Your Position: Home - Machinery - What are the methods of code scanning?
This is a list of notable tools for static program analysis (program analysis is a synonym for code analysis).
Languages
[
edit
]
Opa
[
edit
]
For broader coverage of this topic, see Duplicate code
Tools that use sound, i.e. over-approximating a rigorous model, formal methods approach to static analysis (e.g., using static program assertions). Sound methods contain no false negatives for bug-free programs, at least with regards to the idealized mathematical model they are based on (there is no "unconditional" soundness). Note that there is no guarantee they will report all bugs for buggy programs, they will report at least one.
See also
[
edit
]
References
[
edit
]
This blog on static and dynamic code scanning in DevSecOps was co-authored by Dr. Ratinder Paul Singh Ahuja, CTO for Security and Networking, and Rajan Yadav, Director of Engineering, CNBU (Portworx), Pure Storage. Dr. Ahuja is a renowned name in the field of security and networking.
In part two of our series exploring our “6-Point Plan,” we delved into the second facet of a comprehensive DevSecOps strategy: threat modeling. We explored the nuances of threat modeling and the intricacies of STRIDE analysis. We dissected prevalent cyber threats, elucidated best practices, and underscored the indispensable nature of threat modeling in the realm of cybersecurity.
In part three, we’ll pivot our focus toward the third element of our strategic framework—static and dynamic code scanning. This will be an in-depth exploration of this critical aspect. And, we’ll also scrutinize the merits and demerits of the plethora of scanning tools available in the security landscape and how you can build a more comprehensive approach toward static and dynamic code scanning.
Code scanning is the automated process of analyzing source code for potential security vulnerabilities, coding errors, and compliance violations. It’s an essential part of the DevSecOps lifecycle that aims to integrate security into the software development process from the start
Code scanning can be performed at various stages of the development lifecycle—from early prototyping to production deployment. Static application security testing (SAST) is the most common type of code scanning. SAST analyzes source code for potential vulnerabilities without executing it. Other types of code scanning include dynamic application security testing (DAST), which executes code and analyzes its behavior for vulnerabilities, and software composition analysis (SCA), which analyzes third-party components for known vulnerabilities.
The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities that’s operated by the MITRE Corporation with support from US-CERT and the National Cybersecurity Division of the U.S. Department of Homeland Security. CWE is a community project with the goal of understanding flaws in hardware and software and creating tools that can be used to identify, fix, and prevent those flows.
The MITRE CWE Top 25 Most Dangerous Software Weaknesses list is calculated by analyzing public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two calendar years. The CWE Top 25 also incorporates updated weakness data for recent CVE records in the data set that are part of CISA’s Known Exploited Vulnerabilities Catalog (KEV).
The 2023 MITRE CWE Top 25 list includes:
# CWE ID Name Impact and Mitigation Recommendations
CWE-787
Out-of-bounds Write
Impact: Arbitrary code execution or crash. Mitigation: Implement bounds checking.
2.
CWE-79
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Impact: Hijack user sessions, deface websites. Mitigation: Sanitize input, use CSP.
3.
CWE-89
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Impact: Unauthorized database access. Mitigation: Use prepared statements, parameterized queries.
4.
CWE-416
Use After Free
Impact: Arbitrary code execution. Mitigation: Ensure proper memory management and deallocation.
5
CWE-78
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Impact: Execution of arbitrary commands. Mitigation: Sanitize inputs, use secure APIs.
6.
CWE-20
Improper Input Validation
Impact: Various, based on exploitation context. Mitigation: Validate all inputs.
7.
CWE-125
Out-of-bounds Read
Impact: Information disclosure, crash. Mitigation: Implement bounds checking.
8.
CWE-22
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Impact: Unauthorized file access. Mitigation: Sanitize file paths, enforce access controls.
9.
CWE-352
Cross-Site Request Forgery (CSRF)
Impact: Unauthorized actions on behalf of users. Mitigation: Use anti-CSRF tokens.
