Imagine you are given the source code for a Java web application of about a million lines and are asked to review it for vulnerabilities and report back in a week. This turns into an interesting exercise if you are a team of one. What are your options: crowdsource, ask for mercy, do your best? Thankfully there is another option: automated code review software. In this post I'll talk about Checkmarx's cloud-based static code analysis solution and use OWASP's WebGoat (v5.4) project to see how it measures up.
Generally speaking, automated source code analysis assesses code against a predefined set of rules or best practices. The analysis tool may also provide a means for team collaboration and suggest fixes for the issues it detects. Detected flaws are typically displayed in a developer-friendly interface quite similar to popular IDEs. Most tools use the OWASP Top 10 and the SANS Top 25 as benchmarks for application security flaws when performing their audits. Using a documentation tool such as Doxygen to view the general structure and call graphs will give a better understanding when tracking down the issues the analysis tool reports. As with any automated security solution, an analyst should expect false positives in the results and be ready to eliminate them; a common cause is an escaping or validation helper the tool's rules do not recognize as a sanitizer. The analyst should also keep in mind that business logic flaws (for instance a missing authorization check on an otherwise well-formed query) and known-vulnerable third-party libraries, which are the domain of software composition analysis, will not be detected by these tools.
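To make the rule-based mechanism described above concrete, here is an added example that is not part of the original post and is not Checkmarx's engine: a minimal source-to-sink taint analysis over Python's `ast` module, run against a constructed sample. The rule names (`request.args.get` as the untrusted source, `cursor.execute` as the SQL sink), the hypothetical `escape_sql` sanitizer and the four sample handlers are all assumptions made for the illustration. Running it shows a true positive (string-concatenated query), a parameterized query that passes, a false positive that appears as soon as the sanitizer is not modelled, and a business-logic flaw (a transfer with no ownership or amount check) that the scanner cannot see because every rule is satisfied.

```python
import ast

# Toy taint rules of the kind a SAST engine ships. Names are illustrative:
# "request.args.get" stands in for any untrusted-input API, "cursor.execute"
# for any SQL sink, and escape_sql is a hypothetical sanitizer helper.
SOURCES = {"request.args.get"}      # dotted call names that return attacker-controlled data
SINKS = {"cursor.execute": 0}       # dotted call name -> index of the argument that must be clean
SANITIZERS = {"escape_sql"}         # calls whose result is treated as clean

# Constructed sample under analysis (not WebGoat code). Line numbers matter for findings:
# lookup_user ends at line 5, lookup_user_safe at 9, lookup_user_escaped at 13, transfer at 17.
SAMPLE = """
def lookup_user(request, cursor):
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)

def lookup_user_safe(request, cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))

def lookup_user_escaped(request, cursor):
    name = escape_sql(request.args.get("name"))
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")

def transfer(request, cursor):
    amount = request.args.get("amount")
    cursor.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, 42))
"""


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(node, tainted, sanitizers):
    """Does this expression carry data derived from a source without passing a sanitizer?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = dotted_name(node.func)
        if name in SOURCES:
            return True
        if name in sanitizers:
            return False
        # Unmodelled call: assume taint flows straight through its arguments. This is the
        # conservative default that turns every unknown escaping helper into a false positive.
        return any(is_tainted(a, tainted, sanitizers) for a in node.args)
    if isinstance(node, ast.BinOp):
        return is_tainted(node.left, tainted, sanitizers) or is_tainted(node.right, tainted, sanitizers)
    if isinstance(node, ast.JoinedStr):
        return any(is_tainted(v.value, tainted, sanitizers)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, (ast.Tuple, ast.List)):
        return any(is_tainted(e, tainted, sanitizers) for e in node.elts)
    return False


def analyze(source, sanitizers=frozenset(SANITIZERS)):
    """Return [(function, line, sink)] for every sink argument reachable from a source."""
    findings = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()                      # variable names currently holding untrusted data
        for stmt in func.body:
            # Check sinks first, using taint state from the preceding statements.
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                name = dotted_name(call.func)
                if name in SINKS and SINKS[name] < len(call.args) and \
                        is_tainted(call.args[SINKS[name]], tainted, sanitizers):
                    findings.append((func.name, call.lineno, name))
            # Then update taint state for simple assignments to plain names.
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                if is_tainted(stmt.value, tainted, sanitizers):
                    tainted |= names
                else:
                    tainted -= names         # overwritten with clean data
    return findings


if __name__ == "__main__":
    print("sanitizer modelled:  ", analyze(SAMPLE))
    print("sanitizer unmodelled:", analyze(SAMPLE, sanitizers=frozenset()))
```

With `escape_sql` modelled, only `lookup_user` (line 5) is reported; drop the sanitizer from the rule set and `lookup_user_escaped` (line 13) joins it as a false positive, which is exactly the kind of result the analyst has to triage. `transfer` is never reported: its query is parameterized, so every rule passes, even though nothing checks that account 42 belongs to the caller or that the amount is positive. A real engine adds inter-procedural flow, path sensitivity and far richer source, sink and sanitizer libraries, but it cannot supply the missing authorization rule.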
Read full review here: http://siliconblade.blogspot.co.il/2013/06/automated-secure-code-review-anyone.html
About the Author
Cem Gurkok, CISSP, CISA is the Threat Intelligence R&D Manager at Verizon Terremark. He specializes in cloud computing security, system security architecture, incident response, digital forensics, malware analysis, litigation consulting, and the research and development of security software. He has worked with various Fortune 500 companies throughout the world.
Cem has recently presented at the Open Source Memory Forensics Workshop (OMFW) and at the EuroForensics Conference on Windows incident response, has published a paper on automated evidence extraction and malware behavior analysis at the International Security and Cryptology Conference, and has written articles about cloud computing security and incident response for ComputerWorld Online. He maintains a blog at siliconblade.blogspot.com.