction in India
Static analysis tools are gaining popularity with Indian companies as software development models and perspectives mature. BY VARUN HARAN

THE RELEVANCE OF static code testing to organizations today cannot be overstated. Indian companies are increasingly realizing that identifying and fixing bugs and issues in software right at the outset, in the coding phase itself, is exponentially cheaper than patching a live production environment; an acknowledgment that is resulting in static code analysis tools making their presence felt in the Indian market.

While black-box or dynamic testing tools and methods help identify issues in a live runtime environment, they have no way of examining the source code to pinpoint the lines or sections of code that are causing the problem. That's where static analysis tools, which help determine defects and vulnerabilities within the software code but without executing that code, come into the picture. Both types of analysis are required to ensure robust application security.

DYNAMIC AND STATIC SOFTWARE TESTING DOCTRINES

Black-box testing is considered by some to be more obscure than a static code review. "You will get much more bang for your buck from a code review tool than from a black-box tool," said K. K. Mookhey, founder and principal consultant at NII Consulting in India.

A multi-pronged approach is recommended for strong application security, said Mookhey. Tools available in the market today provide features supporting both dynamic and static testing, and there has been some amount of consolidation with most vendors amalgamating both these functionalities into their tools.

Static analysis tools are generally procured by companies that are involved in software development, given that they already have the source code available on hand. "There is a very clear cost-benefit emerging since the process becomes a part of the development life cycle," said Mookhey. However, static analysis is also becoming relevant to companies planning to develop in-house software, either internally or by outsourcing.


STATIC ANALYSIS TOOLS IN INDIA

According to Rohan Patil, manager for risk and security services at Vista Infosec, Indian firms today increasingly request both VA/PT and code review for in-house apps. While Indian companies might not always acquire the tools themselves, subscribing to static analysis as a managed service is gaining popularity. Patil said that Indian companies are amenable to sharing the source code as long as confidentiality is assured (under nondisclosure agreements and contractual clauses).

Most static analysis tools in the market cover just about all programming languages that one might use today. The USP for each then becomes the familiarity and comfort with the operator/vendor, and any unique features that sweeten the deal.

Further, with each static analysis tool, the extent and manner in which false positives (code wrongly tagged as a vulnerability) are identified and remediated differs. Given that many organizations today use customized frameworks and methods for coding, a significant amount of hand-holding is required for every static analyzer. As long as the coders stick to standard frameworks and methods of coding, it's possible to expect good results from a static analysis tool in the standard configuration.

The reporting/recommendation mechanism in static analysis tools also differs. While some may merely provide straight reports, others link to knowledge-base articles. Some may even offer concise recommendations on how to rewrite the code. Other features to consider when evaluating static code analysis tools include how well the solution integrates with the development platform/environment, the internal knowledge-base, and, of course, pricing.

Here's a brief look at some static analysis tools popular with Indian companies:

1. Checkmarx
Checkmarx is the tool of choice for many a security tester and owes this not only to its level of accuracy but also its capability to handle large chunks of code. Checkmarx supports a wide range of analyzed languages and has excellent false positive remediation. Checkmarx comes with LDAP integration and role-based access and also provides compliance coverage for PCI DSS and HIPAA. Priced between Rs. 8-13 lakh (around $25,000), Checkmarx also partners with security solutions providers who are authorized to provide it as a managed service.

2. Veracode
Veracode is a completely cloud-based solution. The code scan is done on Veracode servers, received and scanned in the binary format ensuring an inability to recompile the code. Veracode is reputed to be highly accurate in its reports, with false positive remediation performed in its own environment. This static analysis tool also works with EXEs, DLLs and compiled code. A subscription to Veracode's service obtains access to the entire product suite online, with no local installation of software or hardware required.

One disadvantage with Veracode is that it cannot be used on the fly, as with a local static code analyzer in your development environment. Veracode makes good sense if you are looking for a service and don't have a very large app-sec environment.

3. IBM Security AppScan
One of the most powerful static code analysis suites available in the market today, IBM's Security AppScan product family (formerly IBM Rational AppScan) offers both dynamic and static testing capabilities. AppScan has formidable bug finding and false positive remediation capabilities. The reporting console correlates the results of dynamic and static tests. AppScan supports nearly all languages but demands a level of expertise, suffering from a steep learning curve, according to users. AppScan is known to integrate well with different development platforms and is a good bet if you are already subscribed to IBM's Rational application lifecycle management solutions, since this might net you significant discounts.
4. Armorize CodeSecure
Starting as a niche player, Armorize was originally an appliance-based solution but is offered today as on-premises licensed software. A Web-based solution is also available. Armorize's engine incorporates WAF and a malware alerting and monitoring service. User feedback indicates that Armorize's false positive mitigation is effective, albeit tricky, while the reports are crisp and legible. Armorize has a very strong focus on security and static code analysis of Web applications. According to industry sources, Armorize costs close to Rs. 4 lakh ($7,000), a price point much below most of the leading solutions on the market today.

5. HP Fortify
Another leader in the static analysis tools space, Fortify was acquired by HP in 2010 and has since replaced HP's DevInspect static analysis product. Fortify offers innovative features such as runtime software protection for vulnerable sections of code and tools like program trace analyzer that analyzes the logic flow to determine if additional controls are required. Fortify integrates with most SDLC platforms and offers the largest number of analyzed languages in the market today. The Fortify suite offers static and dynamic analysis and correlation features. Fortify is apparently the most expensive solution on the market; however, industry sources state that HP's pricing model is negotiable.

ABOUT THE AUTHORS

Moriah Sargent reports on enterprise cybersecurity topics for SearchSecurity.com. Sargent is a student in the Northeastern University School of Journalism.

Crystal Bedell is a freelance technology writer specializing in information security, cloud computing and computer networking. She can be reached at cbedell@bedellcommunications.com.

Varun Haran contributes to SearchSecurity.in and SearchDataCenter.in. He holds a bachelor's degree in economics and a post graduate diploma in journalism from ACJ, Chennai.

This Technical Guide on application security is a SearchSecurity.com e-publication.

Eric Parizo, Senior Site Editor
Robert Westervelt, News Director
Marcia Savage, Site Editor
Kara Gattine, Senior Managing Editor
Linda Koury, Director of Online Design
Doug Olender, Vice President/Group Publisher, dolender@techtarget.com
Scott Kelly, Associate Publisher, skelly@techtarget.com

TechTarget, 275 Grove Street, Newton, MA 02466, www.techtarget.com

© 2012 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.