10.
CWE-434
Unrestricted Upload of File with Dangerous Type
Impact: System compromise, malware upload. Mitigation: Restrict file types, scan for malware.
11.
CWE-862
Missing Authorization
Impact: Unauthorized access to functionality. Mitigation: Implement proper authorization checks.
12.
CWE-476
NULL Pointer Dereference
Impact: Application crash, potential code execution. Mitigation: Validate pointers before use.
13.
CWE-287
Improper Authentication
Impact: Unauthorized access. Mitigation: Strengthen authentication mechanisms.
14.
CWE-190
Integer Overflow or Wraparound
Impact: Memory corruption, arbitrary code execution. Mitigation: Validate integer calculations.
15.
CWE-502
Deserialization of Untrusted Data
Impact: Arbitrary code execution. Mitigation: Avoid deserializing data from untrusted sources.
16.
CWE-77
Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
Suggested reading:Impact: Similar to OS command injection. Mitigation: Input validation, use safe APIs.
17.
CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
Impact: Buffer overflows, arbitrary code execution. Mitigation: Use safe library functions, bounds checking.
18.
CWE-798
Use of Hard-coded Credentials
Impact: Unauthorized access. Mitigation: Use secure storage for credentials, implement dynamic secrets.
19.
CWE-918
Server-Side Request Forgery (SSRF)
Impact: Unauthorized internal network access. Mitigation: Validate and sanitize URLs, restrict URL schemes.
20.
CWE-306
Missing Authentication for Critical Function
Impact: Unauthorized use of critical functions. Mitigation: Ensure authentication for all sensitive functions.
21.
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
Impact: Data corruption, security bypass. Mitigation: Implement proper synchronization mechanisms.
22.
CWE-269
Improper Privilege Management
Impact: Escalation of privileges. Mitigation: Adhere to the principle of least privilege.
23.
CWE-94
Improper Control of Generation of Code (‘Code Injection’)
Impact: Arbitrary code execution. Mitigation: Sanitize inputs, use safe APIs.
24
CWE-863
Incorrect Authorization
Impact: Bypassing of authorization checks. Mitigation: Implement robust authorization checks and audits.
25.
CWE-276
Incorrect Default Permissions
Impact: Unauthorized access, privilege escalation. Mitigation: Set secure defaults, review permissions.
The weaknesses on this list are particularly dangerous because they can be easy to find and exploit. They can also open up opportunities for adversaries to take over a system, steal data, and prevent an application from working.
Code scanning is the process of examining code to identify bugs, errors, and security flaws. It plays an important role in the DevSecOps lifecycle for a variety of reasons, helping to:
This can help to reduce the cost and complexity of fixing vulnerabilities later on. It can also help to prevent vulnerabilities from being introduced into production software.
Code scanning can also identify coding errors and compliance violations, which can help to improve the overall quality of code.
By identifying and fixing security vulnerabilities early on, code scanning can help to reduce the risk of security breaches and data loss.
Specific examples of how code scanning can be used in the DevSecOps lifecycle include:
A developer can use a code scanner to check their code for vulnerabilities before they commit it to the code repository.
A security team can use code scanners to scan the codebase on a regular basis for new vulnerabilities.
A continuous integration (CI) pipeline can include code scanning as a step to ensure that code is secure before it is deployed to production.
