hacker-sca-02

Do Hackers Use Source Code Analysis?

Apr 27, 2016 By Amit Ashbel

Your source code – along with secure application code practices – is your edge over hackers. 

 

A couple of months back, part of the Checkmarx team, myself included, attended a security conference in India where we presented our solutions and provided demos for attendees who wanted to see how the solution enables detecting and mitigating vulnerabilities in code.

During these conferences we usually use various code projects, intended for demonstration.

 

At this particular conference, we had an interesting experience. At one point during the conference, a student approached our booth and asked us to show him how we analyze the code. He had his own code with him, a project he said he’d been working on, and wanted to see if we could help him find vulnerabilities that should be addressed.

 

We were happy to see a student so curious in source code analysis, or SCA, so while he was not a potential customer, we were glad to help.

 

One of our techies took over and initialized the scan. It was quite a large project – a few tens of thousands of Lines of Code, or LoC, so we asked the student to come back in an hour to see the results. Five minutes into the scan, we realized we were actually scanning a commercial application.

 

Considering the fact that there was a high chance the code was obtained illegally, we immediately stopped the analysis, deleted the packaged file and all of its results, which had already started coming through.

 

It was quite obvious that the so-called student was actually trying to locate vulnerabilities in the application’s code, with one of two intentions:

 

1. Submit the vulnerabilities to a bug bounty program to make some extra cash.
2. Abuse the vulnerabilities for personal gain.

 

When the “student” came back, we gently asked him where the source code originated, but couldn’t get a straight answer from him. We let him know we do not scan code without the permission of the code owner, and that it wasn’t code written by one man but rather code written by a commercial organization. The student/hacker quickly bailed on us.

 

Do Hackers Use Source Code Analysis Tools?

 

Source code analysis tools tests code at its raw state to validate proper business logic, functionality and code security best and common practices. While hackers use a variety of tools and techniques to infiltrate and recognize weak spots within an application, tools that require the source code itself, like source code analysis tools and other static application security testing (SAST) solutions, are used less frequently than other solutions as they require both the source code and additional skills.

 

Even if the source code is obtained, a good source code analysis solution that covers multiple programming languages and frameworks would not be something a hacker could easily put their hands on.

 

Considering the above, it is quite safe to say that source code analysis and access to the full application code is a significant edge organizations have over hackers. It may be the only edge.

 

The following two tabs change content below.

Amit Ashbel

Cyber Security Evangelist at Checkmarx
Amit Ashbel has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and familiarity with emerging threats. Amit also speaks at high profile events and conferences such as Blackhat, Defcon, OWASP, and others.

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.