Tag: Application Security Testing

Sparrow helps stop security vulnerabilities while you code

A recent article by Maria Cosgrove in CSO asked the question “Wouldn’t it be nice if software developers had something like spellcheck, but instead of catching simple grammar mistakes, it caught basic security problems?”

It is a very good question, especially given the steady stream of cyber security incidents and attacks we have seen in recent months. The reality is that developers are still shipping software with security vulnerabilities. As project timelines contract and more people get involved, the development cycle becomes more complex and more error-prone. If the problems were rare, exotic bugs, that would be one thing, but why do so many basic errors end up in so much software?

Ron Arden, Executive Vice President at Fasoo, was quoted in the article saying, “Today’s integrated development environments can already catch common syntax errors, like missing semicolons.  If there’s a function you’re using, it shows the parameters, but it won’t tell you if there’s a SQL injection or cross-site scripting error.”

So back to the original question: a tool that works like a spellchecker, identifying these problems as the code is written and helping to eliminate them. That would let developers fix vulnerabilities immediately and learn to write more secure code in the process.

Traditionally, companies test software for vulnerabilities after it has been written, during QA, but that is often too late: by then the code is in a finished state, and every finding means rework and delay in the development cycle. A better approach is to run application security testing during development, using an analysis engine that combines syntactic methods (matching patterns in the structure of the code) with semantic methods (following how data actually flows through the program) to detect vulnerabilities as they are introduced. This not only improves the code but also makes it easier to demonstrate compliance, since findings can be mapped to CWE identifiers, the OWASP Top 10, the CERT secure coding standards and other recognized international references.
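As an added illustration of what such a security "spellcheck" has to do (this is example code written for this page, not Sparrow's engine or its rule set), the toy checker below parses Python source with the standard ast module. The syntactic layer is just the list of sources and sinks: it assumes that anything read from a parameter named request is attacker-controlled and that the execute/executemany methods are the SQL sinks. The semantic layer tracks which variables are tainted by that input through assignments, string concatenation, f-strings and .format(), so a query built from user data is flagged while the parameterized version of the same query is not. The source it analyzes is a constructed sample.

```python
"""Toy SAST check: flag SQL text built from untrusted input (added example, not Sparrow's code)."""
import ast

# Constructed sample code under analysis: one injectable query, one parameterized.
SAMPLE_SOURCE = '''
def lookup_user(request, cursor):
    name = request.args["name"]
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)

def lookup_user_safe(request, cursor):
    name = request.args["name"]
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

# Syntactic layer: names treated as taint sources and methods treated as SQL sinks (assumed).
TAINT_SOURCES = {"request"}        # anything read from `request.*` is attacker-controlled
SINK_CALLS = {"execute", "executemany"}


class SqlTaintChecker(ast.NodeVisitor):
    """Semantic layer: track, per function, which local variables carry tainted data."""

    def __init__(self):
        self.tainted = set()
        self.current = None
        self.findings = []   # (function name, line) of injectable sink calls

    def visit_FunctionDef(self, node):
        self.tainted = set()           # taint does not leak between functions
        self.current = node.name
        self.generic_visit(node)

    def _is_tainted(self, expr):
        """Does this expression (transitively) contain attacker-controlled data?"""
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted or expr.id in TAINT_SOURCES
        if isinstance(expr, (ast.Subscript, ast.Attribute)):   # request.args["x"]
            return self._is_tainted(expr.value)
        if isinstance(expr, ast.BinOp):                         # "..." + name, "..." % name
            return self._is_tainted(expr.left) or self._is_tainted(expr.right)
        if isinstance(expr, ast.JoinedStr):                     # f"... {name} ..."
            return any(self._is_tainted(v.value) for v in expr.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(expr, ast.Call):                          # "...".format(name), name.strip()
            return any(self._is_tainted(a) for a in expr.args) or self._is_tainted(expr.func)
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self._is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # overwritten with clean data
        self.generic_visit(node)

    def visit_AugAssign(self, node):                  # query += name
        if isinstance(node.target, ast.Name) and self._is_tainted(node.value):
            self.tainted.add(node.target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINK_CALLS and node.args:
            # Only the SQL text (first argument) matters; bound parameters are not a problem.
            if self._is_tainted(node.args[0]):
                self.findings.append((self.current, node.lineno))
        self.generic_visit(node)


def find_sql_injection(source):
    """Return [(function, line)] for every sink call whose SQL text is tainted."""
    checker = SqlTaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings


if __name__ == "__main__":
    for func, line in find_sql_injection(SAMPLE_SOURCE):
        print(f"line {line}: possible SQL injection in {func}()")
```

A real engine differs in scale rather than kind: many more sources and sinks, inter-procedural flow, knowledge of which sanitizers actually neutralize which sink, and the CWE/OWASP mapping of each finding, but the syntactic-plus-semantic split is the same.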

Organizations have long assumed that cyber attacks target network weaknesses, and have protected themselves with firewalls, intrusion prevention systems and similar tools. Many attacks, however, target weaknesses in the software that companies develop and use, and network controls do little against them. Stopping such attacks after the software has been built and deployed is difficult; it is far better to remove the weaknesses before the software ships by detecting the security vulnerabilities in its source code.

Another issue is the cost of fixing vulnerabilities after software has been released. Studies show it can cost less than $1,000 to fix a bug during coding, but over $14,000 to fix it after release. That figure does not include the remediation a customer has to perform to address whatever problems the bug caused in the first place.

Checking for security vulnerabilities during development is the optimal approach and minimizes potential problems before deployment. It dramatically reduces the attack surface of a production system and helps us all sleep better at night.

Sparrow Static Application Security Testing

While everyone still draws attention to the need for protection from cyber-attacks, and to firewalls, intrusion prevention systems and similar tools, recent highly publicized breaches have raised awareness of weaknesses in the software that organizations develop and use. The market is now forced to focus on identifying and remediating vulnerabilities within the applications themselves, since buffer overruns, SQL injection, cross-site scripting, hard-coded passwords, memory leaks, uninitialized variables, division by zero and integer overflows can all have devastating results.

This is quite a change from the way things used to be. Rather than an afterthought, security in software design is becoming an increasingly important concern during development, as applications become more and more accessible and hence exposed to a wider variety of threats. There is much concern over the likelihood of malicious input or unauthorized code manipulating applications into accessing, stealing, modifying or deleting sensitive data.

You may be looking to incorporate Application Security Testing (AST) into your security program. Perhaps you have heard of various approaches and are trying to determine how best to proceed. As a first step, you may want to be familiar with the different approaches available in the marketplace today:

  • Static AST (SAST) – analyzes source code (or, in some tools, bytecode and binaries) for vulnerabilities during the coding and testing phases of the software development life cycle (SDLC), before anything is deployed. Think of this as testing the application from the inside out.
  • Dynamic AST (DAST) – exercises a running instance of the application during testing or in operation, without access to its source. Think of this as testing the application from the outside in, probing and prodding it in unexpected ways to find security vulnerabilities.
  • Interactive AST (IAST) – instruments the running application from within, typically with an agent in the runtime, so that DAST-style exercise of the application is combined with SAST-style visibility into the code and data flow that each request triggers.
  • Mobile AST – applies SAST and DAST techniques to mobile applications and adds behavioral analysis of what the app does on the device.

DAST and SAST are the most widely adopted and mature of the four approaches today. IAST and Mobile AST have emerged more recently and do not yet have the same adoption.

Most organizations with limited resources have traditionally implemented DAST first, on the reasoning that it is cheaper, quicker to deploy and requires little developer training. This approach usually falls short under modern, faster development methods because of DAST's inherent limitations: it needs a running, deployable build, cannot analyze source code or un-compiled application code, and therefore pushes security testing to the later stages of development, where fixes are most expensive.
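To make the outside-in view concrete, and to show why a dynamic scanner cannot start until there is something to run, here is an added example (written for this page; it is not Sparrow's code nor any real DAST product). It constructs a tiny target application with one endpoint that reflects a query parameter unescaped and one that HTML-escapes it, starts it on a local ephemeral port, and then scans it as a black box: the scanner sends a unique canary and reports whether it comes back unescaped in the HTML, the basic test for reflected cross-site scripting. Endpoint names, the parameter name and the canary string are all assumptions of the example.

```python
"""Toy DAST probe for reflected XSS against a constructed local target (added example)."""
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class TargetApp(BaseHTTPRequestHandler):
    """Constructed target: /search reflects `q` unescaped, /search_safe escapes it."""

    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(parsed.query).get("q", [""])[0]
        if parsed.path == "/search":
            body = f"<p>Results for {q}</p>"              # vulnerable: raw user input in HTML
        elif parsed.path == "/search_safe":
            body = f"<p>Results for {html.escape(q)}</p>"  # fixed: output encoding
        else:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the scanner's output clean
        pass


def start_target():
    """Run the constructed app on an ephemeral localhost port; return (base URL, server)."""
    server = HTTPServer(("127.0.0.1", 0), TargetApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server


# A unique canary avoids false positives from markup the page legitimately contains.
CANARY = "<xss7f3a>"


def probe_reflected_xss(base_url, path, param="q"):
    """Send the canary in `param` and report whether it is reflected unescaped."""
    url = f"{base_url}{path}?{urllib.parse.urlencode({param: CANARY})}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        page = resp.read().decode("utf-8")
    return CANARY in page   # html.escape would turn it into &lt;xss7f3a&gt;


def scan(base_url, paths=("/search", "/search_safe")):
    """Black-box scan: the scanner knows URLs and parameters, never the source."""
    return {p: probe_reflected_xss(base_url, p) for p in paths}


def run_demo():
    """Start the constructed target, scan it, shut it down and return the findings."""
    base, server = start_target()
    try:
        return scan(base)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, vulnerable in run_demo().items():
        print(f"{path}: {'REFLECTED (possible XSS)' if vulnerable else 'escaped'}")
```

Everything the scanner learns comes from responses, which is the strength of the approach (no source needed, real deployed behavior) and its limitation: nothing here could run against a half-written module on a developer's workstation, and a reflected canary tells you an endpoint is vulnerable without telling you which line to fix.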

While the norm in the market today is that performing some application security testing is better than none at all, organizations should consider combining SAST with DAST to address the security challenges they face. After all, application-layer attacks are growing at a stunning pace while organizations are still working out how to improve their application security programs, which gives attackers the upper hand.
