This document discusses static application security testing (SAST) and how it can help detect vulnerabilities in code. It provides background on how code bases and error densities are growing over time. It then discusses various standards and classifications for weaknesses and vulnerabilities, such as CWE, CVE, MISRA, and SEI CERT. It emphasizes that SAST tools can help detect vulnerabilities early and provide coverage of entire code bases, but may produce false positives. Finally, it suggests introducing SAST tools correctly through configuration, continuous integration, and addressing warnings as technical debt.

1. Заголовок
ptsecurity.com
SAST, CWE, SEI CERT
and other smart words
from the information
security world
Sergey Khrenov
PVS-Studio
Developer

2. Заголовок
2
Speaker
Sergey Khrenov
C# developer, PVS-Studio
khrenov@viva64.com
www.viva64.com

3. Заголовок
3
Why you should listen to this talk
S - security

4. Заголовок
4
The issue – code base growth
• Linux 1.0.0 kernel: 176 250 lines of code
• Linux 4.11.7 kernel: 18 373 471 lines of code
• Photoshop 1.0 : 128 000 lines of code
• Photoshop CS 6 : 10 000 000 lines of code
• Density of errors is also growing, but nonlinearly
• Everyone wants SECURE code of high quality
• Old methods of quality control aren’t enough any more

5. Заголовок
5
When size matters

6. Заголовок
6
Error density (per 1 KLOC)
0
20
40
60
80
100
< 2 2-16 16-64 64-512 > 512
"Estimating Software Costs: Bringing Realism to Estimating" (Capers Jones, 2007)

7. Заголовок
7
How to fight with errors
• Do it right from the start (doesn’t work)
• Follow company rules
• Use “best practices”
• Code Review
• Couple development
• Test-driven development (TDD)
• Agile development
• Tools

8. Заголовок
8
A few words about Code Review

9. Заголовок
9
Example from practice (Mono project)

10. Заголовок
10
Example from practice (Mono project)

11. Заголовок
11
Example from practice (Mono project)

12. Заголовок
12
Tools
• Unit tests
• Functional tests
• Load tests
• …
• Dynamic analysers
• Static analysers

13. Заголовок
13
Static analysis is…

14. Заголовок
14
Modern analysers
 Integration into IDE
 Integration into build systems and CI
 Incremental analysis
 Noise suppression mechanisms

15. Заголовок
15
Slow help is no help
0
1000
2000
3000
4000
5000
6000
7000
8000
Development Build QA Release Phase
Cost to Fix a Security Defect ($)
NIST: National Institute of Standards and Technology

16. Заголовок
16
Programming errors and their consequences (Therac-25)
From June 1985 to
January 1987 year this
device has become the
reason for at least 6
radiation overdoses.
Some patients got tens
of thousands radiation
absorbed doses. At
least two people died
directly because of
overdoses.

17. Заголовок
17
Programming errors and their consequences (Ariane-5)
June 4, 1996,
spaceport Kure.
During the first
launch, at the 40th
second of the flight,
the rocket collapsed.
The reason is an error
in the on-board
software.

18. Заголовок
18
DevSecOps and SAST will help us

19. Заголовок
19
Increasing number of detected vulnerabilities
5632
16555
0
2000
4000
6000
8000
10000
12000
14000
16000
18000
2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018
https://www.cvedetails.com

20. Заголовок
20
Search for vulnerabilities
For legacy code, search for known vulnerabilities is optimal:
• Analogy - antiviruses
• No false positives
• Only known issues are found
• Especially useful in large old projects
For newly written code, the method of searching code defects in
order to prevent vulnerabilities is more effective.

21. Заголовок
21
SAST - Static Application Security Testing
• Static analysis is aimed at searching and preventing
vulnerabilities
• Vulnerabilities are often ordinary bugs (according to the
data from NIST, more than 60%)
• SAST tools help to prevent vulnerabilities and provide
support of development security standards: CWE,
MISRA, SEI CERT and others.

22. Заголовок
22
SAST - Static Application Security Testing
Pros:
• Early problem detection
• Entire code coverage
• Good at searching typos and errors of the Copy-Paste type
Cons:
• False positives
• Exact error criticality is not defined
• Weak detection of memory leaks and parallel errors

23. Заголовок
23
Path to a real vulnerability
CWE - Common Weakness
Enumeration
CVE - Common Vulnerabilities
and Exposures

24. Заголовок
24
CWE
• CWE™ is a community-developed list of common
software security weaknesses
• https://cwe.mitre.org
• List of more than 800 potential vulnerabilities,
which can become real

25. Заголовок
25
CWE: examples of potential vulnerabilities
• CWE-14: Compiler Removal of Code to Clear Buffers
• CWE-20: Improper Input Validation
• CWE-91: XML Injection
• CWE-457: Use of Uninitialized Variable
• CWE-467: Use of sizeof() on a Pointer Type
• CWE-562: Return of Stack Variable Address

26. Заголовок
26
CWE-14 (Compiler Removal of Code to Clear Buffers)
void win32_dealloc(struct event_base *_base, void *arg) {
struct win32op *win32op = arg;
....
memset(win32op, 0, sizeof(win32op));
free(win32op);
}
The compiler could delete the 'memset' function call, which is used
to flush 'win32op' object.

