Your source code – along with secure application code practices – is your edge over hackers.
A couple of months back, part of the Checkmarx team, myself included, attended a security conference in India where we presented our solutions and provided demos for attendees who wanted to see how the solution enables detecting and mitigating vulnerabilities in code.
During these conferences we usually use various code projects intended for demonstration.
At this particular conference, we had an interesting experience. At one point during the conference, a student approached our booth and asked us to show him how we analyze the code. He had his own code with him, a project he said he’d been working on, and wanted to see if we could help him find vulnerabilities that should be addressed.
We were happy to see a student so curious about source code analysis, or SCA, so while he was not a potential customer, we were glad to help.
One of our techies took over and initialized the scan. It was quite a large project – a few tens of thousands of lines of code, or LoC – so we asked the student to come back in an hour to see the results. Five minutes into the scan, we realized we were actually scanning a commercial application.
Considering the fact that there was a high chance the code was obtained illegally, we immediately stopped the analysis and deleted the packaged file and all of its results, which had already started coming through.
It was quite obvious that the so-called student was actually trying to locate vulnerabilities in the application’s code, with one of two intentions:
1. Submit the vulnerabilities to a bug bounty program to make some extra cash.
2. Abuse the vulnerabilities for personal gain.
When the “student” came back, we gently asked him where the source code originated, but couldn’t get a straight answer from him. We let him know we do not scan code without the permission of the code owner, and that it wasn’t code written by one man but rather code written by a commercial organization. The student/hacker quickly bailed on us.
Do Hackers Use Source Code Analysis Tools?
Source code analysis tools test code in its raw state to validate proper business logic, functionality, and adherence to common code security best practices. While hackers use a variety of tools and techniques to infiltrate and recognize weak spots within an application, tools that require the source code itself, like source code analysis tools and other static application security testing (SAST) solutions, are used less frequently than other solutions, as they require both the source code and additional skills.
Even if the source code is obtained, a good source code analysis solution that covers multiple programming languages and frameworks would not be something a hacker could easily get their hands on.
Considering the above, it is quite safe to say that source code analysis and access to the full application code is a significant edge organizations have over hackers. It may be the only edge.
Latest posts by Amit Ashbel
- Do Hackers Use Source Code Analysis? - April 27, 2016