Software Security Assessment Tools Review
Total Page:16
File Type:pdf, Size:1020Kb
Software Security Assessment Tools Review Software Security Assessment Tools Review 2 March 2009 Jointly funded by: Assistant Secretary of the Navy Chief System Engineer 197 Isaac Hull Washington Navy Yard, DC and Naval Ordnance Safety & Security Activity Box 47, Bldg D-323 3817 Strauss Avenue Indian Head, MD 20640 Prepared by: Booz Allen Hamilton McLean, VA Software Security Assessment Tools Review Table of Contents 1. Executive Summary .................................................................................................... 1-1 2. Purpose, Scope, and Background ................................................................................ 2-1 3. Problem Space ............................................................................................................. 3-1 3.1 Threat Environment ..................................................................................................... 3-1 3.2 Properties of Interest in the Software to be Analyzed ................................................. 3-1 3.3 Nature of Software to be Analyzed ............................................................................. 3-1 3.4 Techniques for Testing ................................................................................................ 3-1 3.5 Business Case for Security Testing ............................................................................. 3-2 4. Tool Technologies ....................................................................................................... 4-1 4.1 Analysis of Source Code ............................................................................................. 4-3 4.1.1 Static Analysis Code Scanning .................................................................................... 4-3 4.1.1.1 When to Use Static Analysis Tools ............................................................................. 4-3 4.1.1.2 Required Skills ............................................................................................................ 4-4 4.1.1.3 Potential Benefits ........................................................................................................ 4-4 4.1.1.4 Drawbacks ................................................................................................................... 4-5 4.1.1.5 Static Analysis Tools ................................................................................................... 4-5 4.1.2 Source Code Fault Injection ........................................................................................ 4-9 4.1.2.1 When to Use Source Code Fault Injection .................................................................. 4-9 4.1.2.2 Required Skills .......................................................................................................... 4-10 4.1.2.3 Benefits ...................................................................................................................... 4-10 4.1.2.4 Drawbacks ................................................................................................................. 4-10 4.1.2.5 Specific Tools ............................................................................................................ 4-10 4.1.3 Dynamic Analysis ..................................................................................................... 4-11 4.1.3.1 When to Use Dynamic Analysis ............................................................................... 4-12 4.1.3.2 Required Skills .......................................................................................................... 4-12 4.1.3.3 Benefits ...................................................................................................................... 4-12 4.1.3.4 Drawbacks ................................................................................................................. 4-12 4.1.3.5 Tools .......................................................................................................................... 4-12 4.1.4 Architectural Analysis ............................................................................................... 4-13 4.1.4.1 Asset Identification .................................................................................................... 4-14 4.1.4.2 Risk Analysis ............................................................................................................. 4-14 4.1.4.3 Threat Analysis .......................................................................................................... 4-16 4.1.4.4 Architectural Risk Analysis ....................................................................................... 4-18 4.1.4.5 Organizing Risk Information ..................................................................................... 4-19 4.1.4.6 Risk Likelihood Determination ................................................................................. 4-20 4.1.4.7 Risk Impact Determination ....................................................................................... 4-21 4.1.4.8 Risk Exposure Statement ........................................................................................... 4-22 4.1.4.9 Risk Mitigation .......................................................................................................... 4-22 4.1.4.10 When to Apply Risk Analysis ................................................................................... 4-23 4.1.4.11 Tools .......................................................................................................................... 4-25 4.1.5 Pedigree Analysis ...................................................................................................... 4-27 4.1.5.1 When to Use Pedigree Analysis ................................................................................ 4-27 4.1.5.2 Benefits of Pedigree Analysis ................................................................................... 4-28 4.1.5.3 Drawbacks of Pedigree Analysis ............................................................................... 4-28 i Software Security Assessment Tools Review Table of Contents (cont'd) 4.1.5.4 Pedigree Analysis Tools ............................................................................................ 4-28 4.2 Analysis of Executables ............................................................................................ 4-29 4.2.1 Binary Code Analysis ................................................................................................ 4-29 4.2.1.1 When to Use Binary Analysis ................................................................................... 4-29 4.2.1.2 Required Skills .......................................................................................................... 4-29 4.2.1.3 Benefits ...................................................................................................................... 4-30 4.2.1.4 Drawbacks ................................................................................................................. 4-30 4.2.1.5 Specific Tools and Services ...................................................................................... 4-30 4.2.2 Disassembler Analysis Tools .................................................................................... 4-31 4.2.2.1 When to Use Disassembler Analysis ......................................................................... 4-31 4.2.2.2 Benefits ...................................................................................................................... 4-31 4.2.2.3 Drawbacks ................................................................................................................. 4-31 4.2.2.4 Specific Tools and Services for Hire ......................................................................... 4-32 4.2.3 Binary Fault Injection ................................................................................................ 4-32 4.2.3.1 When to Use Binary Fault Injection .......................................................................... 4-33 4.2.3.2 Required Skills .......................................................................................................... 4-33 4.2.3.3 Benefits ...................................................................................................................... 4-33 4.2.3.4 Drawbacks ................................................................................................................. 4-34 4.2.3.5 Tools .......................................................................................................................... 4-34 4.2.4 Fuzzing ...................................................................................................................... 4-34 4.2.4.1 When to Use Fuzzing ................................................................................................ 4-34 4.2.4.2 Required Skills .......................................................................................................... 4-35 4.2.4.3 Benefits of Fuzzing ................................................................................................... 4-35 4.2.4.4 Drawbacks ................................................................................................................. 4-36 4.2.4.5 Tools: ......................................................................................................................... 4-36 4.2.5 Malicious Code Detectors ........................................................................................