Blog

Tag: Static Application Security Testing

Fasoo Launches Sparrow on Cloud, SaaS version of SASTSPARROW, a static code analysis application, is now available as a Software as a Service (SaaS) offering to help organizations quickly detect critical software vulnerabilities at the early stages of software development.  “SPARROW on Cloud“, SPARROW’s cloud solution is an agile, flexible, reliable and cost effective solution that allows organizations to easily manage application security challenges.

“IoT has brought an upsurge in new software that connects and operates everything from cars to medical devices and with that, enormous risk at the development level,” said Fasoo’s CEO Dr. Kyugon Cho. “Providing software developers with a cloud based application security testing solution was the logical next step for Fasoo as it is so essential for software to be secure at the code level.”

Unlike other Static application security testing (SAST) solutions, SPARROW analyzes source code with a robust static analysis engine that uses a deep semantic method to find vulnerabilities that other SAST applications may have difficulty identifying.  The solution is designed to enforce multiple policies dynamically to different projects or users/groups, and offers faster analysis speed (1M LOC per hour) with accuracy (OWASP benchmark score: 94.8).  In addition, SPARROW enables organizations to identify and fix issues by leveraging machine learning and automation features like:

  • Intelligent Issue Clustering: SPARROW categorizes similar issues in groups that allow organizations to identify and correct issues efficiently.
  • Active Suggestion: SPARROW not only identifies software vulnerabilities, but also can help remediate code using automated code suggestions.
  • Issue Classification:  SPARROW analyzes, ranks, and prioritizes high priority issues in an easy to read dashboard display.
  • Advanced Issue Filtering: SPARROW provides detailed filter options for the detected issues (e.g., source API, sink API, called method, etc.).

SPARROW is used by government agencies, corporations and anyone developing embedded software that requires a very high level of software quality. The SAST version of SPARROW is also used by government and the financial industry which aim to eliminate security weaknesses from their source code.

Fasoo is offering a limited introductory promotion for the cloud version of SPARROW. By purchasing a subscription between January 17, 2017 and March 30, 2017, customers will get the equivalent amount of extra time at no extra cost. For example, if customers select a one month subscription (Silver) they will receive an extra month free. Please click here for more information about SPARROW on Cloud.

Sparrow Static Application Security TestingWhile everyone still draws attention to the need for protection from cyber-attacks and the need for firewalls, intrusion prevention systems, and similar tools, recent highly publicized breaches have been raising awareness on weaknesses in software developed and used. The market is now forced to focus on how to identify and remediate vulnerabilities within applications themselves as things like buffer overruns, SQL injections, cross-site scripting, hard-coded passwords, memory leaks, uninitialized variables, division by zero, and integer overflows can have devastating results.

This is quite a change from the way things used to be. Rather than being an afterthought, security in software design is now becoming an increasingly important concern during development as applications are becoming more and more accessible and hence becoming vulnerable to a wide variety of threats. There is much concern over the likelihood of unauthorized code manipulating applications to access, steal, modify, or delete sensitive data.

You may be looking to incorporate Application Security Testing (AST) into your security program. Perhaps you have heard of various approaches and are trying to determine how best to proceed. As a first step, you may want to be familiar with the different approaches available in the marketplace today:

  • Static AST (SAST) – analyzes source code for vulnerabilities during programming and the testing software life cycle (SLC). Think of this as testing the application from inside out.
  • Dynamic AST (DAST) – analyzes the running state of applications during testing or when application is operational. Think of this approach as testing the application from outside in, probing and prodding it in unexpected ways to find security vulnerabilities.
  • Interactive AST (IAST) – combines SAST and DAST together.
  • Mobile AST – combines SAST and DAST plus behavioral analysis.

 

DAST and SAST are the most widely accepted approaches with high adoption and maturity rates out of the four types today. IAST and Mobile AST have only recently emerged and don’t have the same adoption as of yet.

Most organizations with limited resources have traditionally taken the route to implement DAST, primarily due to the thinking that it is cheaper and does not take a long time to implement and train the developers. However, this approach has usually fallen short in the more progressive development methods due to its inherent limitations. DAST tools can’t be used on source code or un-compiled application code, delaying the security deployment till the latter stages of development.

While the norm today in the market is that performing some application security testing is better than not performing any at all, organizations should consider combining SAST with DAST to combat the security challenges they face today. After all, application-layer attacks are growing at a stunning pace while organizations are trying to figure out how to adequately improve application security programs giving the bad guys the upper hand to do harm.

Static Application Security TestingMany companies have significant investments in network security, but it’s not enough because a significant chunk of all cyber-attacks are happening on the application layer. Cyber criminals are increasingly targeting the application stack for exploitation.