Static and dynamic code scanning are two complementary techniques for identifying security vulnerabilities and other defects in software. Static code scanning analyzes source code without executing it and can be used to identify a wide range of issues, including:
Coding errors
Security vulnerabilities
Compliance violations
Performance problems
Design issues
Dynamic code scanning analyzes running code. It’s typically used to identify vulnerabilities that are only exploitable when the code is running, such as:
Buffer overflows
Race conditions
Injection vulnerabilities
Cross-site scripting (XSS) vulnerabilities
Static code scanning is best used early in the software development lifecycle, during the coding and design phases. It can be used to identify and fix issues before they are introduced into the codebase, which can save time and money in the long run. Static code scanning can also be used to:
Enforce coding standards
Improve the overall quality of code
Reduce the risk of security breaches
Dynamic code scanning is best used later in the software development lifecycle, during the testing and deployment phases. It can be used to identify vulnerabilities that may not be detected by static code scanning, such as vulnerabilities that are only exploitable when the code is running in a specific environment. Dynamic code scanning can also be used to:
Test the security of running applications
Validate the results of static code scanning
Identify vulnerabilities in third-party software
The rise of open source has revolutionized the software landscape, offering a wide range of benefits alongside nuanced security implications. Embracing open source code fosters innovation, collaboration, and cost-efficiency. Developers leverage a vast community’s collective expertise, accelerating development and customization. Moreover, transparency enables scrutiny, enhancing code quality and reliability.
However, this openness presents challenges. While advantageous, reliance on open source dependencies can introduce potential risks. Developers may unwittingly incorporate outdated or unpatched libraries, leaving systems vulnerable to exploits. Real-world breaches underscore this risk. Notable instances include the Equifax breach in 2017, where attackers exploited an unpatched Apache Struts vulnerability, affecting millions. Thus, while open source offers unparalleled advantages, diligent management and constant vigilance are imperative to navigate its complex security landscape.
There are a variety of tools available for dynamic and static code scanning. The following table, though not comprehensive, lists some of the common tools that can be used in DevSeCops pipelines for static and dynamic code scanning.
There are valuable learnings from our adoption of these tools and making them work at scale. First, early integration in the CI/CD pipeline is essential. In the true spirit of left-shifting security, the CI pipelines should be able to give feedback on code quality from a security standpoint as the developer is writing code. For this to happen, the integrated development environments (IDEs) used by developers must be integrated with code scanning tools that the company/team has adopted.
Automating vulnerability remediation is also necessary. The integrated scan with IDEs should provide recommendations on fixes. You’ll then want verification if vulnerabilities have been remediated. Services like GitHub Advanced Security can then be leveraged to verify if the developer has addressed all the identified security issues in the code when a PR is submitted to the CI pipelines.
It’s expected that the tool of choice has continuous monitoring and updating of vulnerability databases. Ensuring developer training and awareness is essential for proactive vulnerability management.
There are common misconceptions about proprietary code security. For example, one technical misconception is that proprietary code doesn’t require regular vulnerability scanning because it’s not widely used or targeted like popular open source software. This overlooks a critical fact: The complexity and uniqueness of proprietary software can often lead to specific, hard-to-detect vulnerabilities.
For instance, proprietary software may use unique algorithms or data structures that haven’t been as thoroughly vetted for security flaws as their open source counterparts. This lack of external review can leave hidden vulnerabilities, such as buffer overflows or SQL injection points, which are only discovered when they are exploited. The reality is there is a need for rigorous scanning and testing, even for in-house developed code.
In the realm of proprietary code, one technical challenge is the integration of third-party libraries or APIs that may not be fully scanned for vulnerabilities. Developers often use these components for efficiency, but they can introduce security risks if not properly vetted. A technical example is the use of custom encryption methods in proprietary software. While in-house encryption algorithms might seem secure, they often lack the rigorous testing that standard encryption methods undergo. This can lead to vulnerabilities in cryptographic implementations, making the software susceptible to attacks like side-channel attacks or cryptographic bypasses. Rigorous scanning and penetration testing are crucial to uncover these technical vulnerabilities, ensuring the integrity and security of the proprietary software.
There have been several high-profile incidents where vulnerabilities in proprietary code led to significant security breaches. For example, the Equifax breach in 2017, one of the largest data breaches in history, was due to an unpatched vulnerability in proprietary web application software. Another instance is the SolarWinds hack, a sophisticated cyber-espionage campaign discovered in 2020, which was perpetrated through malicious code inserted into the company’s proprietary software updates. These cases highlight the critical need for stringent security measures in proprietary code to prevent such devastating incidents.
