Practical aspects of software vulnerability detection
It is well known that any information attack is implemented by an attacker based on a vulnerability that is present in the attacked system. According to standards, vulnerability is understood as a property of information system that makes it possible to implement security threats to the information processed in it. Today we can distinguish various types of vulnerabilities, but in this article we will talk about those that relate to software.
It’s no secret that the number of vulnerabilities detected in application software increases every year. At the same time, not only their number, but also their type is growing. For example, according to Hewlett Packard, we can currently identify over 500 classes of vulnerabilities in software. Examples of these vulnerabilities are buffer overflow, SQL injection, Cross Site Scripting, and many others.
It is also extremely important to note that the sooner the vulnerability is discovered, the less funding will be needed to fix it. This fact is graphically illustrated in the table below.
Cost of vulnerability mitigation at different stages of software development
№ | Description of stage of software development | Cost of vulnerability mitigation |
---|---|---|
1 | Requirements specification development | $ 139 |
2 | Software design | $ 455 |
3 | Software development (programming) | $ 977 |
4 | Software testing | $ 7136 |
5 | Software technical support | $ 14 102 |
Search for vulnerabilities in software can be done manually or with automation tools. At present, to detect software vulnerabilities either static or dynamic analysis tools can be used, which are described in detail below.
Static analysis tools
Static analysis implies search for potentially unsafe constructions in software source code. This type of analysis allows you to detect technological vulnerabilities occurring at the stage of software development because of the developer’s carelessness or malicious intent.
The process of deploying static analysis tools requires participation not only of the information protection department but also of the department responsible for software development. This is due to the fact that only the developers will be able to analyze the results of source code scanning and to make the necessary corrections in the source code of the application.
The figure below shows a generalized process of using the static security analysis tool. As part of this process, the static analysis tool launches the source code scanning process at the moment of centralized building of the whole application. This process usually takes place at the end of the day. Information about the vulnerabilities identified during the scanning process goes to the management server, to which the representative of the development department responsible for software security has access. After analyzing the scanning results, he or she identifies the relevant vulnerabilities and creates corresponding requests for them in the Bug Tracker. At the next stage, the manager of the entire software development process appoints the developers responsible for fixing the identified vulnerabilities based on the created requests. These developers then make changes to the source code to eliminate the identified vulnerabilities. Then this process is repeated on a regular basis until the application development process is completed. At the same time, the security officer monitors at specified intervals that all vulnerabilities detected by static analysis are successfully fixed by the development team.
Process of using static software security analysis tool
Examples of systems that implement this analysis method are HP Fortify and IBM AppScan. These solutions allow you to fully automate the process of source code analysis, integrate into all the most popular software development environments, and identify specific code fragments containing vulnerabilities and offer recommendations on eliminating them. As recommendations, they contain examples of source code fragments showing how to fix this or that vulnerability. Typically, solutions of this class support the ability to analyze source code written in different programming languages. For instance, HP Fortify supports over 20 different programming languages from COBOL to C#.
Dynamic analysis tools
Dynamic analysis implies the testing of already compiled software running in a specific environment. This can be achieved using specialized security scanners, which simulate possible attacks of intruders and also analyze configuration files of the software. Dynamic analysis allows to detect not only technological but also exploitation vulnerabilities caused by incorrect software configuration. Such vulnerabilities include: weak and unguessable passwords, unused accounts, improperly configured software security features, etc. Max Patrol (Positive Technologies) and Qualis (Qualys, Inc.) solutions can be cited as examples of products that implement dynamic analysis functionality.
Another type of dynamic analysis is fuzzing. Fuzzing is the process of sending intentionally incorrect data to the program input in order to cause a failure or error situation. Thus, this technology allows to detect vulnerabilities in the application being analyzed.
Using dynamic analysis tools does not require the source code of the software and does not require the developers to be involved in the security analysis of the application.
Comprehensive approach
To provide the most efficient software security assessment it is necessary to use both static and dynamic analysis tools, as they complement each other. For example, static analysis allows detecting up to 80% of existing vulnerabilities that can be identified from the source code. At the same time, dynamic analysis allows to detect additionally the remaining 20% of vulnerabilities, which are connected with the software configuration and the environment in which it operates. It should also be noted that these software security analysis solutions can be used both as specialized products installed in a company’s LAN and as cloud services.
At the same time, software security analysis should certainly become a part of an integrated approach towards information security of the company as a whole. The requirement to perform such analysis is already stipulated in a number of information security standards, such as PCI DSS. That means that besides using static or dynamic analysis tools, one must have documented procedures describing the processes related to security software development. Such procedures can be based on the recommendations of leading software companies, such as Microsoft or EMC, which have implemented and created special recommendations for organizing the security software development process – SDL (Security Development Lifecycle). These recommendations include, among other things, procedures for increasing developer awareness of the issues involved in creating insecure code. The end result of implementing all these procedures should be to improve the quality of the code being developed, including from an information security point of view.