Tag: SPARROW

Fasoo Launches Sparrow on Cloud, SaaS version of SAST

SPARROW, a static code analysis application, is now available as a Software as a Service (SaaS) offering to help organizations quickly detect critical software vulnerabilities at the early stages of software development. “SPARROW on Cloud”, SPARROW’s cloud solution, is an agile, flexible, reliable and cost-effective solution that allows organizations to easily manage application security challenges.

“IoT has brought an upsurge in new software that connects and operates everything from cars to medical devices and with that, enormous risk at the development level,” said Fasoo’s CEO Dr. Kyugon Cho. “Providing software developers with a cloud based application security testing solution was the logical next step for Fasoo as it is so essential for software to be secure at the code level.”

Unlike other static application security testing (SAST) solutions, SPARROW analyzes source code with a robust static analysis engine that uses a deep semantic method to find vulnerabilities that other SAST applications may have difficulty identifying. The solution is designed to enforce multiple policies dynamically for different projects or users/groups, and offers fast analysis speed (1M LOC per hour) with accuracy (OWASP benchmark score: 94.8). In addition, SPARROW enables organizations to identify and fix issues by leveraging machine learning and automation features like:

  • Intelligent Issue Clustering: SPARROW categorizes similar issues in groups that allow organizations to identify and correct issues efficiently.
  • Active Suggestion: SPARROW not only identifies software vulnerabilities, but also can help remediate code using automated code suggestions.
  • Issue Classification: SPARROW analyzes, ranks, and prioritizes high-priority issues in an easy-to-read dashboard display.
  • Advanced Issue Filtering: SPARROW provides detailed filter options for the detected issues (e.g., source API, sink API, called method, etc.).

SPARROW is used by government agencies, corporations and anyone developing embedded software that requires a very high level of software quality. The SAST version of SPARROW is also used by government agencies and the financial industry, which aim to eliminate security weaknesses from their source code.

Fasoo is offering a limited introductory promotion for the cloud version of SPARROW. By purchasing a subscription between January 17, 2017 and March 30, 2017, customers will get the equivalent amount of extra time at no extra cost. For example, if customers select a one-month subscription (Silver), they will receive an extra month free.

Sparrow helps stop security vulnerabilities while you code

A recent article by Maria Cosgrove in CSO asked the question “Wouldn’t it be nice if software developers had something like spellcheck, but instead of catching simple grammar mistakes, it caught basic security problems?”

Very good question, especially when you think about all the cyber security problems and attacks we’ve seen in recent months.  The reality is that developers are still writing software with security vulnerabilities.  As project timelines contract and more people are involved, the development cycle becomes more complex and is prone to problems.  If the problems were rarely seen bugs, it would be one thing, but why are there so many basic errors inside a lot of software?

Ron Arden, Executive Vice President at Fasoo, was quoted in the article saying, “Today’s integrated development environments can already catch common syntax errors, like missing semicolons.  If there’s a function you’re using, it shows the parameters, but it won’t tell you if there’s a SQL injection or cross-site scripting error.”

So, back to the original question: a tool that works like a spellchecker, identifying these problems as the code is written, would help developers fix vulnerabilities immediately and learn to write more secure code in the process.

Traditionally, companies test software for vulnerabilities during a QA process after it has been written, but that can be too late, since it introduces too many problems and delays in the development cycle. A better approach is to use application security testing during the code development process to detect security vulnerabilities with an analysis engine based on semantic and syntactic methods. This not only improves the code, but also helps meet a strict set of compliance requirements that follow CWE, OWASP, CERT and other international standards.

Organizations assume cyber attacks target network weaknesses, so they protect themselves with firewalls, intrusion prevention systems, and similar tools. Many attacks instead target weaknesses in the software that companies develop and use. It is difficult to stop such attacks after the software has been built. It is better to eliminate them before the software is deployed by detecting all security vulnerabilities in the source code.

Another issue is the cost to fix vulnerabilities after you release software. Studies show it can cost less than $1,000 to fix a bug during the coding process, but over $14,000 to fix it after it is released. This doesn’t take into account remediation needed by a customer to address any problems caused by the bugs in the first place.

Checking security vulnerabilities during development is the optimal approach and will help minimize potential problems before deployment.  This will dramatically reduce the security attack surface in a production system and help us all sleep better at night.

Static Application Security Testing

Many companies have significant investments in network security, but it’s not enough because a significant chunk of all cyber-attacks are happening on the application layer. Cyber criminals are increasingly targeting the application stack for exploitation.

According to the U.S. Department of Homeland Security (DHS), 90% of security incidents result from exploits against defects in software. The Forrester Wave: Application Security Report says that companies rush to build and use applications without thinking about the security of the application itself. The Global Information Security Workforce Study published by the International Information Systems Security Certification Consortium (ISC)² claims that 30% of companies never scan for vulnerabilities during code development. These are all astounding findings!

Companies need to improve how they find and fix vulnerabilities, and to reduce the risk created by the proliferation of vulnerable applications used on a daily basis. A good application security program has to start with a systematic process for assessing code during an application’s development, with software assessments at every stage of the development process rather than at the end of the cycle. There is a significant amount of pressure on development teams to produce functional applications quickly, and the emphasis on functionality and speed means security is generally left behind.

Companies face adversaries who are motivated by money, politics and other reasons to find vulnerabilities so they can steal sensitive and valuable information. One of the ways cyber criminals are doing this is by exploiting security vulnerabilities introduced or not remedied during the development cycle of the software. Many companies require their developers to do only the bare minimum for security: scanning code once rather than continuously.

Static and dynamic analyses are two of the most popular types of security tests.  There are many vendors in the market specializing in the field of application testing and security: some are big and others are smaller providing niche solutions. Companies must choose carefully which security testing to implement.

Typically, vulnerabilities found through the use of static analysis have a higher fix rate than those found by dynamic analysis. Static analysis compared with dynamic analysis is a more thorough and a more cost-efficient approach because of its ability to detect bugs at an early phase of the software development life-cycle.

Current times and challenges require companies to be vigilant in securing sensitive data to avoid costly and embarrassing data breaches. As part of an overall security posture, companies must not overlook the value of static application security testing. Given the inherent risk involved, an application vulnerability can cripple customer trust.  Static application security testing is a must have tool in any environment developing applications.

Pants Down

Technology has changed the way we live our lives. Whether we are at work, home or outside, we have become dependent on our computers, mobile phones and the internet. On a daily basis, we all interact with a significant number of applications.

Demand for technology has led to an explosion of software we use daily, whether these are applications used in the office or at home. Demand for new or updated functionality has shortened software release cycles and application developers need to rapidly introduce new features to outpace competition and meet customer demand. With this reality, application security risk management can no longer be treated as a nice-to-have element.  It must be a mission-critical requirement at every company that develops software.

Gone are the days with long release cycles and infrequent updates.  Application developers are faced with increased pressure to release software, updates and new features and this presents a significant issue with security. While software companies primarily focus on user experience and business value, often they miss the importance of ensuring the applications are truly secure without vulnerabilities.

Surveys like the recent Ponemon Institute 2016 Application Security Risk Management Study indicate that basic security steps are often neglected – 48% of respondents said their organizations don’t take basic security measures. How can applications be secure without appropriate security testing?

Application security testing ensures that potential application security vulnerabilities are remedied prior to the release and consumption by users. Static Application Security Testing (SAST) is one of the tools that must be part of every application development company’s security risk management process.

Often, companies associate SAST with a high volume of vulnerability findings that make remediation ineffective and time-consuming. Fasoo’s SPARROW addresses this in two ways:

  • SPARROW enables developers and quality/security managers to remediate flaws reported through code suggestions.
  • SPARROW’s Intelligent Alarm Clustering groups related vulnerabilities in source code with a unique ID enabling faster remediation.

Organizations must utilize SAST in the scope of their application security preparedness to reduce risks that are introduced by application infrastructures. SAST must be part of security risk management practices in every company developing applications.

Achieving Software Quality and Secure Coding Concurrently

Major National Bank Achieves Software Quality and Secure Coding Concurrently through SPARROW

Expansion in electronic financial services requires advancement in software quality and secure coding

A 2012 report from the Financial Supervisory Service states that half of financial data processing errors were introduced while modifying a program. For businesses that handle financial transactions, quality assurance of the software behind the IT service matters more than in any other business. Furthermore, new forms of cyber threats keep appearing, and as a result businesses are demanding security reinforcement through secure coding.

As the bank started to offer more diverse products and the workload grew, it found limitations in relying on manpower to test the software developed for its IT services. The bank saw the need to detect and remove potential software vulnerabilities, both in programs outsourced to partner firms and in all internally developed programs, through a source code analyzer, in order to strengthen automated quality testing and obtain security verification through secure coding.

Standards, performance and supporting systems of the source code analyzer

The bank selected Fasoo’s SPARROW, which received praise for its detection performance and support system in a benchmarking test (BMT). SPARROW offers semantic-based analysis and shows great performance in detecting critical and hidden run-time errors. SPARROW not only follows the development security guidelines of the Ministry of Security and Public Administration (MOSPA), but also international standard guidelines such as OWASP and CERT, and recently acquired CWE certification for the first time in Korea. SPARROW was acknowledged for its ability to minimize the security vulnerabilities defined by these international standards. Currently, members of the largest Korean research lab in the area of static analysis, the Research on Software Error-free Computing Center of Seoul National University, are part of the team, committed to consulting and providing technical support.

Applied to all development work of the IT Department

For a successful integration, it was important to make the source code testing process smooth when developing, maintaining and operating various programs by more than 1,000 employees of the bank’s IT Department.

Developers check their source code frequently through the client analysis manager and IDE plug-ins, and the person in charge of quality manages the gathered analysis reports from the central management system to ensure quality and security in the early stages of the SDLC.

Furthermore, they have a development process that includes a configuration management system when developing a project with the cooperation of many developers. They create a workflow by linking the SPARROW analysis server and the configuration management system. Only source code verified by SPARROW is allowed to be transferred to the main server.

SPARROW consists of a deep source code analysis engine, a manager (Whistle) that performs analysis on the client, a plug-in that performs analysis in the IDE, and a central system (NEST) that gathers and manages the analysis results. Each module can easily be applied to different development environments anywhere in the SDLC.

Change central system to a combination of management and operation

The bank developed a central unified management system to inspect the source code of more than 100 projects from its IT Department, split by developer or by module. SPARROW’s unified management system, NEST, is an efficient web-based system that inspects the quality and security of different business units and shows a statistical analysis of the results so that the present state of projects can easily be understood.

For work that requires more control, developer and checker groups can be set separately, and access privileges for each project can be controlled, enabling systematic management for the entire enterprise. Furthermore, efficiency was increased by tracking previous errors and making sure the same errors do not appear twice.

It was important for them to develop a long-term standard system to manage source code from different developers. Before transferring to a different system, source code testing was mandatory and a subdivided standard system was also developed for continuous management and control.
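The transfer gate described above (only source code verified by SPARROW reaches the main server, previously fixed errors are tracked so they do not reappear, and the QA manager can grant exceptions) as an added example, not Fasoo’s or the bank’s code: the finding fields, the severity levels, the fingerprinting scheme and the exception list are assumptions, and the report is constructed inline.

```python
import hashlib
from dataclasses import dataclass

# Constructed finding record; the field set is an assumption, not SPARROW's
# report schema. Levels follow the bank's description: 1 = will certainly
# cause a problem, 2 = may produce unexpected results, 3 = maintenance advice.
@dataclass(frozen=True)
class Finding:
    rule: str      # checker id, e.g. a CWE-style category
    file: str
    line: int
    snippet: str   # the flagged source line
    level: int
    cluster: str   # id shared by related findings (issue clustering)

def fingerprint(f: Finding) -> str:
    """Stable identity for a finding: rule, file and whitespace-normalized
    snippet, deliberately not the line number, so the same error is not
    counted twice after unrelated edits shift the code around."""
    key = f"{f.rule}|{f.file}|{' '.join(f.snippet.split())}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def gate(findings, approved, resolved):
    """Decide whether source code may be transferred to the central server.

    approved: fingerprints the QA manager has granted an exception for.
    resolved: fingerprints of errors fixed earlier; their reappearance is a
              regression and blocks regardless of level or approval.
    """
    blocking, regressions, warnings = [], [], []
    for f in findings:
        fp = fingerprint(f)
        if fp in resolved:
            regressions.append(fp)
        elif f.level == 1 and fp not in approved:
            blocking.append(fp)
        elif f.level == 2:
            warnings.append(fp)
    clusters = sorted({f.cluster for f in findings if fingerprint(f) in blocking})
    return {
        "allowed": not blocking and not regressions,
        "blocking": blocking,
        "regressions": regressions,
        "warnings": warnings,
        "clusters": clusters,   # fix one cluster, clear several findings
    }

# Constructed sample report: two related SQL-string-concatenation findings in
# one cluster, one possible null dereference, one naming-convention note.
SAMPLE = [
    Finding("SQLI", "dao/Account.java", 42,
            'stmt.execute("SELECT * FROM acct WHERE id=" + id);', 1, "C-17"),
    Finding("SQLI", "dao/Loan.java", 88,
            'stmt.execute("SELECT * FROM loan WHERE id=" + id);', 1, "C-17"),
    Finding("NPE", "svc/Transfer.java", 10, "return acct.getBalance();", 2, "C-42"),
    Finding("NAMING", "util/Fmt.java", 3, "int X_y = 0;", 3, "C-99"),
]

def example_decision():
    """Run the gate on SAMPLE: the Loan finding has a QA exception, and the
    null dereference was marked fixed in an earlier build, so its return is
    a regression. Result: transfer refused."""
    approved = {fingerprint(SAMPLE[1])}
    resolved = {fingerprint(SAMPLE[2])}
    return gate(SAMPLE, approved, resolved)

if __name__ == "__main__":
    print(example_decision())
```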

Acquire quality and security together

CERT, the international Internet security institution, released its ‘Top 10 Secure Coding Practices’; the 9th guideline, ‘Use effective quality assurance techniques’, ties IT service quality improvement to security, since both quality and security must be improved together.

The bank’s use of SPARROW will change the domestic financial IT service to acquiring both quality and security. Ultimately, SPARROW will upgrade the quality of all financial IT services.

From the Customer

“Since detection of run-time errors and security vulnerabilities is clearly evident, SPARROW is able to earn a justifiable reason to be used as a static application security testing tool and successfully be integrated into our systems.”

“After actually using the tool, the biggest advantage was that systematic management was possible through the analysis tool. The detected errors are divided into 5 levels: level 1 has errors that are certainly going to produce a problem, level 2 has errors that might produce unexpected results, and level 3 has errors that are recommended to be changed for maintenance and efficiency. This helps us to get rid of vulnerabilities and manage clean source code.”

“We made a coding standard for us and customized SPARROW to suit the coding standard. Rule sets are delivered to developers by a centralized system, all developers used SPARROW on their own for identifying and managing SW vulnerabilities according to the corresponding rule set. The analysis is performed on IDE with the SPARROW plug-in or on build servers with command line scripts. The configuration management system is integrated with SPARROW for controlling the quality and security level of the source code. Only source code which has no SW vulnerability issues or which is granted by the QA manager can be transferred into the central server.”

“The most important factor to select a tool on BMT with various products is finding SW vulnerabilities accurately. Finding many issues with a low false positive ratio is essential. Secondly, it is finding SW defects which our QA departments want to find and identifying SW security vulnerabilities all in one tool. Thirdly, the analysis tool has to be easily integrated into the developer environments without modification and the analysis speed should be equally as fast. Furthermore, the remediation guide for handling issues should be understandable. Lastly, we require robust control on the quality and security level of source code for each project. Statistics and audit on each SW project are required.”

“It was useful to manage exceptions separately when transferring source code from the configuration management system to the operating server. We expect to use the statistical data from each team to increase quality and security of development in the SDLC. We also believe that the developing workforce will realize the importance of quality and security and bring overall improvement into both of these areas.”

– Manager, Quality Management Department

About the bank

For the past 50 years, this bank has promoted educational support projects, financial/credit businesses, and economic businesses to stimulate and provide balance for Korea’s agriculture and national economy. It has the largest financial network in Korea and is one of the country’s leading financial institutions.

The Application Security Testing Tool Every Enterprise Should Have

Software security faces a variety of challenges before it can ensure that the software is secure. The first is to correct the security defects, whatever their category. The second is being able to cover a large enterprise-wide portfolio of applications to ensure their security as well. Source code analysis, more specifically static application security testing, otherwise known as SAST, has come a long way since its introduction in the late 90s and early 2000s.

When it comes to correcting defects in your software, if you know where in the source code the problem exists, it is much easier to fix the problem before the software is released. In addition, if you are given a suggestion for how to fix the problem, it becomes that much easier and quicker to fix. Since developers are ultimately responsible for developing software with few or no defects, any tool that helps developers directly is the most useful. Although automation is convenient, it may miss some of the bugs that need fixing or create additional false positives that undermine the success of an application security testing tool.

Fasoo, well known for its data-centric security solutions, also provides a static application security testing tool called SPARROW. This is a static analysis tool for the enterprise software development process. It can be deployed in both the development and testing phases of the software development life cycle (SDLC) for all security-related participants in the quality control process. SPARROW accurately and quickly detects software vulnerabilities, explains their root causes, and suggests code examples for remediation to developers through ACTIVE SUGGESTION.

It has received many awards and much praise, and follows international standard guidelines such as OWASP, CWE/SANS, CERT, HIS, HICPP and MISRA; most recently it acquired CWE certification as well as ISO 26262. SPARROW offers semantic-based analysis, which shows great performance in detecting critical and hidden run-time errors.

Most recently, in September of this year, SPARROW was showcased in front of developers, auditors, risk managers, technologists and entrepreneurs at AppSec USA 2014 in Denver, CO.

Make sure when you are thinking about what security testing tool you should have for your software, you think about SPARROW and let us know.
