Static Code Analysis for Enterprise Applications


The increase in adoption of Social, Mobile, Analytics, and Cloud (SMAC) technologies and the growth in data volumes have led to increased concern about data security. With large enterprises building or deploying new applications on public cloud platforms, there are doubts about the safety of company data. Moreover, the size and scale of an organization's enterprise applications today are huge: they include every Internet-facing application, those accessed by mobile users, SaaS applications, and platform and infrastructure as a service interfaces, among others. Having invested heavily in defending the application perimeter, enterprises are now focusing their efforts on securing the application layer, which, according to Gartner, is where the majority of attacks are aimed.

The source code of enterprise applications is often a major source of vulnerabilities that attackers can exploit to gain access to confidential information. Static code analysis is one of the security tools an enterprise can use to identify such vulnerabilities before the application is deployed. These automated tools parse source code (or, in some cases, compiled object code) without executing it and match it against rules that describe coding errors and security weaknesses; the more capable tools also track data flow from untrusted input to sensitive operations such as database queries or shell commands. The findings are reported before the code is released into production.

Did you know?
Static analysis tools review code without running it, usually before it goes live, and can therefore see every code path but cannot confirm that a flaw is reachable. Dynamic analysis tools exercise a running application, typically in a test environment or in production, by sending requests and observing responses, so they find only what is reachable at run time but produce fewer false positives. Many organizations use both, since each finds classes of vulnerabilities the other misses.

In recent years, code analysis has become standard in software development. Incorporating security earlier in the Software Development Life Cycle (SDLC) uncovers vulnerabilities earlier, which reduces cost and increases efficiency compared with finding and patching application flaws after the code is in production. Static code analysis tools scan source code and look for violations of defined rules; they highlight potential problem areas relating to security, performance, interoperability and so on that may require the attention of skilled personnel.

Even when organizations use vendor-written code or third party software for which source code is not provided, that code must still be tested to ensure that it is functionally correct and secure. Most static analyzers need source code, but when it is not available some products can scan binary code (object code, bytecode or compiled executables); Veracode is the best-known example of a binary-analysis service, and other commercial offerings from vendors such as HP (Fortify), IBM (AppScan) and WhiteHat (Sentinel), as well as open source static analyzers, cover source code and, in some cases, bytecode. Check a product's actual coverage of compiled code before relying on it for third party components.

Organizations typically use static analyzers at two stages of the development process. The first is within the development environment, where developers check their own code as they write it: they look at the warnings generated, identify false positives, and fix real problems. False positives should be suppressed with a recorded justification rather than silently ignored, so that the same warning does not resurface on every scan. The second is as a gate on the code repository or build pipeline, so that any code being checked in (or submitted in a pull request) is analyzed at that point and a report is generated with the list of issues to address; to be effective, the gate should fail the build on new findings above an agreed severity rather than merely recording them. Some organizations also run the analyzer on incremental builds or nightly against the whole code base to catch vulnerabilities that individual check-ins miss. The results generated by open source or proprietary analysis tools can be aggregated into a single dashboard.
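The following is an added example, not code from the original article or from any of the products it names. It shows in miniature what the two preceding sections describe: a rule-based static analyzer that parses Python source with the standard library's `ast` module, matches it against a few security rules (string-formatted SQL passed to `execute()`, shell command injection, `eval` on data, hard-coded credentials), and returns a non-zero exit code when it finds anything, which is how such a tool gates a check-in or a CI build. The rule names, messages and the embedded `SAMPLE` source are constructed for illustration; a commercial analyzer would add data-flow tracking rather than relying on syntactic patterns alone.

```python
"""Minimal rule-based static analyzer for Python source (added example).

Models the core of a SAST tool: parse, walk the syntax tree, match rules,
report findings, and fail the build when findings exist. Rule identifiers
(SQLI, CMDI, CODEEXEC, SECRET) are hypothetical, not from any real product.
"""
import ast
import sys
from dataclasses import dataclass
from pathlib import Path

# Variable names that suggest a credential (constructed heuristic list).
SECRET_NAMES = ("password", "passwd", "secret", "token", "api_key")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at run time: f-string, %, +, or .format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'os.system', 'cur.execute', 'eval'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


class RuleVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _report(self, node: ast.AST, rule: str, message: str) -> None:
        self.findings.append(Finding(node.lineno, rule, message))

    def visit_Call(self, node: ast.Call) -> None:
        name, args = _call_name(node), node.args
        # Rule SQLI: query text assembled by string formatting, then executed.
        if name.endswith(".execute") and args and _is_dynamic_string(args[0]):
            self._report(node, "SQLI", "query built with string formatting; use parameterised queries")
        # Rule CMDI: shell invoked with a non-constant command or shell=True.
        if name == "os.system" and args and not isinstance(args[0], ast.Constant):
            self._report(node, "CMDI", "os.system() with non-constant command")
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self._report(node, "CMDI", f"{name}() called with shell=True")
        # Rule CODEEXEC: eval/exec on anything that is not a literal.
        if name in ("eval", "exec") and args and not isinstance(args[0], ast.Constant):
            self._report(node, "CODEEXEC", f"{name}() on non-constant input")
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # Rule SECRET: a credential-looking name assigned a non-empty string literal.
        v = node.value
        if isinstance(v, ast.Constant) and isinstance(v.value, str) and v.value:
            for t in node.targets:
                if isinstance(t, ast.Name) and any(s in t.id.lower() for s in SECRET_NAMES):
                    self._report(node, "SECRET", f"hard-coded secret in variable '{t.id}'")
        self.generic_visit(node)


def scan_source(src: str) -> list[Finding]:
    """Parse one module and return its findings ordered by line number."""
    visitor = RuleVisitor()
    visitor.visit(ast.parse(src))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample: lines 2, 5, 7, 9 and 10 violate a rule; 6 and 8 are the safe forms.
SAMPLE = '''import os, subprocess, sqlite3
DB_PASSWORD = "hunter2"
def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    os.system("ping " + user)
    subprocess.run(["ls", user])
    subprocess.run("ls " + user, shell=True)
    eval(user)
'''


def main(argv: list[str]) -> int:
    """Check-in gate: scan the given files (or SAMPLE) and return 1 if anything was found."""
    sources = [(p, Path(p).read_text(encoding="utf-8")) for p in argv] or [("<sample>", SAMPLE)]
    total = 0
    for path, src in sources:
        for f in scan_source(src):
            print(f"{path}:{f.line}: [{f.rule}] {f.message}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to scan the embedded sample, or with file paths to use it as a pre-commit hook or CI step (`python analyzer.py $(git diff --cached --name-only -- '*.py')` is one way to wire it in); the non-zero exit status is what blocks the check-in. The parameterised `execute()` call and the list-form `subprocess.run()` produce no findings, which is the distinction a reviewer wants the tool to make rather than flagging every database or shell call.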

While static code analysis is an integral part of application security testing, tools cannot replace processes. Processes have to be in place to ensure that application security is being considered from the beginning of the SDLC, starting with defining requirements and design. To maximize the impact of source code reviews, warnings output by the analyzers have to be addressed and potential problems fixed. Application testing should thus not only include functionality testing, but also check for security vulnerabilities. The importance of incorporating security testing to mitigate an organization’s risk profile cannot be overstated.