According to the U.S. Department of Homeland Security (DHS), 90% of security incidents result from exploits against defects in software. The Forrester Wave: Application Security Report says that companies rush to build and use applications without thinking about the security of the application itself.  The Global Information Security Workforce Study published by the International Information Systems Security Certification Con­sortium (ISC)2 claims that 30% of companies never scan for vulnerabilities during code development. These are all astounding findings!

Companies need to improve how they find and fix vulnerabilities and to reduce the risk created by the proliferation of vulnerable applications used on a daily basis. A good application security program has to start with a systematic process for assessing code during an application’s develop­ment stage requiring software assessments at every stage of the development process, rather than at the end of the cycle.  There is a significant amount of pressure on development teams to produce functional applications quickly and the emphasis on functionality and speed means security is generally left behind.

Companies face adversaries who are motivated by money, politics and other reasons to find vulnerabilities two they can steal sensitive and valuable information. One of the ways cyber criminals are doing this is by exploiting security vulnerabilities introduced or not remedied during the development cycle of the software. Many companies often require their developers only do the bare minimum for security; scanning code once rather than continuously.

Static and dynamic analyses are two of the most popular types of security tests.  There are many vendors in the market specializing in the field of application testing and security: some are big and others are smaller providing niche solutions. Companies must choose carefully which security testing to implement.

Typically, vulnerabilities found through the use of static analysis have a higher fix rate than those found by dynamic analysis. Static analysis compared with dynamic analysis is a more thorough and a more cost-efficient approach because of its ability to detect bugs at an early phase of the software development life-cycle.

Current times and challenges require companies to be vigilant in securing sensitive data to avoid costly and embarrassing data breaches. As part of an overall security posture, companies must not overlook the value of static application security testing. Given the inherent risk involved, an application vulnerability can cripple customer trust.  Static application security testing is a must have tool in any environment developing applications.

Pants DownTechnology has changed the way we live our lives. Whether we are at work, home or outside, we have become dependent on our computers, mobile phones and the internet. On a daily basis, we all interact with a significant number of applications.

Demand for technology has led to an explosion of software we use daily, whether these are applications used in the office or at home. Demand for new or updated functionality has shortened software release cycles and application developers need to rapidly introduce new features to outpace competition and meet customer demand. With this reality, application security risk management can no longer be treated as a nice-to-have element.  It must be a mission-critical requirement at every company that develops software.

Gone are the days with long release cycles and infrequent updates.  Application developers are faced with increased pressure to release software, updates and new features and this presents a significant issue with security. While software companies primarily focus on user experience and business value, often they miss the importance of ensuring the applications are truly secure without vulnerabilities.

Surveys like the recent Ponemon Institute 2016 Application Security Risk Management Study indicate that basic security steps are often neglected – 48% of respondents said their organizations don’t take basic security measures. How can applications be secure without appropriate security testing?

Application security testing ensures that potential application security vulnerabilities are remedied prior to the release and consumption by users. Static Application Security Testing (SAST) is one of the tools that must be part of every application development company’s security risk management process.

Often, companies think of SAST with high volume of vulnerability findings making remediation ineffective and time consuming. Learn about Fasoo’s SPARROW capabilities.

  • SPARROW enables developers and quality/security managers to remediate flaws reported through code suggestions.
  • SPARROW’s Intelligent Alarm Clustering groups related vulnerabilities in source code with a unique ID enabling faster remediation.

Organizations must utilize SAST in the scope of their application security preparedness to reduce risks that are introduced by application infrastructures. SAST must be part of security risk management practices in every company developing applications.

Achieving Software Quality and Secure Coding Concurrently

Major National Bank Achieves Software Quality and Secure Coding Concurrently through SPARROW

Expansion in electronic financial services requires advancement in software quality and secure coding

Report from the Financial Supervisory Service in 2012 states that half of the financial data processing errors were caused while modifying the program. For businesses related handling of financial transactions, the quality assurance of the software for the IT service is more important than in any other businesses. Furthermore, recently there are continuous and new means of cyber terror threats and in result, businesses are demanding security reinforcement through secure coding.

As the bank started to offer more diverse products and the workload got larger, they found limitations in relying on manpower to test development of software for the IT service. The bank found the necessity of detecting and removing potential SW vulnerabilities in outsourced programs of cooperative firms and all internally developing programs through a source code analyzer to strengthen automated quality testing and acquire security verification with secure coding.

