Securing Web Application Code at the Source
New technology from Coverity goes a step beyond best practices with a white box fuzzer and remediation advice for web application vulnerabilities.
SQL Injection is among the most common attack vectors against web applications. It's also an attack that can be mitigated with the right knowledge and skills.
That's the idea behind a new technology from static analysis vendor Coverity. The Coverity Development Testing for Web Application Security technology goes beyond Coverity's traditional static analysis tools. Coverity's core static analysis tools find common software flaws like null pointers and race conditions that can potentially lead to exploitation. The new web application security tool goes further, providing a white box fuzzer that can help developers find common web app vulnerabilities.
"What the white box fuzzer does is it validates data sanitization routines and it ensures that they are performing sanitization correctly for the context in which they are used," Andy Chou, CTO of Coverity, told eSecurityPlanet.
Static analysis is sometimes referred to as 'black box' testing, while 'white box' refers to dynamic analysis of running code. Fuzzing is a technique that injects random code into an application in an effort to find vulnerabilities.
With SQL Injection and other types of injection attacks, the root cause is often a lack of input sanitization. Sanitization provides input checks to ensure the validity of the incoming query and the data set.
Simply doing the check isn't enough, as a developer would still be on the hook to actually figure out how to implement the fix. To solve that problem, Coverity has included remediation advice.
"Developers aren't security experts and they don't understand how to fix problems, even if they understand the problem," Chou said. "So we give them very actionable advice, so they know where the problem is in the code as well as how to fix the problem properly."
For example, with a SQL Injection vulnerability, fixing the problem in the source code often depends on the context. Chou noted that in general, the best practice when it comes to mitigating SQL Injection attacks is to change queries to prepared queries. With prepared queries, a SQL statement is specifically defined, which can limit the risk from random queries. Chou stressed that his company's new tool is going a step further by visually showing developers where the SQL statement is in their code and how they should actually go about changing it within the context of the application.
Coverity has been performing static analysis for years, including a high-visibility project originally sponsored by the U.S. Department of Homeland Security (DHS). In that effort, which debuted in 2006 and has continued ever since, open source projects are scanned for software defects in an effort to improve overall code quality.
As opposed to static analysis, the new web application effort is focused exclusively on web applications. Chou explained that the line between applications and what Coverity defines as web applications is a bit blurry. In his view, web applications are applications that use web application technologies and architectures, including items such as Java servlets, Spring and other components that are used to process web based requests and responses.
When it comes to web applications, code quality and security issues don't overlap as much, according to Chou. For example, for embedded software development, a buffer overflow condition can be both a software quality issue as well as a security problem. In contrast, web application flaws like Cross Site Scripting (XSS) is not a quality problem, according to Cho, though it is a security problem.
"The distinction is, however, fairly arbitrary," Chou said. "Really, they are all about software defects and they all converge in that sense."
Sean Michael Kerner is a senior editor at eSecurityPlanetInternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals Follow him on Twitter @TechJournalist.