In recent months, there has been a push to adopt software development best practices that result in more secure applications. As Martin Zinaich, information security officer for the City of Tampa and a member of the Wisegate network of expert IT professionals, told eSecurity Planet a few months ago: “When secure code practices are not part of development, you end up with data breaches, a large percentage of which are related to code issues.”
Static analysis tools, which check application code for possible security vulnerabilities and bugs without actually executing the code or using any data, make it easier to adhere to good development practices. They examine all possible execution paths for all data values and look for inconsistencies.
Static analysis is particularly useful because it can be carried out on software code before an application is actually completed. It can be used to try to eliminate all bugs or – more often – to help developers eliminate certain classes of security bugs before code is put into production, effectively establishing a bug bar that has to be surmounted.
These tools are also useful for examining code after a new build or update to ensure that no bugs have been introduced in the release, and to carry out a baseline analysis of completed code to get a better understanding of risk.
The types of issues that static analysis can reveal include buffer overflows, class hierarchy inconsistencies, control flow issues, cross-site scripting (XSS) errors, cross-site request forgery (CSRF) errors, deadlocks, integer overflows, race conditions, SQL injection errors and incorrect expressions.
Most static analysis tools examine source code written in particular languages such as Java, C, or C++. A few vendors such as Veracode also offer tools that can analyze executable compiled binaries. “This can be useful for scanning third-party software which you may want to use, but which you don’t have access to the source code,” explained Chris Wysopal, chief technology officer at Veracode. “The alternatives are getting access to the source code, or (for detecting security issues) carrying out manual penetration testing.”
In some organizations the ability to carry out static analysis on binaries is also useful because it can be easier to access the binaries (on an application server, for example) than to get the source code from the original developers – even if they are in-house.
One problem with static analysis tools is that they tend to highlight large numbers of potential problems, some of which are real and some of which are false positives. It can be a hugely time consuming job to go through the results to establish which potential problems need attention, and how they can be fixed. Even using relatively mature tools, false positive rates are commonly as high as 10 percent.
Static Analysis in the Cloud
Static analysis tools can often be integrated into development environments such as Microsoft Visual Studio or Eclipse, or, increasingly, they can be offered as a service from the cloud. Where they are integrated with the development environment they can be used at any point during development, in the same way that a spell checker can be run at any point during a document’s creation. Most static analysis takes a matter of minutes, so a tool can be set to run while a developer goes to fetch a cup of coffee or a can of Jolt.
The drawback of a cloud-based service is that to use them you have to send your source code or unreleased binaries out of your organization to a third party – something that you may be unwilling to do. However, like most cloud services, these worries can often be addressed by encrypting the software and ensuring the cloud provider has rigorous security measures in place.
The benefit of a cloud service, according to Wysopal, is that you also get access to the expertise of the cloud provider running the test. “Using our product, for example, if a developer doesn’t know how to fix a problem that has been highlighted they can press a button for on-demand expertise.”
Static analysis can be a powerful tool for spotting many security bugs, including most of the OWASP Top 10, but there are certain types of tasks for which it is not useful. “These tools are not good at finding authorization issues, for example,” Wysopal said. “For that, you may need to do manual testing.”
Although static analysis is most commonly used to detect security vulnerabilities, some special static analysis tools such as Contemplate’s ThreadSafe are designed to detect specific non-security related bugs like race conditions caused by concurrency bugs. This type of bug can be extremely difficult to detect and locate since they reveal themselves in tests only rarely, and they are usually not repeatable because of their non-deterministic nature.
“Concurrency bugs are the hardest type to find, so we will find more of them, but we won’t find other types of bugs,” said Contemplate’s Chief Technology officer Don Sannella.
Static Analysis Buying Criteria
Supported languages: Do you need a product which supports just one language such as Java, or do you need one which supports a wide range of languages?
Binary scanning support: Do you have easy access to the source code of the applications you will be analyzing? If not, then consider a tool which supports binary scanning.
Platform: Do you want a development environment-based solution or a cloud-based solution? If your source code or unreleased binaries are particularly valuable, you may wish to avoid a cloud-based solution. If you have little expertise with these tools, then conversely a cloud-based solution may make sense.
Goal of static analysis: If you are hoping to eliminate security vulnerabilities such as buffer overruns and SQL injection issues, a general static analysis tool is ideal. Separate tools that hunt for more specific types of bugs are also available, but they are not as suitable for more general bug hunting duties.
Static Analysis Vendors
Contemplate ThreadSafe? Supported code languages: Java
HP Fortify Static Code Analyzer? Supported code languages: 21 development languages
IBM Rational Software Analyzer? Supported code languages: Java, C++
Parasoft Test? Supported code languages: C, C++, Java, and .NET languages
Veracode? Veracode’s cloud-based service supports scanning of compiled binaries, as well as code languages including: C, C++, Java, .NET bytecode, PHP, ColdFusion, Ruby on Rails, Windows Mobile, BlackBerry, Android, and iOS
Open Source Static Analysis Tools
Clang Static Analyzer Supported code languages: C, C++, and Objective-C
FindBugs Supported code languages: Java
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.