
Static analysis for security


Testing code against common security risks to ensure quality before release (before an attacker gets access)


  1. Static Analysis for Security, June 2016, FABDULWAHAB.COM
  2. Security is a requirement
     • Testing code against common security risks to ensure quality before release (before an attacker gets access)
     • Helps implement best practices and prioritize the risks
     • Also called white box testing or source code review
  3. Software developers are the first and best line of defense for the security of their code
  4. Types
     • Static
       • Analyzes the code before it runs
       • Automated by tools (these can also analyze binary code or bytecode, but with limitations)
       • Also includes code review by senior developers and professionals
       • Finds risks like business logic, exception handling and NULL issues
     • Dynamic
       • Analyzes the application's behavior during the run phase
       • Automated by tools
       • Used when there is no code access or knowledge
       • Finds risks like XSS, injection or configuration issues
     • Better to go with both types (defense in depth)
  5. Development process
     • Study past security errors and prevent them from happening in the future
     • All portions of the program must be secure
     • Best practices, training and skills are still needed
     • Whitelist vs. blacklist validation
     • Good design and good implementation need each other
     • Manual code review is very important
     • Including configuration analysis
  6. Tools
     • The information security department focuses on dynamic analysis tools for pen testing
     • The development department focuses on static analysis tools and sometimes also on dynamic analysis tools
     • In most cases, static analysis tools are integrated with the IDE
     • Tools have rules to validate the code, such as searching for user inputs like Request[] or searching for injection like SQL Command in code …
     • Remember, running tools doesn't make an application secure
  7. False negatives are more troublesome than false positives
  8. Tools
     • Static analysis tool categories
       • Type checking
       • Style checking (whitespace, naming, program structure …)
       • Program understanding (find all uses of this method or variable …)
       • Program verification and property checking (check against rules and specifications)
       • Bug finding
       • Security review
  9. Tools
     • Commercial/free
     • Open source
     • Support development standards and compliance (PCI, ISO …)
     • Based on programming languages
     • Examples
       • https://sourceforge.net/projects/visualcodegrepp/
       • https://sourceforge.net/projects/agnitiotool/
       • https://www.microsoft.com/en-us/download/details.aspx?id=6544
       • https://www.microsoft.com/en-us/download/details.aspx?id=19968
       • http://www8.hp.com/us/en/software-solutions/application-security/index.html
       • https://www.checkmarx.com/
       • https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html (list)
  10. Demo 01 – Visual Studio Code Analysis
     • Identifies potential issues based on Microsoft's rules and best practices
     • http://nugetmusthaves.com/Tag/CodeAnalysis
     • http://fxcopaspnetsecurity.codeplex.com/
     • https://blogs.msdn.microsoft.com/hkamel/2013/10/24/visual-studio-2013-static-code-analysis-in-depth-what-when-and-how/
  11. Demo 02 – WCSA
     • To analyze the web.config
     • https://code.google.com/archive/p/wcsa/downloads
  12. References
     • https://www.owasp.org/index.php/Static_Code_Analysis
     • Secure Programming with Static Analysis book, by Brian and Jacob
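Slides 6 and 7 describe how static analysis tools work from rules (find user input such as Request[], find injection sinks such as SQL Command) and why false negatives matter. The following is an added illustration, not code from the slides or from any of the tools they list: a minimal rule-based scanner over a constructed ASP.NET-style C# snippet that reports SqlCommand queries built by concatenating Request[] data and leaves the parameterized query unreported.

```python
import re

# Constructed ASP.NET-style C# snippet (not from the slides): two queries that
# build SQL from Request[] input and one parameterized query that is safe.
SAMPLE = """\
string name = Request["name"];
var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = '" + name + "'", conn);
string id = Request["id"];
var safe = new SqlCommand("SELECT * FROM Users WHERE Id = @id", conn);
safe.Parameters.AddWithValue("@id", id);
var direct = new SqlCommand("SELECT 1 WHERE q = '" + Request["q"] + "'", conn);
"""

# Rule 1: a variable assigned from Request[] is treated as untrusted (tainted).
INPUT_RE = re.compile(r'\b(\w+)\s*=\s*Request\[')
# Rule 2: a SqlCommand construction is a sink; capture its argument text.
SINK_RE = re.compile(r'new\s+SqlCommand\s*\((.*)\)')


def scan(source):
    """Return (line number, [tainted names]) for every SqlCommand whose query
    text is joined by '+' to Request[] data. A parameterized query, where no
    '+' touches a tainted name, is not reported."""
    tainted = []      # names assigned from Request[] so far, in order seen
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = INPUT_RE.search(line)
        if m and m.group(1) not in tainted:
            tainted.append(m.group(1))
        s = SINK_RE.search(line)
        if not s:
            continue
        query = s.group(1)
        # a tainted name appears immediately next to a '+' in the query text
        used = [v for v in tainted
                if re.search(r'\+\s*' + re.escape(v) + r'\b|\b'
                             + re.escape(v) + r'\s*\+', query)]
        if 'Request[' in query and '+' in query:
            used.append('Request[]')   # input concatenated directly into the query
        if used:
            findings.append((lineno, used))
    return findings


if __name__ == "__main__":
    for lineno, names in scan(SAMPLE):
        print(f"line {lineno}: SQL built from untrusted input {names}")
```

The rules are deliberately simple: input that reaches the query through a method call or a second variable would be a false negative, which is the case slide 7 warns about.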