False positives in code scanning refer to instances where the scanning tools incorrectly identify a piece of code as vulnerable or problematic when it is not. This can lead to unnecessary alarm and waste of developer resources. To mitigate this, organizations can implement machine learning-based algorithms that learn from past scanning results to improve accuracy. For example, tools like SonarQube use sophisticated pattern recognition to distinguish between true and false positives. Additionally, integrating human reviews and cross-referencing with vulnerability databases can help filter out false positives. Regularly updating the scanning tools’ rulesets and algorithms based on real-world feedback also ensures that the tools stay relevant and accurate.
In contrast, false negatives occur when scanning tools fail to detect actual vulnerabilities, which is a significant risk as it leaves systems exposed to potential breaches. To address this, organizations should adopt a layered scanning approach, combining multiple tools like static application security testing (SAST), dynamic application security testing (DAST), and interactive application security testing (IAST) to cover different aspects and stages of the development lifecycle. This comprehensive approach increases the likelihood of detecting vulnerabilities that might be missed by a single tool. Additionally, incorporating manual penetration testing into the security strategy helps uncover vulnerabilities that automated tools might overlook. Regularly updating and configuring the tools to keep up with emerging threats and changing codebase structures is crucial to minimize false negatives.
Timely patching of vulnerabilities is crucial, but it must be balanced with maintaining efficient development workflows. A technical approach to achieve this is the implementation of automated scan and patch management frameworks. These frameworks can be integrated into continuous integration/continuous deployment (CI/CD) pipelines.
For instance, using tools like Dependabot or Snyk, which automatically detect and suggest fixes for vulnerabilities in dependencies, greatly reduces the effort required by developers. These tools can be configured to automatically create pull requests for patching, allowing developers to review and merge them with minimal disruption.This integration ensures that security updates are handled proactively, without adding significant overhead to the development process. At Pure Storage, we leverage multiple scanning tools and have built a proprietary algorithm to reduce developer toil by filtering out unfixable vulnerabilities (vulnerabilities that don’t have fixes available). This allows developers to focus only on fixable vulnerabilities.
Achieving a harmonious balance between security and development speed hinges on the seamless integration of security protocols within the development cycle. This integration is a cornerstone of the DevSecOps approach, ensuring that security considerations are embedded at each phase of the software development process. Modern tools like GitHub Copilot, which leverages AI to assist in code writing, can be harnessed to provide real-time insights and suggestions, including security-related advice, directly within the integrated development environment (IDE).
This immediate feedback loop enables developers to concurrently address potential security issues while writing code, thereby reducing the likelihood of extensive revisions later on. This approach not only preserves the pace of development but also embeds security as a fundamental aspect of the coding process. Moreover, the utilization of advanced interactive application security testing (IAST) tools further augments this strategy by merging the strengths of both static and dynamic analyses, delivering prompt and accurate security feedback as the development unfolds.
Vulnerability management middleware is emerging as a solution to streamline the handling of security vulnerabilities in complex software systems. This middleware acts as an intermediary layer that aggregates, analyzes, and prioritizes vulnerabilities from various scanning tools and sources. By providing a centralized view and actionable insights, it helps organizations to more effectively manage their vulnerability landscape.
An example is the use of middleware platforms that leverage machine learning algorithms to prioritize vulnerabilities based on their potential impact and the likelihood of exploitation. This approach ensures that the most critical vulnerabilities are addressed first, enhancing the overall security posture without overwhelming the development team with a high volume of alerts. The middleware not only simplifies the process but also ensures a more accurate and efficient vulnerability management process, reducing the noise of false positives and focusing on truly impactful security issues.
The integration is not merely an enhancement; it’s an essential strategy for ensuring the security and reliability of software products in a digital world where threats are increasingly sophisticated and pervasive. The adoption of both static and dynamic code scanning methods provides a comprehensive defense mechanism, proactively identifying potential vulnerabilities and ensuring that they are addressed before they can be exploited.
Organizations must recognize that the journey toward robust software security is continuous and demands a proactive approach. Embracing a culture where security is not an afterthought, but rather a fundamental aspect of the development process, is critical. This approach requires a paradigm shift from reactive to proactive vulnerability management—a shift that can significantly reduce the risk of security breaches and enhance the overall trustworthiness of software systems.
As we look to the future, the role of static and dynamic code scanning in DevSecOps will only grow in importance. It’s incumbent upon organizations to not only adopt these practices but also to continuously evolve them, staying ahead of emerging threats and fostering an environment of relentless improvement in software security. The path forward is clear. A steadfast commitment to proactive security measures, underpinned by advanced code scanning techniques, is essential for the creation of secure, resilient, and trustworthy software in the modern digital era.
Stay tuned for the next installment in our DevSecOps blog series where we’ll dive into the critical realm of configuration hardening. We’ll focus on the essential strategies for securing operating systems, build environments, secret management, and container images—a cornerstone in safeguarding your CI/CD infrastructure.
Do you want to delve deeper? The following resources can help you further your understanding and learning into this vital field:
A rich resource for understanding web application security, including guidelines on static and dynamic code analysis.
Offers a wealth of knowledge on integrating security into DevOps practices, with a focus on code scanning methodologies.
Provides insights and tools for code scanning and vulnerability management, particularly in the context of GitHub repositories.
Provides insights on container security, including the hardening of container images and environments.
We invite you to share your insights and experiences with the tools we’ve discussed. Your stories are a valuable resource for others within our community, and your thoughts and queries are vital to us. Please feel free to provide feedback or ask questions at rahuja@purestorage.com.
169
0
0
Comments
All Comments (0)
Related Articles
What is a welding table stop
Welding table stops are essential fixtures in welding workshops, designed to assist welders in achieving accurate and repeatable welds. These stops are strategically positioned on welding tables to serve as physical barriers that limit the movement of workpieces, ensuring consistent positioning during the welding process.
By Hou
221
0
0
How Long to Wait After Using Ozone Generator?
Odor stinks – and yes, pun intended. It might be that musty basement, the lingering smell of cigarette smoke, pet odor, or an awful skunk smell that gives your home a characteristic odor that you can't seem to get rid of. If that's your current dilemma, then an ozone generator might be just what you need to improve the indoor air quality in your home or workspace.
By Hou
218
0
0
A Comprehensive Guide to Brass Laser Cutting Machine
In the realm of precision manufacturing, brass laser cutting machines have emerged as indispensable tools, offering unparalleled accuracy and versatility in working with brass materials. This comprehensive guide aims to provide an in-depth understanding of the capabilities, applications, and benefits associated with brass laser cutting machines.
By Hou
105
0
0
What you need to know about Fiber Laser Tube Cutting Machine
In the ever-evolving landscape of manufacturing technology, fiber laser tube cutting machines have emerged as a game-changer, revolutionizing the precision and efficiency of tube processing. This article is your comprehensive guide to understanding the intricacies, benefits, and applications of fiber laser tube cutting machines.
By Hou
107
0
0
What is a paint mixer used for?
In the realm of painting and coatings, a paint mixer emerges as an indispensable tool, playing a crucial role in achieving uniformity, consistency, and optimal performance of paints. This comprehensive guide aims to elucidate the multifaceted uses and benefits of paint mixers across various industries and applications.
By Hou
203
0
0
How do I know which air filter to buy?
By Hou
98
0
0
What is Video Metrology and How Does it Work?
By Marina
177
0
0
What You Need to Know Before Buying a Plate Rolling Machine
Owing to the vast models and types of plate rolling machines in the market, sometimes it can be daunting to know where to begin when buying a machine that best fits your bending application needs. While cost considerations are essential when deciding the type of plant rolling machine you’ll purchase, you must also pay attention to many other things.
By May
199
0
0