Benefits
Employing static analysis tools during testing can drastically reduce the number of bugs which often make their way to the blackbox testing phase. These tools can be executed very quickly, and the scanning is very easy to do before source code check-in.
While not often considered, one of the first things a hacker will attempt to do when compromising a system is to steal source code. Source code will allow the hacker to discover vulnerabilities in the application at the source level very quickly by using security scanning tools. This low hanging vulnerability should be eliminated before ship or it may open a large attack surface if the source is compromised. With the gaining prevalence of Java and .NET applications, decompilers also give the attacker a significant edge to discover vulnerabilities with source code scanners.
Scanning tools can help reduce development and testing costs because they catch problems early in the SDLC. Bugs are expensive to fix later in the lifecycle of software, and security vulnerabilities are infamous for being elusive. Source code scanners are great assets because they discover vulnerabilities that are difficult or time consuming to find by other means, including:
- Buffer overruns. These vulnerabilities are eye candy to intruders. They are often exploitable and may allow the intruder to take complete control over the system. Buffer overflow conditions are difficult to spot in manual code inspection because multiple conditions may be required to trigger the error.
- Least privileges. A process should always run with least privileges, ensuring that if the code is exploited the undesirable code is given limited power.
- Dangerous Functions Some system functions may open your application to possible security flaws; these should be examined and replaced with more secure functions (for instance, replace strcpy with strncpy).
- DACL Problems. A null DACL gives no protection and is a warning sign that an object being used by the application is not as secure as it should be.
- Canonicalization Problems. There are many different ways to represent a file, URL or device. An intruder may be able to gain access to a protected file by using alternate representations of the filename.
- Exception Handling. If an exception handler is not present, the application may terminate or to be left in an unpredictable state when problems occur.
- Format String Problems. Functions such as printf, scanf, sprintf, and others may open an application up for problems when user input is interpreted as the format string. This can lead to an exploitable vulnerability which may let attackers execute code remotely.
- Input Validation. A intruder may be able to cause complete system compromise if improper input exposes a buffer overrun or format string bug.
- Ignored Return Values. Ignoring return values can result in a variety of reliability and security bugs that can be quite hard to debug and reproduce.
- Package Insertion. Package insertion can allow un-trusted code to run in the context of a trusted Java application and may therefore spoof or otherwise attack the user.
- SQL Injection. SQL injection is a technique used by hackers to probe databases, bypass authorization, execute multiple SQL statements and call built-in stored procedures.
Each of these vulnerabilities must be scanned for and discovered. These are some of the most popular vulnerability types for hackers to attack.