27. Заголовок
27
CWE-687 (Function Call With Incorrectly Specified Argument Value)
void win32_dealloc(struct event_base *_base, void *arg) {
struct win32op *win32op = arg;
....
memset(win32op, 0, sizeof(win32op));
free(win32op);
}
The memset function receives the pointer and its size as arguments.
It is possibly a mistake. Inspect the third argument.

28. Заголовок
28
CWE-563 (Assignment to Variable without Use)
public string Region
{
get {....}
set
{
if (String.IsNullOrEmpty(value))
{
this.linker.s3.region = "us-east-1";
}
this.linker.s3.region = value;
}
}
The 'this.linker.s3.region' variable is assigned values twice
successively. Perhaps this is a mistake.

29. Заголовок
29
CWE-674 (Uncontrolled Recursion)
OnFailure? onFailure = null;
public OnFailure? OnFailure
{
get { return this.OnFailure; }
set { this.onFailure = value; }
}
Possible infinite recursion inside 'OnFailure' property.

30. Заголовок
30
CVE
• CVE® is a list of publicly known cybersecurity
vulnerabilities
• https://cve.mitre.org/
• List of more than 114 000 actual vulnerabilities found in
applications

31. Заголовок
31
CVE-2012-2122
typedef char my_bool;
my_bool
check_scramble(const char *scramble_arg, const char *message,
const uint8 *hash_stage2)
{
....
return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
}
[CWE-197] Saving the 'memcmp' function result inside the 'char' type
variable is inappropriate. The significant bits could be lost
breaking the program's logic.

32. Заголовок
32
CVE-2013-4258
if (NasConfig.DoDaemon) {
openlog("nas", LOG_PID, LOG_DAEMON);
syslog(LOG_DEBUG, buf);
closelog();
} else {
errfd = stderr;
}
[CWE-134] It's dangerous to call the 'syslog' function in such
a manner, as the line being passed could contain format
specification. The example of the safe code: printf("%s", str).
Network Audio System

33. Заголовок
33
CVE-2014-1266
static OSStatus
SSLVerifySignedServerKeyExchange(....)
{
....
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
goto fail;
....
fail:
....
}
[CWE-483] The code's operational logic does not correspond with its formatting.
[CWE-561] Unreachable code detected. It is possible that an error is present.

34. Заголовок
34
MISRA C/C++
• Motor Industry Software Reliability Association
• Coding standard, which reduces the likelihood of making an
error for highly dependable embedded systems
• Proprietary
• MISRA C 2012 contains 143 rules
• MISRA C++ 2008 contains 228 rules

35. Заголовок
35
MISRA C/C++ (some rules)
• Don’t use octal constants
• Don’t use goto
• Function has to be single-exit
• Don’t use functions of the standard library
(atof/…/abort/exit/getenv/system/…)
• Don’t use dynamic allocations
• Don’t use unions
• Each case has to end with break or throw

36. Заголовок
36
MISRA C/C++ (Toyota)
• NHTSA: during 2000 - 2010
years 89 people died in
accidents, 57 were injured
• NHTSA and NASA made an
investigation
• 7 134 MISRA violations are
detected
• Toyota denies the guilt, but pays 16 billion dollars in the pre-trial
order

37. Заголовок
37
SEI CERT
• Coding standard
• Developed by CERT (CERT Coordination Center,
CERT/CC)
• Meant to C, C++, Java, Perl languages
• Quite similar to CWE

38. Заголовок
38
SEI CERT (some rules)
• MSC06-C: Beware of compiler optimizations
• INT33-C: Ensure that division and remainder operations
do not result in divide-by-zero errors
• EXP33-C, EXP53-CPP: Do not read uninitialized memory
• ARR01-C: Do not apply the sizeof operator to a pointer
when taking the size of an array
• DCL30-C: Declare objects with appropriate storage
durations

39. Заголовок
39
Introduce and use SAST correctly
• Chose an appropriate analyser
• Configure it
• Check a project, consider current warnings as a
technical debt
• Work with new warnings
• Introduce SAST in CI systems
• Set SAST on the machines
• ….
• PROFIT!!!

40. Заголовок
40
Mistaken beliefs related to SAST
• Expensive
• Not for newbies
• Difficult to introduce in a large project
• Silver bullet

41. Заголовок
41
Decrease losses
• Vulnerability occurrence
• Direct and indirect losses:
• Exploitation by intruders
• Bug bounty
• Reputation
• Correction
• Release update
$
$
$
$
$
$
$

42. Заголовок
42
Decrease losses
• Vulnerability occurrence
• Detection using SAST, correction
• Direct and indirect losses:
• Exploitation by intruders
• Bug bounty
• Reputation
• Correction
• Update release
$
$
$
$
$
$
$

43. Заголовок
43
Takeaway
 Security issues are expensive if they get in the final product
 SAST tools are one of the ways to detect vulnerabilities
 However, we recommend using any other available methods
 If your company earns money using programming code, you
have to think about its security

44. Заголовок
ptsecurity.com
Спасибо!
Спасибо!