2. Security is Requirement
Testing code against common security risks to ensure quality before release (before attackers get access)
Helps implement best practices and prioritize the risks
Also called white box testing or source code review
4. Types
Static
Analyzes the code before it runs
Automated by tools (can also analyze binary code or bytecode, but with limitations)
Also includes code review by senior developers and professionals
Finds risks like business logic, exception handling and NULL issues
Dynamic
Analyzes the application behavior during the run phase
Automated by tools
Used when there is no code access or knowledge
Finds risks like XSS, injection or configuration issues
Better to go with both types (defense in depth)
5. Development Process
Study past security errors and prevent them from happening in the future
All portions of the program must be secure
Still needs best practices, training and skills
Whitelist vs. blacklist validation
Good design and good implementation need each other
Manual code review is very important, including configuration analysis
6. Tools
The information security department focuses on dynamic analysis tools for pen testing
The development department focuses on static analysis tools and sometimes also on dynamic analysis tools
In most cases, static analysis tools are integrated with the IDE
Tools have rules to validate the code, like searching for user inputs such as Request[] or searching for injection such as SqlCommand in code …
Remember, running tools doesn’t make the application secure
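To show the kind of rule such a tool applies, here is an added example (not code from the slides or from any of the tools listed): a toy Python rule that scans a constructed C# snippet for values read from Request[] that flow, by string concatenation, into the command text of a SqlCommand. Real tools work on a parsed syntax tree rather than regular expressions; this only illustrates the source-to-sink idea.

```python
import re

# Constructed C# sample (not from any real project): cmd1 builds its query
# by concatenating request input, cmd2 uses a parameterized query.
SAMPLE_CS = """
string user = Request["user"];
string id = Request.QueryString["id"];
var cmd1 = new SqlCommand("SELECT * FROM Users WHERE Name='" + user + "'", conn);
var cmd2 = new SqlCommand("SELECT * FROM Users WHERE Id=@id", conn);
cmd2.Parameters.AddWithValue("@id", id);
"""

# Source rule: a variable assigned from Request[...] or Request.<Collection>[...]
TAINT_SOURCE = re.compile(r'(\w+)\s*=\s*Request(?:\.\w+)?\s*\[')
# Sink rule: the argument list of a SqlCommand constructor
SINK = re.compile(r'new\s+SqlCommand\s*\((.*)\)')


def find_sql_injection_candidates(source: str):
    """Return (line_no, line) for each SqlCommand whose command text
    concatenates a variable that was assigned from Request[]."""
    tainted = set()
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        src = TAINT_SOURCE.search(line)
        if src:
            tainted.add(src.group(1))
        sink = SINK.search(line)
        if not sink:
            continue
        arg = sink.group(1)
        for var in tainted:
            # tainted variable joined into the command text with "+"
            if re.search(r'\+\s*' + re.escape(var) + r'\b', arg) or \
               re.search(r'\b' + re.escape(var) + r'\s*\+', arg):
                findings.append((no, line.strip()))
                break
    return findings


if __name__ == "__main__":
    for line_no, text in find_sql_injection_candidates(SAMPLE_CS):
        print(f"line {line_no}: possible SQL injection: {text}")
```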
8. Tools
Static analysis tools categories
Type checking
Style checking (whitespace, naming, program structure …)
Program understanding (find all uses of this method or variable …)
Program verification and Property checking (check against rules and specifications)
Bug finding
Security review
9. Tools
Commercial/free
Open source
Support Development Standards and Compliance (PCI , ISO …)
Based on programming Languages
Examples
https://sourceforge.net/projects/visualcodegrepp/
https://sourceforge.net/projects/agnitiotool/
https://www.microsoft.com/en-us/download/details.aspx?id=6544
https://www.microsoft.com/en-us/download/details.aspx?id=19968
http://www8.hp.com/us/en/software-solutions/application-security/index.html
https://www.checkmarx.com/
https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html (list)
10. Demo 01 – Visual Studio Code Analysis
Identify potential issues based on Microsoft’s rules and best practices
http://nugetmusthaves.com/Tag/CodeAnalysis
http://fxcopaspnetsecurity.codeplex.com/
https://blogs.msdn.microsoft.com/hkamel/2013/10/24/visual-studio-2013-static-code-analysis-in-depth-what-when-and-how/
11. Demo 02 – WCSA
To analyze the web.config
https://code.google.com/archive/p/wcsa/downloads