AS ATTACKERS TARGET APPLICATION CODING ERRORS, ARE STATIC ANALYSIS TOOLS THE ANSWER?

Transcription

1 E-Guide AS ATTACKERS TARGET APPLICATION CODING ERRORS, ARE STATIC ANALYSIS TOOLS THE ANSWER? SearchSecurity

2 A pplication development teams often prioritize timely delivery of software above all other concerns including security. In order to ensure that you deliver highquality applications on time, without bugs, you need a security strategy that can be implemented without interrupting development. This expert e-guide discusses the pros and cons of static code analysis tools for application security, according to Tivo s director of security Adam Ely, Web application security expert Caleb Sima, and others. Ahead, we also reveal the 5 most common application security threats and provide links to expert resources on how to counter them. PAGE 2 OF 7

3 STATIC ANALYSIS TOOLS BOOST SECURITY, BUT INTEGRATION STILL AN ISSUE Every organization has its application development culture. Depending on the industry, one organization will work much harder to make sure applications are built securely, while for others speed is of the essence, and security is an afterthought. Once you educate people about security it comes down to implementation, said Adam Ely, director of security at digital video recorder software maker, Tivo Inc. For some software companies or consumer products companies, it can be more difficult to get these things in place. With attackers targeting application coding errors, security experts are pushing enterprises to emphasize a greater need for software security improvements. Static code analysis tools scan software source code and identify potential security vulnerabilities. Once errors are identified they can be fixed very early in the development lifecycle, eliminating vulnerabilities at production. Ramon Krikken, an analyst at the Burton Group sees a vendor landscape in flux. Tools are available from a variety of vendors and include Armorize PAGE 3 OF 7

4 Technologies Inc., Klocwork Inc., Coverity Inc., Fortify Software Inc. and Veracode Inc. Large vendors are also taking interest, Krikken said. IBM is integrating its acquisition of Ounce Labs to provide its customers code analysis capabilities. HP currently partners with Fortify. In the last couple of years there have been significant advances in the usability of the tools, Krikken said. People are at the point where they re still evaluating their processes and the tools. Like any technology, static analysis tools have their drawbacks. While they are getting easier to use and return fewer false positives, experts say more work needs to be done to ensure the tools can be introduced without paralyzing the software building process. The tools need to be tuned properly to get a usable analysis of the vulnerabilities within the application and sometimes that can bog down the process, Krikken said. Also, getting developers to use security testing tools may always be a challenge, because development teams are under pressure to get the job done and generally don t want their processes interrupted, said Tivo s Ely. Some static analysis tools help ease that pressure. Those offered by San Mateo, Calif.-based Fortify and Santa Clara, Calif.-based Armorize Technologies Inc., for example, enable code testing to take place during the code compiling PAGE 4 OF 7

5 process, making it simpler to implement, Ely said. Armorize s technology almost acts as a spell checker, identifying potential errors during code compiling and suggesting changes. One of the biggest challenges using code analysis tools is when they sometimes return hundreds and even thousands of errors, overwhelming the development teams. Depending on the code complexity, the process of addressing each one of the problems can potentially extend the project completion date, Ely said. Someone has to manually evaluate every one of those s, Ely said The problem is that a lot of times security flaws involve multiple pieces of code and it takes time to sort out and find where all the errors are. Though tools are improving, false positives continue to be a major hindrance to adoption of source code analysis, said Web application security expert Caleb Sima, who co-founded and served as chief technology officer of SPI Dynamics Inc., now part of HP Software Inc. Today Sima runs Armorize as the application security vendor s CEO. It requires a lot of manual work and services in order to tune the code analysis tool to be able to identify valid and actionable s, Sima said. Sima, a developer, said security isn t easy for software coders. Often the PAGE 5 OF 7

6 tools are introduced by the company security team to the development organization. The security team then enforces a gate in which code is analyzed for vulnerabilities. The introduction of the tools can often cause friction between the two teams, he said. When you come in with a tool that gives me more things that I need to accomplish, that is a very difficult thing for me to accept, said Sima. The fact that the tool may not be accurate enough or producing actionable results is something that could add more time to the development cycle and is just another phase of things that developers have to get accomplished. The tools are being simplified to help ease the integration pain, said Chris Wysopal, co-founder and chief technology officer of Burlington, Mass.-based Veracode. Early static analysis tools were aimed at security experts who were doing code review, he said. The tools really are focused on the developers now, Wysopal said. This is the only way we re going to secure software, because there aren t enough security experts to go around. PAGE 6 OF 7

7 FREE RESOURCES FOR TECHNOLOGY PROFESSIONALS TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the s and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. WHAT MAKES TECHTARGET UNIQUE? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers all to create compelling and actionable information for enterprise IT professionals across all industries and markets. PAGE 7 OF 7