TECHGUIDE
Application Security
WEB APPLICATION
THREATS
(XSS) remain among the most targeted; however, security experts say new technologies like HTML 5 come with their own set of dangerous vulnerabilities.
According to a report by Richardson, Texas-based secure cloud hosting firm FireHost Inc., SQL injection attacks rose 69% between the first two quarters of 2012. SQL injection occurs when an attacker enters malicious code into a Web form input box to gain access to resources or make changes to data.
"SQL injection is by far the biggest [issue], for instances and data lost," said Jeremiah Grossman, founder and chief technical officer at WhiteHat Security in Santa Clara, Calif.
In the WhiteHat Security Website Statistics Report for summer 2012, SQL injection had an 11% likelihood of appearing in a website at least once. This number put SQL injection in eighth place for vulnerability prevalence.
Claiming the top spot for prevalence was XSS, with a 55% likelihood of at least one security vulnerability on a website. XSS occurs when an attacker inserts malicious coding into a link that appears to be from a trustworthy source. By clicking the link, the user unleashes the embedded programming, which is submitted as part of the client's Web request and can execute on the user's computer, often allowing the attacker to steal information.
Security experts said other vulnerabilities, less prevalent and less dangerous than the top issues, still pose a threat. Joe Basirico, vice president of application security services at Wilmington, Mass.-based Security Innovation, said authorization issues, when users can access information above their authorization level, are a growing concern. Grossman pointed to business logic flaws, when two security steps clash and end up creating a vulnerability, as a problem.
Inc., said the emphasis HTML 5 has on the client side continues to make attacking from the user perspective easy for cybercriminals. New technology like
But, she added, security falls apart in practice when application creators realize they have to spend more time and money on the product before it can be released.
Moyle said that when an enterprise IT security team addresses security for Web apps, the money and focus are often at the network level. The company will spend money on applications but not specifically on the security of those applications.
Some experts have found a general lack of security people in the industry.
"There's no one around to do the job," Grossman said. He added that many SQL injection and XSS attacks are targeting legacy code because old code has weaknesses left out of newer versions.
tion attacks. With parameterized statements, Grossman said only specific entries would be accepted in a Web form input box, based on the restrictions put in place by developers. In an example, he said a good statement would be "My name is Jeremiah" while "My name is Jeremiah;" would be rejected. Because punctuation is not accepted, this prevents attackers from entering code into an input box.
For XSS, Grossman named context-aware output encoding as a good defense. Input validation is another step that can be used in securing Web applications against both XSS and SQLi.
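As an added example (not code from the article or from any company quoted in it), the three defenses just described in Python's standard library: a placeholder-bound query beside the string-built query it replaces, an allow-list check that accepts "My name is Jeremiah" and rejects the version ending in a semicolon, and output encoding chosen per context, covering both an HTML body and a URL parameter. The users table, the names in it and the page template are constructed for the example.

```python
import html
import re
import sqlite3
import urllib.parse


def make_db():
    """Constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Jeremiah", "admin"), ("O'Brien", "user")])
    return conn


def lookup_concatenated(conn, name):
    """String-built query: whatever the user typed is parsed as SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        # The apostrophe in O'Brien ended the string literal early: the input
        # changed the statement's structure, which is the root cause of SQLi.
        return None


def lookup_parameterized(conn, name):
    """Placeholder binding: the value travels as data and cannot alter the SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Allow-list in the spirit of Grossman's example: letters and spaces only,
# so "My name is Jeremiah" passes and "My name is Jeremiah;" does not.
NAME_RE = re.compile(r"[A-Za-z ]{1,64}")


def validate_name(value):
    return NAME_RE.fullmatch(value) is not None


def encode_for_html_body(value):
    """Encoder for text placed between HTML tags."""
    return html.escape(value, quote=True)


def encode_for_url_param(value):
    """Encoder for a value inside a query string; HTML escaping is wrong here."""
    return urllib.parse.quote(value, safe="")


def render_greeting(name):
    """Context-aware output encoding: one value, two contexts, one encoder each."""
    return ('<p>Hello, %s</p><a href="/profile?name=%s">profile</a>'
            % (encode_for_html_body(name), encode_for_url_param(name)))
```

A legitimate name containing an apostrophe is enough to show the difference: the concatenated query fails because the input became syntax, while the bound query returns the row.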
it and write extra code for security measures like input validation will only happen if it is mandated by executives, said SecurityCurve's Kelley. Software developers are hired to do a job, she said, and if those who employ them emphasize expediency and the experience of writing a Web application, then the final product will reflect that. Instead, Kelley said executives should give clear instructions on what security measures they want implemented.
When security is considered throughout the Web application creation process, it can ultimately save time and money, although it does not seem that way at the time, Kelley said. There have been instances at the end of the development process when an auditor has said that the Web application does not meet certain requirements. The auditor stops production, making the development team go back and fix problems. Under these circumstances, Kelley said production could be delayed up to a week, where if the proper security steps had been taken initially, it would have only been a day or two.
Ultimately, Kelley said executives need to decide what is important to the final product. If security is important, then an enterprise needs to take every step to protect its Web application.
CLOUD-BASED ANALYSIS TOOLS
AN INCREASING NUMBER
velopment tools such as static code analysis. Cloud-based static code analysis tools offer organizations convenience and cost-savings, but their effectiveness
tional functionality of reviewing code for security issues and you rely on a third-party vendor to take your code and scan it in the cloud for you, said Frank Kim, principal at security consulting firm ThinkSec and curriculum lead for application security at the SANS Institute. With the SaaS model, organizations upload executables to the vendor, he said.
According to Ed Adams, president and CEO, Security Innovation Inc., a Wilmington, Mass.-based firm that provides software security training and assessment services, market demand for application security has breathed new life into static analysis. "Every day, we're analyzing some piece of software or recommending how organizations can improve their software development lifecycle, and a critical component to that is static analysis. And over the last couple of years we've seen a fair amount of movement from desktop [tools] to an automated service," he said.
Using cloud-based tools relieves the security team from some of the burden associated with static analysis. "A big hurdle with any application security process or tool is getting the expertise in-house to maintain that capability. Getting the infrastructure up and running, evaluating results, false positives, an expert has to read through all of that. If you can offload some of that intensive labor stuff, then you can direct resources into more valuable areas," Kim said.
Because cloud services eliminate capital expenditures, cloud-based static code analysis tools also offer more flexibility. "The different vendors have different capabilities depending on the language and nature of the application," said Kim. It might behoove you, if you are a large organization and you have apps written in different languages and platforms, to
A cloud-based tool is worthless if developers are not applying the results.
Adams said his company chooses a tool based on its strengths for a given project. It may lease a tool for a month, use it as much as needed and then turn it off. "That's really the beauty of cloud provisioning: You turn it on when you need it, and you turn it off when you don't, as opposed to a desktop tool where you pay for a licensing fee whether or not you're using it," he said.
ment is critical. Like anything else, it turns into shelfware if you don't have the process and people to support it internally. You need a sustainable software security initiative already in place. You need the appropriate people and processes lined up to make sure they can take full advantage of it, Kim said.
The cloud brings with it security concerns, and that is no different for cloud-based static code analysis. When you have a product behind your firewall, on desktops, you don't have to worry about sending sensitive data outside your firewalled network. If you're using a cloud
STATIC CODE ANALYSIS
Indian companies are increasingly realizing that identifying and fixing bugs and issues in software right at the outset, in the coding phase itself, is exponentially cheaper than patching a live production environment; an acknowledgment that is resulting in static code analysis tools making their presence felt in the Indian market.
While black-box or dynamic testing tools and methods help identify issues in a live runtime environment, they have no way of examining the source code to pinpoint the lines or sections of code that are causing the problem. That's where static analysis tools, which help determine defects and vulnerabilities within the software code but without executing that code, come into the picture. Both types of analysis are required to ensure robust application security.
tion with most vendors amalgamating both these functionalities into their tools.
Static analysis tools are generally procured by companies that are involved in software development, given that they already have the source code available on hand. "There is a very clear cost-benefit emerging since the process becomes a part of the development life cycle," said Mookhey. However, static analysis is also becoming relevant to companies planning to develop in-house software, either internally or by outsourcing.
According to Rohan Patil, manager for risk and security services at Vista Infosec, Indian firms today increasingly request both VA/PT and code review for in-house apps. While Indian companies might not always acquire the tools themselves, subscribing to static analysis as a managed service is gaining popularity. Patil said that Indian companies are amenable to sharing the source code as long as confidentiality is assured (under nondisclosure agreements and contractual clauses).
Most static analysis tools in the market cover just about all programming languages that one might use today. The USP for each then becomes the familiarity and comfort with the operator/vendor, and any unique features that sweeten the deal.
Further, with each static analysis tool, the extent and manner in which false positives (code wrongly tagged as a vulnerability) are identified and remediated differs. Given that many organizations today use customized frameworks and methods for coding, a significant amount of hand-holding is required for every static analyzer. As long as the coders stick to standard frameworks and methods of coding, it's possible to expect good results from a static analysis tool in the standard configuration.
The reporting/recommendation mechanism in static analysis tools also differs. While some may merely provide straight reports, others link to knowledge-base articles. Some may even offer concise recommendations on how to rewrite the code. Other features to consider when evaluating static code analysis tools include how well the solution integrates with the development platform/environment, the internal knowledge-base, and, of course, pricing.
Here's a brief look at some static analysis tools popular with Indian companies:
1. Checkmarx
Checkmarx is the tool of choice for many a security tester and owes this not only to its level of accuracy but also its capability to handle large chunks of code. Checkmarx supports a wide range of analyzed languages and has excellent false positive remediation.
Checkmarx comes with LDAP integration and role-based access and also
aged service.
2. Veracode
Veracode is a completely cloud-based solution. The code scan is done on Veracode servers; the code is received and scanned in binary format, ensuring it cannot be recompiled. Veracode is reputed to be highly accurate in its reports, with false positive remediation performed in its own environment. This static analysis tool also works with EXEs, DLLs and compiled code. A subscription to Veracode's service obtains access to the entire product suite online, with no local installation of software or hardware required.
One disadvantage with Veracode is that it cannot be used on the fly, as with a local static code analyzer in your development environment. Veracode makes good sense if you are looking for a service and don't have a very large app-sec environment.
pScan) offers both dynamic and static testing capabilities. AppScan has formidable bug finding and false positive remediation capabilities. The reporting console correlates the results of dynamic and static tests.
AppScan supports nearly all languages but demands a level of expertise, suffering from a steep learning curve, according to users. AppScan is known to integrate well with different development platforms and is a good bet if you are already subscribed to IBM's Rational application lifecycle management solutions, since this might net you significant discounts.
4. Armorize CodeSecure
Starting as a niche player, Armorize was originally an appliance-based solution but is offered today as on-premises licensed software. A Web-based solution is also available. Armorize's engine incorporates WAF and a malware alerting and monitoring service. User feedback indicates that Armorize's false positive mitigation is effective, albeit tricky, while the reports are crisp and legible. Armorize has a very strong focus on security and static code analysis of Web applications. According to industry sources, Armorize costs close to Rs 4 lakh ($7,000), a price point much below most of the leading solutions on the market today.
5. HP Fortify
Another leader in the static analysis tools space, Fortify was acquired by HP in 2010 and has since replaced HP's DevInspect static analysis product. Fortify offers innovative features such as runtime software protection for vulnerable sections of code and tools like a program trace analyzer that analyzes the logic flow to determine if additional controls are required.
Fortify integrates with most SLC platforms and offers the largest number of analyzed languages in the market today. The Fortify suite offers static and dynamic analysis and correlation features. Fortify is apparently the most expensive solution on the market; however, industry sources state that HP's pricing model is negotiable.