Secure Software Development: How to Check Your Code
In May of 2021, a cybercrime organization called DarkSide successfully locked operators of the Colonial Pipeline, which supplies the east coast with 45% of its petroleum fuel, out of their own software system with a type of malware called “ransomware.” True to its name, ransomware returns access to your software (in theory) if you pay a ransom.
The result—fuel supplies collapsed across the eastern United States, with gas lines, price spikes, and panic. People began hoarding gasoline in states not even served by the Colonial Pipeline. The US government passed emergency legislation. Even DarkSide seemed shocked at the impact of their cyberattack. “Our goal is to make money and not creating problems for society,” they posted on their website.
The DarkSide attack on the Colonial Pipeline is the most dramatic recent example of one of a myriad of threats that cybersecurity experts have been addressing for decades, partially by ensuring secure software development. The cost of software data breaches is expected to surpass $10.5 trillion by 2025. 60% of small businesses that experience a cyberattack will close within six months.
The programming languages used to write sophisticated software applications are inherently vulnerable to cyber attacks. A careless error on one line of code could result in an app that works perfectly but may contain a gaping back door for cybercriminals to enter and wreak havoc.
The fight against cybercriminals, therefore, starts with the code itself. If you aspire to develop custom software, checking your code, rechecking it, and then checking it again for vulnerabilities must become a way of life. In fact, depending on your industry, it may be necessary for regulatory compliance.
Don’t leave your software vulnerable. Here’s how to check your code before you expose your new software to potential danger.
Static Code Analysis
Static code analysis is often the first step in checking your software code. As Liventus notes, static code analysis involves examining the source code before it runs. That means the code is checked before the code has been compiled or when the code is compiled but the application is not running.
The process is typically executed before the application is ever executed, even in test mode. Static code analysis forms a critical component of quality assurance in secure software development.
Static code analysis is typically carried out by automated tools known as static application security testing (SAST) tools. Various SAST tools are available for developers, IT teams, and cybersecurity experts to use to scan their code.
An automated SAST tool checks the code against a series of defined rules programmed into the tool. Different tools are programmed to check the code against different parameters.
Code issues typically exposed by static code analysis include coding standard violations, programming errors, security vulnerabilities, syntax violations, and undefined values.
SAST tools, however, have a tendency to flag false positives—vulnerabilities or errors in the code that aren’t actually problems. A SAST tool can make the process a lot easier and quicker than manually checking each line of code with expert human eyes. However, the tool will spit out a laundry list of “problems” that must then be checked by a human expert to confirm that a problem exists.
Dynamic Code Scanning
Whereas static code analysis examines the software source code while it is not running, dynamic code scanning examines the code while the application is running, searching for compile time vulnerabilities or runtime vulnerabilities. Again, this can be accomplished with a variety of automated software tools known as dynamic application security testing (DAST) tools.
DAST tools essentially poke at the running code with a catalog of known malicious inputs and vulnerabilities. This tests the code within a realistic simulation of its running environment.
Examples of inputs the DAST tool might attempt include:
- SQL Queries. These could expose possible SQL injection vulnerabilities.
- Long Input Strings. These could expose possible buffer overflow vulnerabilities.
- Negative Numbers. These could detect integer underflow vulnerabilities.
- Large Positive Numbers. These could detect integer overflow vulnerabilities.
- Unexpected Inputs. These could expose invalid assumption vulnerabilities.
The DAST tool examines the responses the application returns from these inputs and notes irregularities, like system crashes or invalid responses.
Because it tests the running code, DAST tools can detect vulnerabilities that SAST tools will miss entirely, like problems hiding in memory allocation and configuration.
Interactive Application Security Testing
SAST and DAST testing have been around for decades, but newer on the scene is IAST—interactive application security testing.
In some ways, IAST is similar to DAST. It examines the application while it is running, rather than observing the code in a static state as with SAST.
But whereas DAST tools ping the running application with simulations of malicious inputs, IAST uses software instrumentation to examine the code itself. The tool uses sensors to scan the code and observe its performance and interactions.
Whereas SAST is performed early in the development cycle (usually before the code is compiled) and DAST takes place later, IAST splits the difference. It can be deployed earlier in the development process than DAST and used to identify vulnerabilities that both SAST and DAST might miss.
Software Composition Analysis (SCA)
Software composition analysis (SCA) is especially applicable to software developers using open source code as part of their custom software framework. This is a fairly common situation to be in—most developers don’t design software from scratch. Rather, they use discrete blocks of open source code, arranged in a novel way to produce a novel result.
But SAST, DAST, and IAST might miss vulnerabilities that exist only in the open-source components of the code. SCA is the missing piece—a form of code analysis that identifies open source code components and examines them for known vulnerabilities associated with that source code.
High-profile data breaches tend to leave us with a sense of disquiet—how vulnerable are we every time we launch an app on our computer, tablet, or smartphone? Software developers need to put themselves in their users’ shoes, and take their expectations of software security very seriously.
A combination of SAST, DAST, IAST, and SCA, at the right stages of the development cycle and using the right tools, can help developers comply with regulations, foster public trust, and offer the most breach-resistant software solutions possible to the marketplace.