Standards, performance and supporting systems of the source code analyzer

The bank selected the product SPARROW of Fasoo which has received praise for its detection performance and supporting system from a benchmarking test (BMT). SPARROW offers a semantic-based analysis, and shows great performance in detecting critical and hidden run-time errors. SPARROW not only follows development security guidelines from the Ministry of Security and Public Administration (MOSPA), but also international standard guidelines such as OWASP and CERT, and recently acquired the CWE certification for the first time in Korea. SPARROW was acknowledged for its ability to minimize security vulnerabilities set by these international standards. Currently, members from the biggest Korean research lab in the area of static analysis, Research on Software Error-free Computing Center of Seoul National University, are part of the team, committed in consulting and providing technical support.

Applied to all development work of the IT Department

For a successful integration, it was important to make the source code testing process smooth when developing, maintaining and operating various programs by more than 1,000 employees of the bank’s IT Department.

Developers check their source code frequently through the client analyzing manager and IDE plug-ins, and the person in charge of the quality manages the gathered analysis reports from the central manage system to ensure quality and security in the early developmental stage of the SDLC.

Furthermore, they have a development process that includes a configuration management system when developing a project with the cooperation of many developers. They create a workflow by linking the SPARROW analysis server and the configuration management system. Only source code verified by SPARROW is allowed to be transferred to the main server.

SPARROW composes of a deep source code analysis engine, a manager (Whistle) that performs analysis in the client, a plug-in that performs analysis in the IDE, and a central system NEST that gathers and manages the analysis results. Each module can easily be applied to different development environments anywhere in the SDLC.

Change central system to a combination of management and operation

Developed a central unified management system to inspect more than 100 project source codes from the bank’s IT Department that are split in developer or module scale. SPARROW’s unified management system NEST is an efficient web based system that inspects the quality and security of different business units and shows a statistical analysis of the result so that the present state of projects can easily be understood.

For work that requires more control, developers and checker groups can be set separately, and access privilege for each project can be controlled, overall enabling systematic management for the entire enterprise. Furthermore, efficiency was increased by tracking previous errors and making sure same errors do not appear twice.

It was important for them to develop a long-term standard system to manage source code from different developers. Before transferring to a different system, source code testing was mandatory and a subdivided standard system was also developed for continuous management and control.

Acquire quality and security together

International Internet security institution, CERT, released the ‘Top 10 Secure Coding Practices’, and the 9th guideline states to ‘Use effective quality assurance techniques’ for greater IT service quality improvement, as it is required to improve both quality and security.

The bank’s use of SPARROW will change the domestic financial IT service to acquiring both quality and security. Ultimately, SPARROW will upgrade the quality of all financial IT services.

From the Customer

“Since detection of run-time errors and security vulnerabilities is clearly evident, SPARROW is able to earn a justifiable reason to be used as a static application security testing tool and successfully be integrated into our systems.”

“After actually using the tool, the biggest advantage was that systematic management was possible through the analysis tool. The detected errors are divided into 5 levels: level 1 has errors that are certainly going to produce a problem, level 2 has errors that might produce unexpected results, and level 3 has errors that are recommended to be changed for maintenance and efficiency. This helps us to get rid of vulnerabilities and manage clean source code”

“We made a coding standard for us and customized SPARROW to suit the coding standard. Rule sets are delivered to developers by a centralized system, all developers used SPARROW on their own for identifying and managing SW vulnerabilities according to the corresponding rule set. The analysis is performed on IDE with the SPARROW plug-in or on build servers with command line scripts. The configuration management system is integrated with SPARROW for controlling the quality and security level of the source code. Only source code which has no SW vulnerability issues or which is granted by the QA manager can be transferred into the central server.”

“The most important factor to select a tool on BMT with various products is finding SW vulnerabilities accurately. Finding many issues with low false positive ratio is essential. Secondly, is finding SW defects which our QA departments want to find and identifying SW security vulnerabilities all in one tool. Thirdly, the analysis tool has to be easily integrated into the developer environments without modification and the analysis speed should equally as fast. Furthermore, the remediation guide for handling issues should be understandable. Lastly, we require robust control on quality and security level of source code for each project. Statistics and audit on each SW project are required.”

“It was useful to manage exceptions separately when transferring source code from the configuration management system to the operating server. We expect to use the statistical data from each team to increase quality and security of development in the SDLC. We also believe that the developing workforce will realize the importance of quality and security and bring overall improvement into both of these areas.”

– Manager, Quality Management Department-

 

About the bank

For the past 50 years, this bank has promoted educational supported projects, financial/credit businesses, and economic businesses to stimulate and provide balance for Korean’s agriculture and national economy. They have the largest financial network and one of the leading financial institutions in Korea.

Categories
fasoo_logo
Contact Us
Your data security journey starts from here!
See how Fasoo can help your data privacy and security.