
Fasoo Launches Sparrow on Cloud, SaaS version of SAST

SPARROW, a static code analysis application, is now available as a Software as a Service (SaaS) offering to help organizations quickly detect critical software vulnerabilities at the early stages of software development. “SPARROW on Cloud”, SPARROW’s cloud solution, is an agile, flexible, reliable and cost-effective solution that allows organizations to easily manage application security challenges.

“IoT has brought an upsurge in new software that connects and operates everything from cars to medical devices and with that, enormous risk at the development level,” said Fasoo’s CEO Dr. Kyugon Cho. “Providing software developers with a cloud based application security testing solution was the logical next step for Fasoo as it is so essential for software to be secure at the code level.”

Unlike other static application security testing (SAST) solutions, SPARROW analyzes source code with a robust static analysis engine that uses a deep semantic method to find vulnerabilities that other SAST applications may have difficulty identifying. The solution is designed to enforce multiple policies dynamically for different projects or users/groups, and offers faster analysis speed (1M LOC per hour) with accuracy (OWASP benchmark score: 94.8). In addition, SPARROW enables organizations to identify and fix issues by leveraging machine learning and automation features like:

  • Intelligent Issue Clustering: SPARROW categorizes similar issues in groups that allow organizations to identify and correct issues efficiently.
  • Active Suggestion: SPARROW not only identifies software vulnerabilities, but also can help remediate code using automated code suggestions.
  • Issue Classification:  SPARROW analyzes, ranks, and prioritizes high priority issues in an easy to read dashboard display.
  • Advanced Issue Filtering: SPARROW provides detailed filter options for the detected issues (e.g., source API, sink API, called method, etc.).

SPARROW is used by government agencies, corporations and anyone developing embedded software that requires a very high level of software quality. The SAST version of SPARROW is also used by government and the financial industry which aim to eliminate security weaknesses from their source code.

Fasoo is offering a limited introductory promotion for the cloud version of SPARROW. By purchasing a subscription between January 17, 2017 and March 30, 2017, customers will get the equivalent amount of extra time at no extra cost. For example, if customers select a one month subscription (Silver) they will receive an extra month free. Please click here for more information about SPARROW on Cloud.

Sparrow Static Application Security Testing

While everyone still draws attention to the need for protection from cyber-attacks and the need for firewalls, intrusion prevention systems, and similar tools, recent highly publicized breaches have been raising awareness of weaknesses in the software being developed and used. The market is now forced to focus on how to identify and remediate vulnerabilities within applications themselves, as things like buffer overruns, SQL injections, cross-site scripting, hard-coded passwords, memory leaks, uninitialized variables, division by zero, and integer overflows can have devastating results.

This is quite a change from the way things used to be. Rather than being an afterthought, security in software design is now becoming an increasingly important concern during development as applications are becoming more and more accessible and hence becoming vulnerable to a wide variety of threats. There is much concern over the likelihood of unauthorized code manipulating applications to access, steal, modify, or delete sensitive data.

You may be looking to incorporate Application Security Testing (AST) into your security program. Perhaps you have heard of various approaches and are trying to determine how best to proceed. As a first step, you may want to be familiar with the different approaches available in the marketplace today:

  • Static AST (SAST) – analyzes source code for vulnerabilities during the programming and testing phases of the software life cycle (SLC). Think of this as testing the application from the inside out.
  • Dynamic AST (DAST) – analyzes the running state of applications during testing or when the application is operational. Think of this approach as testing the application from the outside in, probing and prodding it in unexpected ways to find security vulnerabilities.
  • Interactive AST (IAST) – combines SAST and DAST together.
  • Mobile AST – combines SAST and DAST plus behavioral analysis.
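To make the "inside out" idea of SAST concrete, here is an added example (not SPARROW's engine or any code from Fasoo) of a minimal source-to-sink checker over the Python AST. It flags two of the weakness classes named above, a hard-coded password and user input reaching a SQL `execute` sink, in a constructed sample; the source/sink lists and the sample code are assumptions made for this illustration.

```python
import ast

# Constructed sample under analysis: one injectable query, one parameterized
# query and one hard-coded secret. Line numbers count from the leading newline.
SAMPLE = '''
import sqlite3
from flask import request
DB_PASSWORD = "hunter2"
def lookup(conn):
    user = request.args.get("user")
    cur = conn.cursor()
    cur.execute("SELECT * FROM t WHERE name = '" + user + "'")
    cur.execute("SELECT * FROM t WHERE name = ?", (user,))
'''

SOURCES = {"request.args.get", "input"}      # assumed untrusted-input APIs
SINKS = {"execute"}                           # assumed dangerous sink method
SECRET_NAMES = ("password", "passwd", "secret", "token")

def _dotted(node):
    # Render a call target such as request.args.get as a dotted string.
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

class Analyzer(ast.NodeVisitor):
    # Flow-insensitive taint tracking: a name assigned from a source stays tainted.
    def __init__(self):
        self.tainted, self.findings = set(), []
    def _is_tainted(self, e):
        if isinstance(e, ast.Name):
            return e.id in self.tainted
        if isinstance(e, ast.Call):
            return _dotted(e.func) in SOURCES
        if isinstance(e, ast.BinOp):               # "..." + user + "..."
            return self._is_tainted(e.left) or self._is_tainted(e.right)
        if isinstance(e, ast.JoinedStr):           # f"... {user} ..."
            return any(isinstance(v, ast.FormattedValue) and self._is_tainted(v.value)
                       for v in e.values)
        return False
    def visit_Assign(self, node):
        for t in node.targets:
            if isinstance(t, ast.Name):
                if (isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)
                        and any(k in t.id.lower() for k in SECRET_NAMES)):
                    self.findings.append((node.lineno, "hard-coded secret", t.id))
                if self._is_tainted(node.value):
                    self.tainted.add(t.id)
        self.generic_visit(node)
    def visit_Call(self, node):
        name = _dotted(node.func)
        # Only the query string (first argument) is a sink; bound parameters are safe.
        if name and name.split(".")[-1] in SINKS and node.args and self._is_tainted(node.args[0]):
            self.findings.append((node.lineno, "tainted data reaches sink", name))
        self.generic_visit(node)

def analyze(src):
    a = Analyzer()
    a.visit(ast.parse(src))
    return sorted(a.findings)
```

The parameterized second query on line 9 is intentionally not reported, which is the distinction a real SAST engine's source/sink filtering has to make.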


DAST and SAST are the most widely accepted approaches with high adoption and maturity rates out of the four types today. IAST and Mobile AST have only recently emerged and don’t have the same adoption as of yet.

Most organizations with limited resources have traditionally chosen to implement DAST, primarily because it is thought to be cheaper and quicker to implement and to train developers on. However, this approach has usually fallen short in the more progressive development methods due to its inherent limitations. DAST tools can’t be used on source code or un-compiled application code, delaying security testing until the later stages of development.

While the norm in the market today is that performing some application security testing is better than performing none at all, organizations should consider combining SAST with DAST to combat the security challenges they face. After all, application-layer attacks are growing at a stunning pace while organizations are still trying to figure out how to adequately improve their application security programs, giving the bad guys the upper hand to do harm.

Achieving Software Quality and Secure Coding Concurrently

Major National Bank Achieves Software Quality and Secure Coding Concurrently through SPARROW

Expansion in electronic financial services requires advancement in software quality and secure coding

A report from the Financial Supervisory Service in 2012 states that half of the financial data processing errors were caused while modifying the program. For businesses handling financial transactions, the quality assurance of the software behind the IT service is more important than in any other business. Furthermore, new cyber threats continue to emerge, and as a result businesses are demanding security reinforcement through secure coding.

As the bank started to offer more diverse products and the workload grew, they found limitations in relying on manpower to test the software developed for the IT service. The bank saw the need to detect and remove potential SW vulnerabilities, both in outsourced programs from cooperating firms and in all internally developed programs, through a source code analyzer, to strengthen automated quality testing and obtain security verification through secure coding.

Standards, performance and supporting systems of the source code analyzer

The bank selected Fasoo’s SPARROW, which had received praise for its detection performance and supporting system in a benchmarking test (BMT). SPARROW offers a semantic-based analysis and shows great performance in detecting critical and hidden run-time errors. SPARROW not only follows the development security guidelines of the Ministry of Security and Public Administration (MOSPA), but also international standard guidelines such as OWASP and CERT, and recently acquired the CWE certification, the first in Korea. SPARROW was acknowledged for its ability to minimize the security vulnerabilities defined by these international standards. Currently, members of the biggest Korean research lab in the area of static analysis, the Research on Software Error-free Computing Center of Seoul National University, are part of the team, committed to consulting and providing technical support.

Applied to all development work of the IT Department

For a successful integration, it was important to make the source code testing process smooth when developing, maintaining and operating various programs by more than 1,000 employees of the bank’s IT Department.

Developers check their source code frequently through the client analysis manager and IDE plug-ins, and the person in charge of quality manages the gathered analysis reports from the central management system to ensure quality and security in the early development stage of the SDLC.

Furthermore, they have a development process that includes a configuration management system when developing a project with the cooperation of many developers. They create a workflow by linking the SPARROW analysis server and the configuration management system. Only source code verified by SPARROW is allowed to be transferred to the main server.

SPARROW consists of a deep source code analysis engine, a manager (Whistle) that performs analysis on the client, a plug-in that performs analysis in the IDE, and a central system (NEST) that gathers and manages the analysis results. Each module can easily be applied to different development environments anywhere in the SDLC.

Changing the central system into a combination of management and operation

The bank developed a central unified management system to inspect more than 100 project source codes from the bank’s IT Department, which are split by developer or by module. SPARROW’s unified management system NEST is an efficient web-based system that inspects the quality and security of different business units and shows a statistical analysis of the results, so that the present state of projects can easily be understood.

For work that requires more control, developer and checker groups can be set up separately, and access privileges for each project can be controlled, enabling systematic management for the entire enterprise. Furthermore, efficiency was increased by tracking previous errors and making sure the same errors do not appear twice.

It was important for them to develop a long-term standard system to manage source code from different developers. Source code testing was made mandatory before transferring code to a different system, and a subdivided standard system was also developed for continuous management and control.

Acquire quality and security together

CERT, the international internet security institution, released the ‘Top 10 Secure Coding Practices’; the 9th guideline states ‘Use effective quality assurance techniques’, since greater IT service quality requires improving both quality and security.

The bank’s use of SPARROW will change the domestic financial IT service to acquiring both quality and security. Ultimately, SPARROW will upgrade the quality of all financial IT services.

From the Customer

“Since detection of run-time errors and security vulnerabilities is clearly evident, SPARROW is able to earn a justifiable reason to be used as a static application security testing tool and successfully be integrated into our systems.”

“After actually using the tool, the biggest advantage was that systematic management was possible through the analysis tool. The detected errors are divided into 5 levels: level 1 has errors that are certainly going to produce a problem, level 2 has errors that might produce unexpected results, and level 3 has errors that are recommended to be changed for maintenance and efficiency. This helps us to get rid of vulnerabilities and manage clean source code”

“We made a coding standard for us and customized SPARROW to suit the coding standard. Rule sets are delivered to developers by a centralized system, all developers used SPARROW on their own for identifying and managing SW vulnerabilities according to the corresponding rule set. The analysis is performed on IDE with the SPARROW plug-in or on build servers with command line scripts. The configuration management system is integrated with SPARROW for controlling the quality and security level of the source code. Only source code which has no SW vulnerability issues or which is granted by the QA manager can be transferred into the central server.”

“The most important factor in selecting a tool on BMT with various products is finding SW vulnerabilities accurately. Finding many issues with a low false positive ratio is essential. Secondly is finding the SW defects which our QA departments want to find and identifying SW security vulnerabilities all in one tool. Thirdly, the analysis tool has to be easily integrated into the developer environments without modification, and the analysis speed should be equally as fast. Furthermore, the remediation guide for handling issues should be understandable. Lastly, we require robust control on the quality and security level of source code for each project. Statistics and audit on each SW project are required.”

“It was useful to manage exceptions separately when transferring source code from the configuration management system to the operating server. We expect to use the statistical data from each team to increase quality and security of development in the SDLC. We also believe that the developing workforce will realize the importance of quality and security and bring overall improvement into both of these areas.”

– Manager, Quality Management Department


About the bank

For the past 50 years, this bank has promoted educational support projects, financial/credit businesses, and economic businesses to stimulate and provide balance for Korea’s agriculture and national economy. They have the largest financial network and are one of the leading financial institutions in Korea.

The Application Security Testing Tool Every Enterprise Should Have

Software security faces a variety of challenges before it can ensure that the software is secure. The first is to correct the security defects, whatever their category. The second is being able to cover a large, enterprise-wide portfolio of applications to ensure their security as well. Source code analysis, more specifically static application security testing, otherwise known as SAST, has come a long way since its introduction back in the late 90s and early 2000s.

When it comes to correcting defects in your software, if you know where in the source code the problem exists, it is much easier to fix it before the software is released. In addition, if you are given a suggestion on how to fix the problem, it becomes that much easier and quicker to fix. Since developers are ultimately responsible for developing software with few or no defects, any tool that helps developers directly is the most useful. Although automation is convenient, it may miss fixing some of the bugs that need to be fixed, or create additional false positives that deter the success of an application security testing tool.

Fasoo, well known for its data-centric security solutions, also provides a static application security testing tool called SPARROW. This is a static analysis tool for the enterprise software development process. It can be deployed in both the development and testing phases of the software development life cycle (SDLC) for all security-related participants in the quality control process. SPARROW accurately and quickly detects software vulnerabilities, with root cause explanations, and suggests code examples for remediation to developers with ACTIVE SUGGESTION.

It has received much praise and many awards, and follows international standard guidelines such as OWASP, CWE/SANS, CERT, HIS, HICPP and MISRA, and most recently acquired CWE certification as well as ISO 26262. SPARROW offers a semantic-based analysis, which shows great performance in detecting critical and hidden run-time errors.

Most recently, in September of this year, SPARROW was showcased in front of developers, auditors, risk managers, technologists and entrepreneurs at AppSec USA 2014 in Denver, CO.

Make sure when you are thinking about what security testing tool you should have for your software, you think about SPARROW and let us know.
