versus-1

Source Code versus Bytecode Analysis

May 11, 2016 By Paul Curran

In the world of software security, there is an ongoing battle over which category of code analysis delivers a higher level of security into the software development lifecycle (SDLC): source code versus bytecode analysis.

While both bytecode analysis (BCA) and source code analysis (SCA) seem to offer organizations a high level of security when it comes to gauging inherent software risk, which method will expose more vulnerabilities? Which method should your organization be using?

Source Code versus Bytecode

bloggraphic

One of the attractive aspects of bytecode analysis is that it can save organizations some code analysis efforts due to compiler automation. Additionally, bytecode analysis can also find flaws introduced due to compiler bugs, something that source code analysis in unable to do. Bytecode Analysis.

Losing the Source

Despite these benefits, however, bytecode analysis comes with a large number of disadvantages. The most fundamental disadvantage of bytecode analysis is, without a doubt, its inability to track back found flaws to the actual source code.

 

To put this flaw into perspective, try to imagine that, as a developer, you’re doing a results review and you need to understand if something that was found is a real vulnerability or not. This is something that you need to determine based on the decompiled bytecode where you don’t see the method names, variable names, comments in the code,etc.

 

Without access to the application’s source code, this task is nearly impossible to execute in an efficient way. Developers need to be able to understand and remediate scan results and doing this using bytecode is not the best way.

 

“Imagine you get 100 results and you’re asked to check if they are true findings. It’s already not always easy when looking at the source code and data flow to decide if something is exploitable. I cannot imagine doing that without looking at the source code.” – Carsten Huth, Ph.D., CISSP, CSSLP, CISM.

 

Missing Passwords

Yet another disadvantage of bytecode analysis is the fact there are certain findings which are not detectable at all using this method. An example that is relevant to multiple sectors, especially the digital banking industry, is the inability to detect hardcoded passwords and passwords in comments which can render bytecode analysis useless to these organizations.

 

Too Late to Fix

When using bytecode analysis, another major issue is how vulnerabilities are exposed too late during development. Application security, when scanning bytecode, comes at later stages of the SDLC because all of the code needs to be compiled before being scanned. At this stage, pressure from tight schedules, project managers and budget constraints can lead to the application shipping with uncovered vulnerabilities to production.

 

Painful Optimization

Finally, since one of the compiler’s roles is to optimize the code for performance, as well as size, elements of the code may be discarded by the compiler which are crucial to the application’s performance. These could be lines of code added as a part of the debugging process and breaches of corporate standards can occur when they are removed.

 

Source Code Analysis

 

Source Code Analysis

As opposed to only scanning code once it has been compiled, scanning the source code offers a number of benefits which not only allow organizations to implement application security early on, and seamlessly, in their SDLCs, but also provide the programmers with real time security feedback on their code.

 

The Case for Source Code Analysis

Low Cost, High Returns

Fixing code at the source, early on in the SDLC makes an impressive impact, not only on the security posture of the application, but also on the budget and overall time frame for the project.

 

The later a vulnerability is exposed during the SDLC, the more time and money is needed to fix it. Vulnerabilities that are remediated at the source, during the development stage, can be up to 100 times cheaper to fix than ones discovered at later stages or on production.

 

Since source code analysis is done in real time, the developer interacts with immediate feedback on the code and its security and can fix the vulnerabilities on the go, while they are “in the zone” on that specific piece of code.

 

A large drawback to amending vulnerabilities in the late stages of the SDLC, as is the case when using bytecode analysis, is the additional time needed for the developer to refamiliarize themselves with the insecure code. Usually, the original coder is working on another project, or feature, and it will take time for them to reacquaint themselves with the code that they need to fix which may have been written weeks, or even months, before.

 

Incremental Scanning

Since source code scanning isn’t dependant on a compiled build, source code scanning can analyse fragments of code without syntactic or compilation errors getting in the way as they would during a bytecode analysis.

 

More Benefits

Flaws in the code are also much easier to track back to the original code and source code analysis works in multi-compiler environments. Additionally, source code analysis is platform agnostic and allows for seamless integration in any operating system of development environment.

 

Conclusion

As application security awareness increases across all sectors in response to the growing number of threats, organizations must choose between using bytecode analysis and source code analysis to secure their applications.
While both offer numerous benefits, it’s clear that source code analysis has a clear edge over the drawbacks and flaws contained in bytecode analysis which can lessen the security posture of applications scanned using bytecode analysis.

 

Looking for more information on the benefits of source code analysis? Download our whitepaper “The 5 Key Benefits of Source Code Analysis.”

 

 

 

The following two tabs change content below.

Paul Curran

Content Specialist at Checkmarx
With a background in mobile applications, Paul brings a passion for creativity reporting on application security trends, news and security issues facing developers, organizations and end users to Checkmarx's content.

Latest posts by Paul Curran (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.