Week 3

Security in any industry today is a major competitive advantage. Any attack on an organization can reduce its credibility, decrease profits, reduce productivity and cost a lot of money. Source code analysis means analyzing the application code for security flaws and vulnerabilities. The purpose of analyzing source code for security flaws is to find backdoors in the application that attackers may use to inject malicious code.

Until a few years ago the majority of applications were desktop based, which meant that an attacker needed access to the workstation before they could get at the application. However, with web applications becoming the norm and most applications exposing web-based APIs, analyzing source code for security flaws is more important than ever. The web opens up the application to a wider audience, making it a prime target for attacks.

Over the years a number of tools have existed for analyzing source code, but most have been inadequate. The main challenge for these tools remains detecting real problems rather than false positives that developers may spend a lot of time diagnosing. Another challenge for such tools is supporting a wide variety of development languages: Java, C#, C++, Python, Ruby, VB, iOS, PHP and JavaScript are only some of the languages the tools must support. Traditionally, the software development group finishes its coding and releases the application to QA, which runs security tests as part of its process. However, the real benefit of source analysis tools comes when they are used during the software development process itself. Some tools are starting to integrate right into the integrated development environment (IDE), running code analysis in real time and giving the developer feedback right away.
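To make the false-positive problem concrete, here is an added example (not code from any tool mentioned on this page) of two toy source analyzers written in Python. Both look for the same small set of dangerous sinks (eval, exec and os.system, a rule set chosen for illustration). The first is a grep-style text search, which also fires on mentions in comments and string literals; the second parses the code into an AST and reports only real call expressions, so a developer is not sent chasing findings that are not problems. The sample program being scanned is constructed inline.

```python
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Sinks this toy checker looks for (illustrative rule set, not any real tool's).
DANGEROUS_NAMES = {"eval", "exec"}
DANGEROUS_ATTRS = {("os", "system")}


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str


# Constructed sample program: two real uses of dangerous sinks (lines 8 and 11)
# plus two mentions in a comment (line 3) and a string literal (line 5) that a
# plain text search will also flag.
SAMPLE_SOURCE = '''\
import os

# eval() is disabled here by policy
def safe(x):
    return "eval(x) is not used"

def risky(cmd):
    return os.system(cmd)

def also_risky(expr):
    return eval(expr)
'''

_TEXT_PATTERN = re.compile(r"\b(eval|exec|os\.system)\s*\(")


def text_scan(source: str) -> list[Finding]:
    """Grep-style scan: matches the pattern anywhere in the text, including
    comments and string literals, so it produces false positives."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in _TEXT_PATTERN.finditer(line):
            findings.append(Finding(lineno, match.group(1)))
    return sorted(findings, key=lambda f: f.line)


def ast_scan(source: str) -> list[Finding]:
    """AST-based scan: reports only actual call expressions, so text inside
    comments and strings is never matched."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in DANGEROUS_NAMES:
            findings.append(Finding(node.lineno, func.id))
        elif (
            isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and (func.value.id, func.attr) in DANGEROUS_ATTRS
        ):
            findings.append(Finding(node.lineno, f"{func.value.id}.{func.attr}"))
    return sorted(findings, key=lambda f: f.line)


def false_positives(source: str) -> list[Finding]:
    """Findings the text scan reports that the AST scan does not confirm."""
    confirmed = set(ast_scan(source))
    return [f for f in text_scan(source) if f not in confirmed]


if __name__ == "__main__":
    for finding in text_scan(SAMPLE_SOURCE):
        print("text scan :", finding)
    for finding in ast_scan(SAMPLE_SOURCE):
        print("ast scan  :", finding)
    for finding in false_positives(SAMPLE_SOURCE):
        print("false pos :", finding)
```

Running it shows the text scan reporting four findings and the AST scan two; the two extra hits on lines 3 and 5 are exactly the noise a developer would waste time diagnosing. Real tools go much further (data-flow and taint tracking across functions and files), but the underlying trade-off between a cheap syntactic match and a semantically grounded one is the same.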

There are quite a few source code analysis tools out there and the following two in my opinion are the best of them.