Security Verification is a process through which Code can be analyzed. However, as prerequisite it needs to be addressed with due consideration of What the application is and the business operation that it supports. The main reason for this is that it would be very difficult to prioritize and address the weaknesses. The threat modeling is an important tool and along with the threat model a security review would be an indispensable tool in identifying the root cause of vulnerabilities – CODE.
Based on the prioritized functions and possible attack vectors – For example - Protocol Errors may be a potential area for Input validation problems. Based on the preliminary build, it is possible for a preliminary scan of the code base. This should provide a base input that can again be cleaned up to remove unwanted areas to concentrate the efforts and to move to areas of potential weaknesses. The easiest way to achieve this is to use a Static Code Analyzer, a lot of tools are available both open source and proprietary that can look for common coding errors, design flaws or other areas that we can configure the tool to achieve.
One of the important use of the tool is to find issues with the process. If we find areas of concern specific to a vulnerability we can check it against the process followed. It is immaterial what language is used but provides a major input as to the nature of the code base.
The static analysis tools major input in addition to the coding weaknesses is that it drills down to the area of weaknesses, whether the problem is at the design stage or at the earlier stage. If a vulnerability is found – for example, an update is automatically pushed without verifying the source, this can considered a major weakness that is not in the code but in the specifications , which did not specify that the update needs to be taken from a source that is trusted or from a data source that is signed.
The metrics generated by such tool is also an valuable input as it is useful in tracking the performance over time. Time series analysis provides inputs as to the number of vulnerabilities to lines of code and this ratio is important to understand the maturity of the coding process.
Based on the prioritized functions and possible attack vectors – For example - Protocol Errors may be a potential area for Input validation problems. Based on the preliminary build, it is possible for a preliminary scan of the code base. This should provide a base input that can again be cleaned up to remove unwanted areas to concentrate the efforts and to move to areas of potential weaknesses. The easiest way to achieve this is to use a Static Code Analyzer, a lot of tools are available both open source and proprietary that can look for common coding errors, design flaws or other areas that we can configure the tool to achieve.
One of the important use of the tool is to find issues with the process. If we find areas of concern specific to a vulnerability we can check it against the process followed. It is immaterial what language is used but provides a major input as to the nature of the code base.
The static analysis tools major input in addition to the coding weaknesses is that it drills down to the area of weaknesses, whether the problem is at the design stage or at the earlier stage. If a vulnerability is found – for example, an update is automatically pushed without verifying the source, this can considered a major weakness that is not in the code but in the specifications , which did not specify that the update needs to be taken from a source that is trusted or from a data source that is signed.
The metrics generated by such tool is also an valuable input as it is useful in tracking the performance over time. Time series analysis provides inputs as to the number of vulnerabilities to lines of code and this ratio is important to understand the maturity of the coding process.
Comments