Dr. Dobb's is part of the Informa Tech Division of Informa PLC


Whitebox Security Testing Using Code Scanning


Joe Basirico is a Security Analyst for Security Innovation. He can be contacted at [email protected].


Whitebox testing is notoriously difficult to do. Without automated code scanning tools, reviewing source code requires a keen eye, concentration, and an enormous amount of time to scan each line for security vulnerabilities. As intruders become more sophisticated at finding security vulnerabilities and writing exploit code, it becomes more necessary to take every precaution before shipping software. These precautions can range from security training throughout the security development lifecycle (SDLC) to using tools such as source code scanners and vulnerability scanners.

Last year, more vulnerabilities were reported in shipping software than in any previous year, according to CERT. Nearly 6000 new vulnerabilities surfaced in shipped software, and the state of the industry seems grim. Despite attempts by the larger and more proactive players in the industry, like Microsoft, IBM, HP and Cisco, to incorporate security in all phases of the SDLC, the number of reported vulnerabilities continues to increase. Where are the greatest weaknesses in software security? Were nearly 2000 more vulnerabilities discovered because security trainers did not transfer their knowledge properly? Or are hackers getting better at discovering these vulnerabilities? Do software corporations rely too much on perimeter defenses, such as firewalls, intrusion detection systems, deep packet inspectors and antivirus solutions? Is it just sheer complacency? Or is it really a combination of all of these things and more?

The final, and most important question, is one we can all think about and help answer: What can we do next to ensure that we ship fewer and fewer security vulnerabilities in the subsequent versions of our software?

The answer is to train every member of the team to think about security in all phases of the SDLC. From the moment the Project Managers are talking to customers and gathering requirements to the final shipping build and deployment, security must remain in focus. This is a difficult task to accomplish considering that most software teams are already stretched thin with more demands on their time than hours in the day. Tightened budgets for development and testing teams make purchasing new tools, even when legitimate, very difficult.

One tool that is invaluable in the development phase of the SDLC is the static analyzer. This tool can discover elusive programming errors before run time, when they become much more difficult to find. Static analysis tools can help you discover many logical and security errors in an application before compilation. When choosing static analysis tools, consider their benefits and limitations and the types of bugs they are good at finding.

Successes with Static Analysis Tools

Microsoft has learned how to make static analysis tools work to its advantage. Every major project at Microsoft goes through rigorous testing with static analysis tools. Microsoft employs these tools both at check-in time and at the final build. Each code modification is checked on the developer's computer and in the context of the complete solution before the nightly build. Microsoft has developed its own internal static analysis tools, called PREfix and PREfast. These tools have evolved over the years and are quite adept at identifying both security flaws and functional problems before build time. The ability to run static analysis on all of the Windows source code is a testament to how mature these tools have become.

NASA also requires that every code change to mission-critical applications go through static analysis. Every warning and suggestion the analyzer finds must be either fixed, or a comment must be added to the source code explaining why the warning or suggestion required no change to the code.
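As an added illustration (not from the article, and not the code of any tool it names), here is a minimal pattern-based source scanner in Python that flags unbounded C string calls and enforces the NASA-style rule just described: a warning is accepted only when the code carries a written justification. The `scan-ok:` comment marker, the rule table and the sample C source are all constructed for this example.

```python
import re
# Constructed rule table: unbounded C string calls that scanners flag, with the
# bounded replacement a reviewer would suggest.
RULES = {"gets": "fgets with a buffer size", "strcpy": "strncpy/strlcpy",
         "strcat": "strncat/strlcat", "sprintf": "snprintf"}
CALL_RE = re.compile(r"\b(" + "|".join(RULES) + r")\s*\(")
# NASA-style rule: a warning is silenced only by a justification comment on the
# same line or the line directly above; a bare "scan-ok:" with no reason fails.
SUPPRESS_RE = re.compile(r"//\s*scan-ok:\s*(\S.*)")

def scan(source):
    """Return (findings, suppressed); each entry is (line_no, call, text)."""
    findings, suppressed = [], []
    lines = source.splitlines()
    for i, line in enumerate(lines, start=1):
        code = line.split("//", 1)[0]  # calls named inside // comments are not flagged
        for m in CALL_RE.finditer(code):
            call = m.group(1)
            reason = SUPPRESS_RE.search(line) or (i > 1 and SUPPRESS_RE.search(lines[i - 2]))
            if reason:
                suppressed.append((i, call, reason.group(1).strip()))
            else:
                findings.append((i, call, "use " + RULES[call]))
    return findings, suppressed

def report(source):
    """Print a check-in style report; return the count of unresolved findings."""
    findings, suppressed = scan(source)
    for ln, call, fix in findings:
        print(f"line {ln}: unbounded {call}(): {fix}")
    for ln, call, why in suppressed:
        print(f"line {ln}: {call}() accepted: {why}")
    return len(findings)

# Constructed sample: two real findings, one justified suppression, one safe call.
SAMPLE = """\
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);                      /* unbounded copy */
}
void greet(char *dst2) {
    char buf[16];
    gets(buf);
    // scan-ok: source is a 2-byte literal and dst2 is at least 16 bytes by contract
    strcpy(dst2, "hi");
    snprintf(buf, sizeof buf, "%s", "x");  // bounded, not flagged
}
"""

if __name__ == "__main__":
    print("unresolved findings:", report(SAMPLE))
```

A real analyzer tracks data flow rather than matching names, but the gate is the same: a non-zero count of unresolved findings blocks the check-in.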

Most major software companies employ some form of static analysis tool; in fact, it is difficult to find an example where the exercise of these tools has not helped the software company deliver a more robust product at ship time. These tools can help discover obscure vulnerabilities in source code and ensure that a more secure application gets to the customer on time.
