Increased awareness around security protocols is motivating hackers to exploit other weak points that often go unprotected. As a result, the most common source of data breaches is now application vulnerabilities.
Regardless of how secure your network perimeter may be, if an attacker is able to tunnel through all of your infrastructure security by exploiting flaws in the application layer itself, you’re still in considerable danger.
Code reviews can help identify vulnerable spots within applications, allowing engineers to fix problems before a breach can occur. There are several methods and tools to choose from.
Code Review Tools
There are several tools that companies can use to assess their code security. Some require more manual work than others.
Automated Dynamic Scanners
These scanners are programmed to look for specific vulnerabilities by simulating an attack and attempting to gain unauthorized access, infiltrate sensitive data, or gain administrative privileges on a running application.
These can be useful tools for determining the status of specific vulnerabilities, but the scanners are limited in scope as they can only find what they’re programmed to look for.
Manual Penetration Tests
Performed by testing engineers, manual penetration tests simulate attacks just like automated dynamic scanners, but these tests can overcome some of the limitations of dynamic scanners simply because they’re performed by humans.
While engineers can use more ingenuity and care in their testing, they typically can only spend a limited amount of time and money on each test. Real attackers, on the other hand, are incentivized to spend as much time as necessary to break in, especially if the application handles valuable and sensitive data or financial transactions.
Static Analysis Scanners
Working with source code, static analysis scanners compile and analyze code by performing a data flow analysis, which traces potentially tainted external inputs from their point of entry, known as the source, to the point where the data could trigger a security issue, known as the sink.
These scanners interact well with many languages and frameworks, but they aren’t always accurate. Their output requires examination and vetting by an experienced security engineer to determine which results are real and which are false positives.
Security Code Review
Security code reviews combine the ease of automated scanners with the in-depth analysis of a manual review.
In addition to vetting scan results for false positives, the engineer performing a security code review will examine the application looking for structural, logic, and control flow errors that could lead to a serious security breach. These could include broken authentication and authorization algorithms that might allow a hacker to perform an unauthorized login. They could also potentially give hackers the ability to access accounts they shouldn’t be able to by escalating privileges from an ordinary user account to an administrator role. Even the best scanners typically can’t catch these dangerous vulnerabilities.
A security code review is considered the gold standard of application security, given the limitations of dynamic scanning and penetration testing. Automated static analysis scans, meanwhile, are necessary but insufficient when securing an application. A manual review component is also necessary.
Keep in mind that you aren’t limited to just one tool. There are advantages to combining all of the above procedures into the same assessment. Here’s a breakdown for what a combined procedure, often referred to a gray box assessment, might look like:
- Security code review. This remains the central component.
- Static analysis scanners. This review goes beyond just automated inspection. A scan can help trace potentially tainted external inputs from their point of entry to where the data could trigger a security issue. This will assist the engineer in tracing and confirming issues spotted in the code itself.
This approach can make the whole process more efficient, accurate, and ultimately less expensive than an examination of the code alone.
We’re Here to Help
Contact your Moss Adams professional for more information on assessing the security of your running or legacy applications, performing a security code review prior to deployment of a new application, or training your engineers to integrate these processes into your existing software development lifecycle.