Source Code Analysis Suite

Paladion
By Paladion

April 11, 2006

We are seeing a lot of application attacks recently. Most of the vulnerabilities being exploited are a result of insecure coding. The need of the hour is secure code in applications. For applications still in the design or coding stage, developers can follow secure coding guidelines. But what about applications that are already in use? Time to call in the source code detective.

Fortify Audit Workbench


The job of a code review tool is to automate the identification, prioritization and resolution of flaws in an application. The Fortify Source Code Analysis Suite (SCA) is one such tool: it performs a comprehensive analysis of the source code to discover security vulnerabilities and coding flaws.

It runs on a range of platforms, such as Windows, Solaris and Linux, and supports a wide range of languages and technologies, including .NET, Java, C, C++ and PL/SQL.

The source code analysis engine makes use of four analyzers to scan the source code for the root cause of vulnerabilities and the symptoms of flaws.

  1. The first is the Data Flow Analyzer. It tracks the flow of potentially malicious data, such as user input, through the program.
  2. The second, the Semantic Analyzer, searches the code for calls to vulnerable functions, for example printStackTrace(), which exposes application error details to the user.
  3. The Control Flow Analyzer tracks the sequence of operations to detect improper coding constructs, such as mismatched opening and closing of connection or file resources.
  4. Finally, the Configuration Analyzer parses and analyzes the application's deployment and environment settings in configuration files, such as web.config in .NET or web.xml in J2EE.

With the help of these analyzers, every function used in the source code is compared against an inbuilt database of known vulnerable functions. The tool detects a wide range of vulnerabilities and flaws: the various injection attacks, hard-coded authentication credentials, improper handling of resources, use of vulnerable functions, cross-site scripting, and so on. Each finding and its risk rating are a combination of the output of the four analyzers.

A really neat feature of the tool is the Audit Workbench, which allows the findings to be viewed in a customized manner for better analysis. It groups the findings by vulnerability type, lets you navigate to the affected file and pinpoints the line number where the flaw occurs.

The interesting part is its analysis trace module, which shows how a particular vulnerability arises by navigating through the code. Take SQL injection as an example. Fortify not only identifies a SQL injection vulnerability but also shows the flow of the malicious input: from the point where the user entered it, to the point where it was assigned to a variable, to where it was passed as a parameter to a function call and finally into the SQL query, the trace module displays it all. In addition, Fortify rates the risk depending on the type of input used to build the SQL query. If the input came directly from the user, it is rated high risk; if the input came from another function, it is rated low risk.
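To make the data-flow trace described above concrete, here is a toy taint-tracking analyzer. It is an added example for this page, not Fortify's engine or any code from the product. It parses a small constructed Python program, treats `get_param()` and `input()` as user-input sources (assumed names), follows the value through assignments, string concatenation and a call into a helper function, and reports any `cursor.execute()` whose SQL text is tainted, together with the step-by-step trace. Mirroring the rating the article describes, data read directly from a user-input source is rated High and data returned by some other function is rated Low; a query that passes the value as a bound parameter rather than inside the SQL text produces no finding.

```python
# Toy taint-tracking data-flow analyzer (added example, not Fortify's engine).
# It parses a constructed Python program, treats calls to SOURCES as user input,
# propagates taint through assignments, concatenation and function parameters,
# and reports SQL sinks reached by tainted data together with the trace.
import ast

SOURCES = {"input", "get_param"}   # calls treated as direct user input (assumed names)
SINK_METHOD = "execute"            # cursor.execute(sql, params): first argument is the SQL text

# Constructed program under analysis; the helper names are made up for this demo.
SAMPLE = '''
def run_query(cur, sql):
    cur.execute(sql)

def lookup_user(cur):
    name = get_param("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    run_query(cur, query)

def lookup_safe(cur):
    name = get_param("name")
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))

def lookup_indirect(cur):
    name = load_default_name()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
'''

def call_name(call):
    """Return the callee name: 'f(...)' -> 'f', 'obj.m(...)' -> 'm'."""
    f = call.func
    return f.id if isinstance(f, ast.Name) else f.attr if isinstance(f, ast.Attribute) else None

class Analyzer:
    """Taint values are tuples (kind, param_index, trace); kind is 'High', 'Low' or 'param'."""

    def __init__(self, source):
        tree = ast.parse(source)
        self.funcs = [f for f in tree.body if isinstance(f, ast.FunctionDef)]
        self.summaries = {}   # callee name -> {param index: trace from that parameter to a sink}
        self.findings = []    # (risk, function name, trace)

    def run(self):
        for _ in range(2):    # second pass lets callers see summaries of callees defined later
            self.findings = []
            for fn in self.funcs:
                self.analyze(fn)
        return self.findings

    def analyze(self, fn):
        # Parameters start out as symbolic taint so a sink reached from one yields a summary.
        env = {p.arg: ("param", i, [f"line {fn.lineno}: parameter '{p.arg}' of {fn.name}()"])
               for i, p in enumerate(fn.args.args)}
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                target = stmt.targets[0].id
                t = self.taint_of(stmt.value, env)
                if t:
                    env[target] = (t[0], t[1], t[2] + [f"line {stmt.lineno}: assigned to '{target}'"])
                else:
                    env.pop(target, None)   # overwritten with untainted data
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                self.check_call(stmt.value, env, fn)

    def taint_of(self, e, env):
        """Return the taint carried by an expression, or None."""
        if isinstance(e, ast.Name):
            return env.get(e.id)
        if isinstance(e, ast.BinOp):         # string concatenation propagates taint
            return self.taint_of(e.left, env) or self.taint_of(e.right, env)
        if isinstance(e, ast.JoinedStr):     # f-strings propagate taint from any placeholder
            for v in e.values:
                if isinstance(v, ast.FormattedValue) and self.taint_of(v.value, env):
                    return self.taint_of(v.value, env)
            return None
        if isinstance(e, ast.Call):
            name = call_name(e)
            if name in SOURCES:
                return ("High", None, [f"line {e.lineno}: user input read via {name}()"])
            # Data coming from some other function is rated lower, as the article describes.
            return ("Low", None, [f"line {e.lineno}: value returned by {name}()"])
        return None

    def check_call(self, call, env, fn):
        name = call_name(call)
        if isinstance(call.func, ast.Attribute) and name == SINK_METHOD and call.args:
            t = self.taint_of(call.args[0], env)   # only the SQL text, not bound parameters
            if t:
                self.report(t, fn, [f"line {call.lineno}: used as SQL text in {name}()"])
        elif name in self.summaries:               # call into a local function with a known sink
            for i, rest in self.summaries[name].items():
                t = self.taint_of(call.args[i], env) if i < len(call.args) else None
                if t:
                    self.report(t, fn, [f"line {call.lineno}: passed as argument {i} to {name}()"] + rest)

    def report(self, taint, fn, tail):
        kind, i, trace = taint
        if kind == "param":   # sink reached from a parameter: becomes a summary for callers
            self.summaries.setdefault(fn.name, {})[i] = trace + tail
        else:
            self.findings.append((kind, fn.name, trace + tail))

def analyze_source(source):
    return Analyzer(source).run()

if __name__ == "__main__":
    for risk, func, trace in analyze_source(SAMPLE):
        print(f"[{risk}] SQL injection in {func}()")
        for step in trace:
            print("   ", step)
```

Running it prints one High finding for `lookup_user` (input read on line 6, assigned to `name`, built into `query`, passed as argument 1 to `run_query`, used as SQL text on line 3) and one Low finding for `lookup_indirect`; `lookup_safe` is silent because the tainted value sits in the parameter tuple, not the SQL text. The per-function summaries are what let the trace cross the call into `run_query` without re-analyzing it for every caller.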

The screenshot above shows the Audit Workbench with the findings for a sample vulnerable application.

What I liked most is the plug-and-play capability of the tool, which can be quite helpful for developers to find security flaws in the code early in the development cycle and reinforce secure coding practice. It can be integrated into most of the popular IDEs, such as Microsoft Visual Studio. The rule pack builder helps in adding customized rules for detecting known vulnerable functions or coding practices.

One thing it lacks is detection of missing error handling around critical database functions and resource-handling operations.

This tool can also be useful for security auditors and software testers to ensure that all important security vulnerabilities are eliminated before the release and subsequent deployment of the application.

By Santosh Kumar


Tags: Review
