Practicing DevSecOps: Source Code Security Analysis

Developers need to think not only about the security of the digital infrastructure in use but also about the security of the code.

David Balaban

July 12, 2021

8 Min Read
Practicing DevSecOps: Source Code Security Analysis
(Source: Image by Pete Linforth from Pixabay)

Source code security is an inalienable component of a safe software engineering workflow. There is a separate category of tools geared toward checking applications for vulnerabilities at the development stage. These solutions are currently booming and getting more sophisticated, partially due to the increasing regulatory pressure.

This article will go over the common types of source code testing instruments. It will explain the difference between different tools representing the Static, Dynamic, and Interactive Application Security Testing clusters (SAST, DAST, and IAST) and shed light on the growingly popular Runtime Application Self-Protection (RASP) technology. You will also learn what tasks can be solved using these scanners and how this market niche may evolve in the near future.

The whys and wherefores of checking code for security issues

Organizations have mastered the key techniques to address vulnerabilities inside their perimeter by patching commonplace software environments such as operating systems and database management tools. However, there can be unique solutions in use – ones that are tailor-made for solving specific tasks. To prevent such programs from becoming entry points for malicious actors, companies need to find and fix security flaws in them.

It is important for organizations to know what fragments of software code are being used in different segments of their IT infrastructure while keeping track of code authorship details. When errors are found in a specific fragment, companies need to determine what systems they affect and fix them without delay, preferably by assigning this task to the developer who wrote the buggy code.

Building the defenses from the ground up is paramount because all levels of an enterprise digital architecture are mutually dependent. Therefore, each one of them affects the overall security of the organization. To keep the costs down, it is a good idea to set an objective that will be achieved through code assessment. It could boil down to compliance with regulatory requirements or a desire to reduce the risks of hacking and malware attacks.

Code assessment solutions allow a developer to avoid the costs of eliminating vulnerabilities detected after the system is released. The earlier a company’s management realizes the importance of code security, the less time, money, and other resources are required for applying patches down the road.

Some services and applications are intertwined with an organization’s revenue model. Financial and trading programs are a few examples. When attackers compromise these systems, the consequences go beyond reputational issues and entail a direct monetary loss for the company.

Of course, scanning code for loopholes is not the only element of secure software engineering, but it is the first and necessary step that allows the developer to stay on top of the process. If an IT team relies solely on patches, this tactic is always reactive rather than proactive, and thus adversaries get more time and opportunities to infiltrate the network. The “Shift Left” principle (shifting security analysis as close as possible to the beginning of the development process) reduces the potential costs of dealing with problems for both the developer and the customer afterward.

It is also noteworthy that ignoring legal risks can be a slippery slope. A company should understand what code it owns, who will possess the rights to the code in case the business is split up, and what the licensing requirements of third-party components are. In these scenarios, code assessment can be a means of facilitating lawyers’ work.

Are open-source scanners worthwhile?

There is no such thing as entirely free software, let alone cheap security. At the same time, you cannot say for sure which scanner is better – a commercial or a free one. Instead, you can only argue which tool is the most appropriate for a specific task. You can combine different kernels to analyze code at different stages of a project and use different scanners for different development workflows.

Open-source tools can provide a basic level of security, but you will most likely need specialized InfoSec products to pinpoint more complex vulnerabilities. Commercial tools often provide advanced recommendation functionality. This is important because simply reporting a problem is not enough in some cases. It may also be necessary to explain what must be done, all the way up to fixing the shoddy code automatically.

The authors of such scanners need to make a good deal of effort and invest a lot of money to integrate detailed vulnerability descriptions along with hands-on recommendation features into their products. Many makers of open-source tools do not have such resources.

What are SAST, DAST, and IAST? And which one to choose?

To grasp the current categorization of code security scanners, you need to remember five acronyms. The traditional approaches include static (SAST), dynamic (DAST), and hybrid (IAST) analysis. Additionally, there is Feedback-based Application Security Testing (FAST), also known as fuzzing. Another technology on the list is RASP, which operates as a kind of internal application firewall and is used to identify and block attacks in real-time.

Software Composition Analysis (SCA) tools are worth mentioning, too. Their purpose is to vet third-party components used in a system. Entry-level variants of these solutions list third-party libraries integrated into the development process and spot vulnerabilities in them. Advanced SCA tools can additionally assess the functioning of proprietary code and figure out whether the discovered vulnerabilities can be exploited in a specific system.

Each of these tools should be used at a particular stage of the development, security, and operations (DevSecOps) routine. A static analyzer helps write secure code and form the application’s architectural backbone, while dynamic assessment and IAST are useful when the program is being compiled and tested. None of these tools ensures ultimate code security but using a combination of them can provide decent results. The choice of the most appropriate assessment solution depends on the customers’ privileges – whether they can access the code or only use the application.

In any case, static analysis is a good starting point, but other instruments should be considered as well. Different companies treat the development process differently, but SAST is undoubtedly one of the fundamental tools as long as code security is a priority. Furthermore, instead of contraposing static and dynamic analysis, organizations should combine the two for stronger security. Some types of vulnerabilities can only be discovered in a static condition, others are detectable in dynamics, and many issues are somewhere in between.

What hampers the deployment of code security assessment tools?

The complexity of interaction between InfoSec specialists and developers is a significant obstacle to deploying source code analysis solutions. Programmers often have their own perspectives on how critical a vulnerability is and whether fixing it is an urgent task.

In some cases, vulnerability databases can help come to a common denominator, but even the most comprehensive database is not always applicable to a particular development framework. Furthermore, every application has its unique threat model, and the vulnerability severity evaluation should be performed in the context of a specific software engineering workflow. Interactive analysis can help you prioritize what needs patching. It is also necessary to come up with security requirements at an early stage of development when the application’s architecture and functionality are being formed.

Company executives should keep in mind that an error is not necessarily a vulnerability. To correctly build a dialogue with the developers, they need to provide as much structured information as possible about the detected problem with references to international practices and other sources.

What does this market’s future hold?

In the future, code analyzers will migrate to the cloud. This process is already underway, and many vendors are generating up to 50% of their revenue from cloud-based code security systems.

Another trend comes down to strengthening regulatory requirements that relate to code security. Developers used to be primarily concerned about compliance with functional requirements, but things have changed. Nowadays, to deliver solutions to critical industries, they need to think not only about the security of the digital infrastructure in use but also about the security of the code.

A mix of increased reliance on open-source components and the growing code complexity may also define the evolution of this market for the next few years. All of this will stimulate demand for solutions potent enough to analyze a larger number of nesting levels and dependencies.

About the Author(s)

David Balaban

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs and projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights