Blog

Category: Application Security Testing

 

DLP (the traffic cop) vs. DRM (the armored truck)

Like digital rights management (DRM) for the enterprise, data loss prevention (DLP) solutions have recently seen a resurgence. Both aim to protect sensitive documents against leakage and exfiltration. Those looking to deploy or expand one or the other frequently weigh DRM vs. DLP. But how helpful is this “either/or” perspective really?

For starters, it risks missing one crucial difference between these two approaches to document protection. Unlike DRM, DLP isn’t designed to protect information once it makes it outside an organization’s IT perimeter.

By definition, that’s precisely the scenario DLP purports to prevent in the first place. So this wouldn’t be a problem if DLP worked reliably 100% of the time. But it doesn’t. Why?

One answer is that DLP still requires a high degree of human intervention or supervision. This fact doesn’t take away from the advantages of document security automation. I’ll get into the details below. But first, let’s back up a moment and look at the definitions of DRM and DLP.

What’s the main difference between DRM and DLP?

DRM (a.k.a. IRM, for Information Rights Management) automatically encrypts files and controls file access privileges dynamically at rest, in use, and in motion. 

DLP analyzes document content and user behavior patterns and can restrict movement of information based on preset criteria.

I’ve written about DRM vs. DLP on this blog before, in 2014. While little has changed about the definitions, cloud services and remote work have become ubiquitous since – and IT perimeters more blurred.

Add to that the dramatic rise of (AWS) data leaks, insider threats (such as IP theft), and double-extortion ransomware attacks. Taken together, these trends explain why the main difference between DRM and DLP has become more pronounced recently.

In a nutshell, it’s the difference between a traffic cop and an armored truck. As for the cop part, I’m not the first to draw this analogy; DLP has been compared to an officer posted at an exit ramp before.

In this analogy, only traffic identified as legitimate is waved through and allowed to leave the main drag (i.e., your network) and race off into uncontrolled territory. A police officer may check a car’s license plates, ask for ID, and scan the vehicle’s interior before giving someone permission to pass through.

Image for DRM / DLP comparison: DLP works like a police checkpoint

Traditional DLP works in a similar way. It scans files, detects data patterns, and automatically enforces appropriate actions using contextual awareness to avoid data loss. However, the similarities don’t end here.

DLP’s biggest weakness

DLP also faces three significant challenges similar to those of a roadblock cop:

 

  • How can you accurately establish which traffic to allow through, and handle the task effectively and expediently, before the exit point becomes a bottleneck?
  • What about all the exits not covered? With DLP, those would be USB drives, SaaS file sharing applications such as Google Drive or Dropbox, or enterprise messaging apps such as Slack or Microsoft Teams. Think of them as equivalents of the service road turnoff some locals (i.e., insiders) know and use to avoid a roadblock.
  • And, last but not least, what happens with the traffic that should never have made it past the checkpoint, but somehow did so anyway? Most companies need to share sensitive data with external contacts, like vendors or customers. A common occurrence is that a confidential document is mistakenly sent to the “wrong” person in a company whose email domain is safelisted as a recipient.

“Not my problem anymore,” says the (DLP) cop. What’s gone is gone, even if it ends up in the wrong hands. With the first two issues on this shortlist, data loss prevention products have been struggling from the beginning. As for the third item, it exposes DLP’s biggest weakness.

Here’s what I mean: By promoting a solipsistic focus on internal file downloads and sharing, DLP creates a false sense of security. In reality, once sensitive information moves beyond the point of egress, an organization loses all visibility and control over what happens with its sensitive data.

Has DLP been a failure?

I wouldn’t go that far. If that were the case, why did Gartner analysts expect about 90% of organizations to have “at least one form of integrated DLP” in place by this year? That’s an increase from 50% in 2017.

While DLP wasn’t the panacea that marketers made it out to be, it still has its place. In the enterprise, DLP has helped establish a baseline for document protection. One example is tagging documents that contain personally identifiable information (PII) to ensure compliance with GDPR, the General Data Protection Regulation of the European Union.

DLP deployments require IT and other stakeholders (compliance teams, data owners) to take stock of sensitive information across the board and categorize it. The downside is that it also demands constant tweaking and fine-tuning of filters and policies.

If your business deploys DLP, you have learned the hard way that most of this burden falls on IT. DLP filters are notorious for generating “false positives”. They are known to cause workflow breakdowns because of mistakenly flagged files. The DLP filter may, for example, identify a 16-digit internal reference number in a document as a credit card number and prevent the file from getting shared.
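The 16-digit false positive above, worked through as an added example (it is not code from this post or from any Fasoo product): a naive content rule flags the internal reference number, while adding the Luhn check that every real card number passes lets the same scanner wave it through. The sample documents are constructed; 4111 1111 1111 1111 is a well-known test card number.

```python
import re

# Constructed sample documents for the demo (not real data).
DOCS = {
    "invoice.txt": "Please settle card 4111 1111 1111 1111 before Friday.",
    "ticket.txt": "Internal reference 1234567890123456 opened for review.",
    "memo.txt": "Budget review notes, nothing sensitive here.",
}

# Sixteen digits, optionally separated by spaces or dashes: the classic naive "credit card" rule.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def naive_dlp(text):
    """Flag every 16-digit run: exactly the rule that blocks the internal reference number."""
    return [m.group(0) for m in PAN_PATTERN.finditer(text)]


def luhn_ok(digits):
    """Luhn checksum, which every genuine payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tuned_dlp(text):
    """Keep only matches that pass Luhn; roughly 9 in 10 random 16-digit numbers are dropped."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits.append(m.group(0))
    return hits


def scan(docs, detector):
    """Run a detector over each document; a non-empty hit list means 'block the transfer'."""
    return {name: detector(text) for name, text in docs.items()}


if __name__ == "__main__":
    for name, hits in scan(DOCS, naive_dlp).items():
        print(f"naive: {name}: {'BLOCK' if hits else 'allow'} {hits}")
    for name, hits in scan(DOCS, tuned_dlp).items():
        print(f"tuned: {name}: {'BLOCK' if hits else 'allow'} {hits}")
```

The checksum only shrinks the false-positive rate, it does not remove it: an internal number that happens to pass Luhn still trips the rule, which is why the filters need the ongoing tuning (context keywords, allow-lists) the post describes.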

In 2021, DLP describes a mindset more than a unified approach or one specific method to stop data leakage or exfiltration. But DLP modules and add-ons have become part of the point solutions mix. They complement particular applications or tools, such as cloud security services or Microsoft AIP.

And like with many point solutions, blind spots and coverage gaps* remain that you can drive a truck through. Which brings us back to the armored truck.

Armored truck for confidential data

If we understand DLP as the cop who creates a bottleneck sorting out which traffic can pass, we can think of enterprise DRM as the equivalent of an armored truck. Tethered to a C3 (command, control, and communication) center, it can only be unlocked by dispatchers at a remote location.

In other words, whatever neighborhood the vehicle ends up in once it’s past the exit point, the load remains secure. The owner maintains control over the cargo and who can access it.

With Fasoo Enterprise DRM, the C3 center would be the Fasoo server. The cargo is your sensitive data locked down with Fasoo encryption. And the dispatcher would be Enterprise DRM’s centrally managed policy settings.

So what happens to DLP in this picture? My main point here is that you don’t have to bother with interrogating file content once it is encrypted by Enterprise DRM. That doesn’t mean your existing DLP deployment becomes irrelevant.

DRM + DLP for the win

Case in point: sensitive emails. DRM doesn’t automatically encrypt outgoing email, for example. DLP, on the other hand, can flag content inside emails for extra protection, or to prevent a message from leaving the organization altogether.

Another advantage of DLP is that it helps IT teams gain and maintain a baseline understanding of how sensitive data moves through their network. With adequate calibration, it serves as a low-investment yet efficient tool for data risk discovery.

From a pure document security perspective, DRM fills in the remaining blanks. It gives us peace of mind that confidentiality and compliance remain ensured for any file that finds its way past the egress point. Or, to put it differently – if you ran a bank, would you feel comfortable having a bicycle courier handle the money transports?

Nope, you’d leave it to the pros with proper equipment.

So, the armored van it is. In summary, deploying an enterprise-scale DRM solution enables your organization to protect its existing DLP investments. It helps you tie up loose ends in a global, multi-cloud, work-from-anywhere IT environment.

By combining both methods, you can play to DLP’s actual strengths. Examples include spotting suspicious activities and patterns that indicate possible insider threats, or flagging files – including emails – for DRM protection before they can leave the organization.

That way, you don’t have to rely exclusively on the overwhelmed cop at the exit ramp anymore.

Would you like to learn more about how Fasoo Enterprise DRM and DLP work together for maximum protection of unstructured data? Connect with our experts!

###

*For a comprehensive overview, I recommend the post Insider Threat Management: Part 1 – 7 Reasons Not to Settle for DLP on the blog of cybersecurity company Proofpoint.

Fasoo Data Security and Intelligence Document Platform on Display at RSA Conference 2017

Fasoo has a big presence at the RSA Conference 2017 in San Francisco, where we will showcase our newly expanded data security and management framework, which helps companies track, manage and secure their data.

Focusing on the business themes of Security, Governance and Productivity, Fasoo is helping executives and boards of directors comply with enhanced cybersecurity regulations while ensuring they can meet the needs of constantly changing business models that demand secure collaboration to get things done.

Today’s business world demands a new look at how we define and protect the borders of our organizations, because our data is created, stored and consumed in systems that may be outside the traditional information security and document management models. Visitors to Fasoo’s booth #S1239 will see demonstrations of the Fasoo Data Security Framework and Wrapsody, which together help organizations consistently control, secure, track and manage documents no matter where they travel. This new, integrated data-centric approach overcomes the limitations of legacy solutions and comprehensively satisfies the organizational demands placed on data security, governance and productivity.

Fasoo will also show its machine learning-based static application security tool, SPARROW, which identifies and remediates security vulnerabilities in your software. With a large focus on embedded systems, IoT (Internet of Things) and ever-expanding mobile apps, ensuring that your applications are robust and secure is the best way to protect your users from data breaches and privacy and security concerns.

“It is imperative that organizations have data-centric content management and security traveling with their information,” said Fasoo’s CEO Kyugon Cho. “Our theme at this year’s show highlights the robust nature of our best-in-class software technologies that enable us to truly be ‘Data-centric Everything’ – and address the full range of current and emerging enterprise data demands.”

In addition to the product demonstrations, Fasoo will be hosting presentations throughout the day addressing how companies can win big by targeting data use cases that are at the intersection of multiple organizational needs. Satisfying the competing interests of business productivity and data security and governance has always been a big challenge, since focusing on one typically causes deficiencies in the others. The Fasoo approach helps satisfy all these needs without sacrificing anything.

Another bonus is that visitors to the Fasoo booth have an opportunity to win an Amazon Echo and some other great prizes.

Fasoo Launches Sparrow on Cloud, SaaS version of SAST

SPARROW, a static code analysis application, is now available as a Software as a Service (SaaS) offering to help organizations quickly detect critical software vulnerabilities at the early stages of software development. “SPARROW on Cloud”, SPARROW’s cloud edition, is an agile, flexible, reliable and cost-effective solution that allows organizations to easily manage application security challenges.

“IoT has brought an upsurge in new software that connects and operates everything from cars to medical devices and with that, enormous risk at the development level,” said Fasoo’s CEO Dr. Kyugon Cho. “Providing software developers with a cloud based application security testing solution was the logical next step for Fasoo as it is so essential for software to be secure at the code level.”

Unlike other static application security testing (SAST) solutions, SPARROW analyzes source code with a robust static analysis engine that uses a deep semantic method to find vulnerabilities that other SAST applications may have difficulty identifying. The solution is designed to enforce multiple policies dynamically for different projects or users/groups, and offers fast analysis (1M LOC per hour) with high accuracy (OWASP Benchmark score: 94.8). In addition, SPARROW enables organizations to identify and fix issues by leveraging machine learning and automation features like:

  • Intelligent Issue Clustering: SPARROW categorizes similar issues in groups that allow organizations to identify and correct issues efficiently.
  • Active Suggestion: SPARROW not only identifies software vulnerabilities, but also can help remediate code using automated code suggestions.
  • Issue Classification:  SPARROW analyzes, ranks, and prioritizes high priority issues in an easy to read dashboard display.
  • Advanced Issue Filtering: SPARROW provides detailed filter options for the detected issues (e.g., source API, sink API, called method, etc.).

SPARROW is used by government agencies, corporations and anyone developing embedded software that requires a very high level of software quality. The SAST version of SPARROW is also used by government and the financial industry, which aim to eliminate security weaknesses from their source code.

Fasoo is offering a limited introductory promotion for the cloud version of SPARROW. By purchasing a subscription between January 17, 2017 and March 30, 2017, customers will get the equivalent amount of extra time at no extra cost. For example, if customers select a one month subscription (Silver) they will receive an extra month free. Please click here for more information about SPARROW on Cloud.

Sparrow helps stop security vulnerabilities while you code

A recent article by Maria Cosgrove in CSO asked the question “Wouldn’t it be nice if software developers had something like spellcheck, but instead of catching simple grammar mistakes, it caught basic security problems?”

Very good question, especially when you think about all the cyber security problems and attacks we’ve seen in recent months.  The reality is that developers are still writing software with security vulnerabilities.  As project timelines contract and more people are involved, the development cycle becomes more complex and is prone to problems.  If the problems were rarely seen bugs, it would be one thing, but why are there so many basic errors inside a lot of software?

Ron Arden, Executive Vice President at Fasoo, was quoted in the article saying, “Today’s integrated development environments can already catch common syntax errors, like missing semicolons.  If there’s a function you’re using, it shows the parameters, but it won’t tell you if there’s a SQL injection or cross-site scripting error.”

So, back to the original question: a tool like a spellchecker that identifies and helps eliminate these problems would let developers fix vulnerabilities immediately and also learn to write more secure code in the process.

Traditionally, companies test software for vulnerabilities after it has been written, during a QA process, but that can be too late, since it introduces too many problems and delays in the development cycle. A better approach is to use application security testing during code development to detect security vulnerabilities using an analysis engine based on semantic and syntactic methods. This not only improves the code, but also helps meet a strict set of compliance requirements that follow CWE, OWASP, CERT and other international standards.

Cyber attacks have typically targeted network weaknesses, causing organizations to protect themselves with firewalls, intrusion prevention systems, and similar tools. Newer attacks target weaknesses in the software that companies develop and use. It is difficult to stop malware-related attacks after software has been developed. It is better to head off these attacks before the software is deployed, by detecting all security vulnerabilities in the source code.

Another issue is the cost to fix vulnerabilities after you release software. Studies show it can cost less than $1,000 to fix a bug during the coding process, but over $14,000 to fix it after it is released. This doesn’t take into account remediation needed by a customer to address any problems caused by the bugs in the first place.

Checking security vulnerabilities during development is the optimal approach and will help minimize potential problems before deployment.  This will dramatically reduce the security attack surface in a production system and help us all sleep better at night.

Sparrow Static Application Security Testing

While everyone still draws attention to the need for protection from cyber-attacks and the need for firewalls, intrusion prevention systems, and similar tools, recent highly publicized breaches have been raising awareness of weaknesses in the software developed and used. The market is now forced to focus on how to identify and remediate vulnerabilities within applications themselves, as things like buffer overruns, SQL injections, cross-site scripting, hard-coded passwords, memory leaks, uninitialized variables, division by zero, and integer overflows can have devastating results.

This is quite a change from the way things used to be. Rather than being an afterthought, security in software design is now becoming an increasingly important concern during development as applications are becoming more and more accessible and hence becoming vulnerable to a wide variety of threats. There is much concern over the likelihood of unauthorized code manipulating applications to access, steal, modify, or delete sensitive data.

You may be looking to incorporate Application Security Testing (AST) into your security program. Perhaps you have heard of various approaches and are trying to determine how best to proceed. As a first step, you may want to be familiar with the different approaches available in the marketplace today:

  • Static AST (SAST) – analyzes source code for vulnerabilities during the programming and testing phases of the software life cycle (SLC). Think of this as testing the application from the inside out.
  • Dynamic AST (DAST) – analyzes the running state of applications during testing or when the application is operational. Think of this approach as testing the application from the outside in, probing and prodding it in unexpected ways to find security vulnerabilities.
  • Interactive AST (IAST) – combines SAST and DAST together.
  • Mobile AST – combines SAST and DAST plus behavioral analysis.

DAST and SAST are the most widely accepted approaches with high adoption and maturity rates out of the four types today. IAST and Mobile AST have only recently emerged and don’t have the same adoption as of yet.

Most organizations with limited resources have traditionally taken the route of implementing DAST, primarily due to the thinking that it is cheaper and does not take a long time to implement and to train the developers. However, this approach has usually fallen short in more progressive development methods due to its inherent limitations. DAST tools can’t be used on source code or un-compiled application code, delaying the security deployment until the later stages of development.

While the norm today in the market is that performing some application security testing is better than not performing any at all, organizations should consider combining SAST with DAST to combat the security challenges they face today. After all, application-layer attacks are growing at a stunning pace while organizations are still trying to figure out how to adequately improve application security programs, giving the bad guys the upper hand to do harm.

Static Application Security Testing

Many companies have significant investments in network security, but it’s not enough because a significant chunk of all cyber-attacks are happening on the application layer. Cyber criminals are increasingly targeting the application stack for exploitation.

According to the U.S. Department of Homeland Security (DHS), 90% of security incidents result from exploits against defects in software. The Forrester Wave: Application Security Report says that companies rush to build and use applications without thinking about the security of the application itself. The Global Information Security Workforce Study published by the International Information Systems Security Certification Consortium (ISC)² claims that 30% of companies never scan for vulnerabilities during code development. These are all astounding findings!

Companies need to improve how they find and fix vulnerabilities and to reduce the risk created by the proliferation of vulnerable applications used on a daily basis. A good application security program has to start with a systematic process for assessing code during an application’s development stage, requiring software assessments at every stage of the development process rather than at the end of the cycle. There is a significant amount of pressure on development teams to produce functional applications quickly, and the emphasis on functionality and speed means security is generally left behind.

Companies face adversaries who are motivated by money, politics and other reasons to find vulnerabilities so they can steal sensitive and valuable information. One of the ways cyber criminals do this is by exploiting security vulnerabilities introduced, or not remedied, during the software development cycle. Many companies require their developers to do only the bare minimum for security: scanning code once rather than continuously.

Static and dynamic analyses are two of the most popular types of security tests. There are many vendors in the market specializing in application testing and security: some are big and others are smaller, providing niche solutions. Companies must choose carefully which security testing to implement.

Typically, vulnerabilities found through the use of static analysis have a higher fix rate than those found by dynamic analysis. Static analysis compared with dynamic analysis is a more thorough and a more cost-efficient approach because of its ability to detect bugs at an early phase of the software development life-cycle.

Current times and challenges require companies to be vigilant in securing sensitive data to avoid costly and embarrassing data breaches. As part of an overall security posture, companies must not overlook the value of static application security testing. Given the inherent risk involved, an application vulnerability can cripple customer trust.  Static application security testing is a must have tool in any environment developing applications.

Pants Down

Technology has changed the way we live our lives. Whether we are at work, home or outside, we have become dependent on our computers, mobile phones and the internet. On a daily basis, we all interact with a significant number of applications.

Demand for technology has led to an explosion of software we use daily, whether these are applications used in the office or at home. Demand for new or updated functionality has shortened software release cycles and application developers need to rapidly introduce new features to outpace competition and meet customer demand. With this reality, application security risk management can no longer be treated as a nice-to-have element.  It must be a mission-critical requirement at every company that develops software.

Gone are the days with long release cycles and infrequent updates.  Application developers are faced with increased pressure to release software, updates and new features and this presents a significant issue with security. While software companies primarily focus on user experience and business value, often they miss the importance of ensuring the applications are truly secure without vulnerabilities.

Surveys like the recent Ponemon Institute 2016 Application Security Risk Management Study indicate that basic security steps are often neglected – 48% of respondents said their organizations don’t take basic security measures. How can applications be secure without appropriate security testing?

Application security testing ensures that potential application security vulnerabilities are remedied prior to the release and consumption by users. Static Application Security Testing (SAST) is one of the tools that must be part of every application development company’s security risk management process.

Often, companies associate SAST with a high volume of vulnerability findings that makes remediation ineffective and time-consuming. Learn about Fasoo’s SPARROW capabilities:

  • SPARROW enables developers and quality/security managers to remediate flaws reported through code suggestions.
  • SPARROW’s Intelligent Alarm Clustering groups related vulnerabilities in source code with a unique ID enabling faster remediation.

Organizations must utilize SAST in the scope of their application security preparedness to reduce risks that are introduced by application infrastructures. SAST must be part of security risk management practices in every company developing applications.

Stay One Step Ahead Of The App Hackers

I recently wrote an article about hackers getting iOS app developers to use a bogus Xcode development kit downloaded from a Chinese site to create applications. The development kit contained malicious code that caused all types of security problems in iPhone and iPad apps. Read the entire article here.

This is a new frontier for hackers. Rather than attacking perimeter security defenses, like firewalls and endpoint encryption applications, the hackers are getting developers to embed security vulnerabilities into their code. This essentially bypasses the middle man, since the applications are already compromised. Hackers just need to activate malicious capabilities to steal sensitive information or compromise systems. It’s a clever ploy and takes these attacks to a new level.

Fortunately there is a way to thwart these attacks.  Using a semantic-based static analysis tool helps developers discover and eliminate these security vulnerabilities in the source code.  It can analyze millions of lines of code quickly and locate bugs, security holes, runtime errors, hard-coded passwords, cross-site scripting, SQL injections and more at the early stages of software development.

Most organizations and regulations now demand that developers follow secure coding compliance requirements for software development. This is in reaction to major incidents of cyber terrorism and events like the compromised App Store applications. According to NIST, if organizations detect and remove security weaknesses before completing development, they can reduce the expense by up to 30 times compared with finding and removing security weaknesses after development. The use of a semantic-based static analysis tool is the only way to detect all of these security weaknesses within the source code before it is released.

As everyone relies more heavily on apps, especially with the emergence of IoT (Internet of Things), hackers will go where the sensitive and private information lives. Your phone and tablet can access a lot of sensitive personal and business information, giving attackers a lot of bang for the buck. Stopping bugs and security vulnerabilities before you create and release your apps ensures that users of those apps can do so safely without concern for a data breach. Stop the bugs before they stop you and your users.

Photo credit Brian Klug

Fasoo Sparrow Static Source Code Analysis Tool

I have been in the security and privacy industries throughout my entire career. I started my journey many years ago as a software developer and moved into the business side of things gradually. All these years, it has always been painful to see companies spend enormous amounts of dollars on firewalls and anti-virus software year after year, while vulnerabilities in software remain unidentified or unfixed in applications. We are living in a world built on software, and not a single day goes by without headlines about enterprising intruders exploiting weaknesses to steal massive amounts of data or to inflict damage. Current cyber-attacks target weaknesses in the software organizations develop and use. After software has been developed, it is generally difficult to stop malware-related attacks.

Below are the top ten reasons why software developers should use static code analysis:

1. Meet mandatory requirements – In recent years, software code quality and security started to go through a transformation. Financial services firms, including investment banks, have made it mandatory to pass static code analysis tests, penetration and security testing before they put source code into production.  Most organizations and regulations now demand that developers follow secure coding compliance requirements for software development. This is a direct result of major incidents and cyber terrorism all over the world.

2. Really understand your application – As you are building your application, static code analysis can provide you with insight into how it is progressing.

3. Code simplification and sanitizing – Your code may be the work of several programmers working on different parts, each reusing different components from different sources, which makes pinpointing any existing defects a complex process.

4. Identifying and fixing potential vulnerabilities, bugs and security threats – Static code analysis is one of the tools used to analyze source code without executing it and helps find potential vulnerabilities, bugs and security threats. The tool looks for patterns, defined as rules, which can cause security vulnerabilities or other code quality problems.

5. Checking to see if your code complies with best practices and coding standards – Coding standards and best practices when programming yield substantial benefits. With static code analysis you can check things automatically to find problems like repeating the same name for two variables of different scopes.

6. Detect errors in your code before someone else finds them – Buffer overruns, SQL injection, cross-site scripting, information leakage, TOCTOU race condition and hard-coded passwords, memory/resource leaks, null dereference, uninitialized variables, division by zero, use after free and integer overflow errors can be problematic.

7. Code documentation – Code that is not well documented can be extremely difficult to work with and consumes unnecessary time. By running static analysis you can find out what you forgot to comment or where you need to add further comments.

8. Improve application performance – Static code analysis can make you aware of some inefficiencies that would impact your application performance and give you the opportunity to fix them in a timely manner.

9. Better resource utilization – Finding the bugs and issues early in a development cycle means your costs will be less to fix them.

10. It is good practice and your clients will appreciate it – Along with unit testing, code reviews, and continuous integration, static code analysis is another tool to help you produce a better quality software product.
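A toy version of the rule-driven, source-to-sink analysis described in the SPARROW on Cloud post above (source API, sink API, called method) and in reason 4 here, written as an added example for this page: it is not SPARROW's engine or any Fasoo code, the SAMPLE program is constructed, and the SOURCES, SINKS and SECRET_NAMES rule sets are hypothetical stand-ins for a real tool's rule base. It runs over the Python AST without executing the program, tracks which variables carry untrusted data, and reports a SQL injection and a hard-coded password.

```python
import ast

# Constructed sample program to analyse (hypothetical web handler, not real project code).
SAMPLE = '''
import sqlite3
DB_PASSWORD = "hunter2"                       # hard-coded secret
def lookup(request, conn):
    user = request.args.get("user")           # untrusted source
    q = "SELECT * FROM t WHERE name = '" + user + "'"
    conn.cursor().execute(q)                  # tainted data reaches a SQL sink
    safe = "SELECT * FROM t WHERE name = ?"
    conn.cursor().execute(safe, (user,))      # parameterised: query text is untainted
'''

# Hypothetical rule sets; a real SAST engine ships thousands of these.
SOURCES = {"request.args.get", "input"}       # calls returning attacker-controlled data
SINKS = {"execute", "executescript"}          # methods whose first argument must stay untainted
SECRET_NAMES = ("password", "passwd", "secret", "api_key")


def call_name(node):
    """Dotted name of a call target, e.g. request.args.get -> 'request.args.get'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def is_tainted(expr, tainted):
    """True if the expression reads a tainted variable or calls a source directly."""
    for n in ast.walk(expr):
        if isinstance(n, ast.Name) and n.id in tainted:
            return True
        if isinstance(n, ast.Call) and call_name(n) in SOURCES:
            return True
    return False


class Analyzer(ast.NodeVisitor):
    """Tracks taint through straight-line code; path-insensitive, which is enough for the demo."""

    def __init__(self):
        self.findings = []          # (line, rule, detail)
        self.tainted = set()        # variable names currently holding source data

    def visit_FunctionDef(self, node):
        self.tainted = set()        # fresh taint state for each function body
        self.generic_visit(node)

    def visit_Assign(self, node):
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        # Rule 1: string literal assigned to a secret-looking variable name
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for n in names:
                if any(k in n.lower() for k in SECRET_NAMES):
                    self.findings.append((node.lineno, "HARDCODED_SECRET", n))
        # Taint propagation: the target inherits the taint of the right-hand side
        for n in names:
            if is_tainted(node.value, self.tainted):
                self.tainted.add(n)
            else:
                self.tainted.discard(n)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        # Rule 2: tainted expression in the first argument of a SQL sink
        name = call_name(node)
        if name.split(".")[-1] in SINKS and node.args and is_tainted(node.args[0], self.tainted):
            self.findings.append((node.lineno, "SQL_INJECTION", name))
        self.generic_visit(node)


def analyze(source):
    """Run the rules over one source file; returns findings sorted by line."""
    a = Analyzer()
    a.visit(ast.parse(source))
    return sorted(a.findings)


def cluster(findings):
    """Group findings by rule, the way an issue-clustering view would present them."""
    groups = {}
    for line, rule, _ in findings:
        groups.setdefault(rule, []).append(line)
    return groups


if __name__ == "__main__":
    for line, rule, detail in analyze(SAMPLE):
        print(f"line {line}: {rule} ({detail})")
```

The parameterised query on the last line of SAMPLE is correctly left alone, because only the first argument of the sink is checked; the tainted value travels in the parameter tuple, where the database driver escapes it.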

Stopping an App Attack with a semantic-based static analysis toolApple was cleaning up its iOS App Store on Sunday to remove malicious iPhone and iPad programs identified in the first large-scale attack on the mobile software outlet.  Apparently the source of the problem was a bogus Xcode development kit that developers downloaded from a Chinese site.  Many app and Mac developers use the Apple Xcode tools to develop iOS and OSX applications.

The hackers convinced developers to use their version of the Xcode tools rather than Apple’s official software. One theory is that Apple’s servers are slow to download from inside China, so developers used this alternative mirror for convenience and speed. Downloading software from mirrors is fairly common, but the developers were unaware that these tools were not genuine.

Cyber-attacks typically target network weaknesses, so organizations protect themselves with firewalls, DLP, intrusion prevention systems and similar tools, but more recent attacks target weaknesses in the software organizations develop and use. It is difficult to stop malware-related attacks after software has been developed. Hackers are realizing that if they can get a developer to embed malicious code into an application, it is easier to carry out an attack, especially when the malicious code ships in an app that might be downloaded by millions of users.

The attack on Apple’s iOS App Store by rogue code embedded in apps could have been prevented by using a semantic-based static analysis tool. These cyber-attacks target weaknesses in software, and such tools let you virtually eliminate them by detecting all security vulnerabilities in the source code. Static analysis would have detected the XcodeGhost malicious program and could have eliminated the vulnerabilities before the developers submitted their apps to the App Store.

Software vulnerabilities in apps are the next frontier for hackers and anyone intent on stealing information. Stopping malware and other bugs before apps are compiled and distributed is the best way to stop these attacks.


Photo credit Kārlis Dambrāns

Achieving Software Quality and Secure Coding Concurrently

Major National Bank Achieves Software Quality and Secure Coding Concurrently through SPARROW

Expansion in electronic financial services requires advancement in software quality and secure coding

A 2012 report from the Financial Supervisory Service states that half of financial data-processing errors were caused while modifying programs. For businesses handling financial transactions, quality assurance of the software behind the IT service is more important than in any other industry. Furthermore, new cyber threats keep emerging, and as a result businesses are demanding security reinforcement through secure coding.

As the bank started to offer more diverse products and the workload grew, it found limitations in relying on manpower to test the software developed for its IT service. The bank recognized the need to detect and remove potential software vulnerabilities, both in programs outsourced to partner firms and in all internally developed programs, through a source code analyzer that strengthens automated quality testing and provides security verification with secure coding.

Standards, performance and supporting systems of the source code analyzer

The bank selected Fasoo’s product SPARROW, which received praise for its detection performance and support system in a benchmarking test (BMT). SPARROW offers semantic-based analysis and shows strong performance in detecting critical and hidden run-time errors. SPARROW not only follows the development security guidelines of the Ministry of Security and Public Administration (MOSPA), but also international standard guidelines such as OWASP and CERT, and recently acquired CWE certification, the first product in Korea to do so. SPARROW was acknowledged for its ability to minimize the security vulnerabilities defined by these international standards. Currently, members of the biggest Korean research lab in the area of static analysis, the Research on Software Error-free Computing Center of Seoul National University, are part of the team, committed to consulting and providing technical support.

Applied to all development work of the IT Department

For a successful integration, it was important to make the source code testing process smooth for developing, maintaining and operating the various programs handled by the more than 1,000 employees of the bank’s IT Department.

Developers check their source code frequently through the client analysis manager and IDE plug-ins, and the person in charge of quality manages the gathered analysis reports from the central management system to ensure quality and security in the early stages of the SDLC.

Furthermore, their development process includes a configuration management system for projects developed in cooperation with many developers. They created a workflow by linking the SPARROW analysis server to the configuration management system, so that only source code verified by SPARROW is allowed to be transferred to the main server.

SPARROW consists of a deep source code analysis engine, a manager (Whistle) that performs analysis on the client, a plug-in that performs analysis in the IDE, and a central system (NEST) that gathers and manages the analysis results. Each module can easily be applied to different development environments anywhere in the SDLC.

Central system combining management and operation

The bank developed a central unified management system to inspect the source code of more than 100 projects from its IT Department, split by developer or by module. SPARROW’s unified management system, NEST, is an efficient web-based system that inspects the quality and security of different business units and shows a statistical analysis of the results, so that the present state of each project can easily be understood.

For work that requires more control, developer and checker groups can be set up separately, and access privileges for each project can be controlled, enabling systematic management for the entire enterprise. Furthermore, efficiency was increased by tracking previous errors and making sure the same errors do not appear twice.

It was important for them to develop a long-term standard system for managing source code from different developers. Source code testing was made mandatory before transferring code to a different system, and a subdivided standard system was also developed for continuous management and control.

Acquire quality and security together

CERT, the international Internet security institution, released the ‘Top 10 Secure Coding Practices’; the 9th guideline, ‘Use effective quality assurance techniques’, calls for improving both quality and security to achieve greater IT service quality.

The bank’s use of SPARROW will move domestic financial IT services toward acquiring both quality and security. Ultimately, SPARROW will upgrade the quality of all financial IT services.

From the Customer

“Since detection of run-time errors and security vulnerabilities is clearly evident, SPARROW is able to earn a justifiable reason to be used as a static application security testing tool and successfully be integrated into our systems.”

“After actually using the tool, the biggest advantage was that systematic management was possible through the analysis tool. The detected errors are divided into 5 levels: level 1 has errors that are certainly going to produce a problem, level 2 has errors that might produce unexpected results, and level 3 has errors that are recommended to be changed for maintenance and efficiency. This helps us to get rid of vulnerabilities and manage clean source code.”

“We made a coding standard for ourselves and customized SPARROW to suit the coding standard. Rule sets are delivered to developers by a centralized system, and all developers used SPARROW on their own for identifying and managing SW vulnerabilities according to the corresponding rule set. The analysis is performed in the IDE with the SPARROW plug-in or on build servers with command line scripts. The configuration management system is integrated with SPARROW for controlling the quality and security level of the source code. Only source code which has no SW vulnerability issues or which is granted by the QA manager can be transferred into the central server.”

“The most important factor in selecting a tool on BMT with various products is finding SW vulnerabilities accurately. Finding many issues with a low false positive ratio is essential. Secondly is finding the SW defects which our QA departments want to find and identifying SW security vulnerabilities all in one tool. Thirdly, the analysis tool has to be easily integrated into the developer environments without modification and the analysis speed should be equally fast. Furthermore, the remediation guide for handling issues should be understandable. Lastly, we require robust control on the quality and security level of source code for each project. Statistics and audit on each SW project are required.”

“It was useful to manage exceptions separately when transferring source code from the configuration management system to the operating server. We expect to use the statistical data from each team to increase quality and security of development in the SDLC. We also believe that the developing workforce will realize the importance of quality and security and bring overall improvement into both of these areas.”

– Manager, Quality Management Department


About the bank

For the past 50 years, this bank has promoted educational support projects, financial/credit businesses, and economic businesses to stimulate and provide balance for Korea’s agriculture and national economy. It has the largest financial network and is one of the leading financial institutions in Korea.
