White Paper

Automating Your :

Moving to a SaaS Model for Application Security

Contents

Overview
Executive Summary
Code Review and Security Analysis Methods
    Source Code Review
    Penetration Testing
    Binary Code Review
Application Rating and Remediation
Veracode and Automated Code Reviews
    Binary application analysis
    Application Reviews and Ratings for Software Procurement
    Remediation
    Multiple Vulnerability Detection Technologies
Summary
About Veracode

© 2008 Veracode, Inc.


Overview

Today’s application has become the enterprise’s “new perimeter”. With better network‐level security technology hardening the network perimeter, malicious attackers are now focusing their efforts to strike at the least defended point – the application. While hackers were once satisfied with defacing Web sites, unleashing denial‐of‐service attacks and trading illicit files through targeted networks, modern attackers are profit‐driven. Financial and customer data have become valuable commodities and applications must be secure enough to protect them.

Executive Summary

Software vulnerabilities have become extremely common, yet inspecting code for security flaws is such a time‐consuming and expensive process that many businesses forgo it entirely. Automated inspection of software using tools or on‐premise products expedites the process, but still requires an enterprise to invest significantly in IT resources, training and maintenance. It is also difficult, if not impossible, to deploy these resources consistently across geographically dispersed development groups, to address security risks posed by commercial software, or to cover offshore outsourced application development. Few businesses have the staff, security expertise, time and money necessary to analyze their entire application portfolio in‐house. To complicate matters, source code is often unavailable for externally developed software, and those that do have access are wary of exposing their proprietary source code outside of the organization.

In a recent survey of U.S.‐based software developers, only 12 percent of the developers who responded said that security takes precedence over and less than half have had any formal training on secure coding techniques and processes. This has resulted in over 7,000 new security vulnerabilities disclosed over the last year alone – an all‐time high. In an effort to combat this growing trend, new compliance requirements from the Payment Card Industry (PCI) and the Comptroller of the Currency Administrator of National Banks (OCC), along with recommendations from industry groups and analysts, call for code reviews to secure software applications.

On‐demand application security testing offered as an automated service is emerging as a simpler and more cost‐effective way to raise the security level of software. In fact, IT analyst firm Gartner predicts that within two years 50% of enterprises will be using some form of “security‐as‐a‐service” offering. Application security offered as an on‐demand service – based on binary analysis and dynamic web scanning technologies – allows organizations to review their entire code base for vulnerabilities without exposing their source code. On‐demand application security is a major step toward reducing risk in applications developed in house, in commercial‐off‐the‐shelf (COTS) software, and in applications developed by offshore outsourcing providers.


Software: Today’s Biggest Security Risk

Today’s application has become the enterprise’s “new perimeter”. With better network‐level security technology hardening the network perimeter, malicious attackers are now focusing their efforts to strike at the least defended point – the application. While hackers were once satisfied with defacing Web sites, unleashing denial‐of‐service attacks and trading illicit files through targeted networks, modern attackers are profit‐driven. Financial and customer data have become valuable commodities and applications must be secure enough to protect them.

Recent industry statistics confirm this trend. Data from CERT reveals that the number of software vulnerabilities has risen dramatically and has eclipsed 7,000 new software vulnerability disclosures in the past year – an all‐time high. Meanwhile, Gartner and NIST report that 95% of all reported vulnerabilities are in software, 75% of threats target business information, and 75% of attacks target the application level. Yet, even with these findings, most enterprises allocate less than 10% of their security spending to application security.

Figure: NIST/Gartner Key Facts

Figure: CERT – Number of Software Vulnerability Disclosures per Year

Code Review and Security Analysis Methods

There are several methods in today’s marketplace for organizations to introduce application security into their businesses either dynamically, with penetration testing, or statically, with source code analysis or binary code analysis:

1. Source Code Review – manual and automated

2. Penetration Testing – manual and automated

3. Binary Code Review – automated, as a service

Source Code Review

Source code scanning comes in two forms – manual and automated analysis. Both allow developers to inspect code for known security vulnerabilities before compilation. Fixing these flaws during coding can reduce the number of builds necessary to produce a secure product and educate internal developers about secure coding practices.

Manual source code analysis, though very in‐depth, is labor intensive and requires highly skilled application security experts. Because of this, it lacks repeatability and is generally not considered practical. Automated source code analysis is becoming more prevalent in the marketplace, but because source code is proprietary, most businesses are wary of submitting it for off‐site third‐party analysis. As a result, these scanning tools are deployed as “on‐premises” software, requiring dedicated infrastructure and staff with application security expertise. Automated scanning tools shorten testing times, but require dedicated hardware, installation, configuration, training, and frequent updates, making them costly and time consuming for organizations.

Most businesses cannot justify hiring dedicated application security experts to perform source code reviews. Thus, whether manual or automated, source code scanning forces organizations to re‐task developers and QA personnel who may have limited expertise in application security. Additionally, modern development practices may limit the effectiveness of source code scanning. By definition, a source code scan can only be as effective as the amount of source code available to it. Businesses frequently integrate code from third parties, such as libraries, commercial off‐the‐shelf (COTS) software, and open‐source software. Enforcing secure coding standards with outsourced and offshore development partners is typically difficult, and enforcing these standards for COTS components from third‐party vendors is impossible using source code analysis alone.

Penetration Testing

Manual penetration testing involves a human tester simulating an actual external attack. During a test, a security expert attempts to compromise a target application using exactly the same methods as a hacker. Manual penetration testing is usually conducted in a “black box” setting – tested from the outside in, with no knowledge of source code or internal processes. Businesses can safely outsource most black box testing, but outsourcing more valuable “white box” testing, performed with specific knowledge of source code or documentation, risks compromising proprietary assets.

Manual penetration testing can provide valuable spot checks and perhaps detect some “low hanging fruit” vulnerabilities, but the tester’s level of knowledge and the inability to achieve adequate coverage of the application’s code from its external interfaces limit its effectiveness. Even a team of the best testers would be unable to perform comprehensive tests on repeated builds of an application without slowing the SDLC and adding substantial costs. Manual penetration testing can be non‐deterministic, with testers continuing to find flaws when given an unlimited amount of time. As a result, manual penetration testing, while valuable, can be costly and time consuming for organizations looking to introduce security into their applications or to analyze third‐party applications for security flaws.

To address the limitations of manual penetration testing, software vendors now offer tools that automate the most common scans and penetration attempts. Automated penetration testing provides a faster, more consistent scan of common external vulnerabilities than manual testing. However, these tools are not fully automated. They require a human to “guide” or “teach” the tool about the application and require a human with security knowledge to investigate false positives.

Despite its cost and time advantages, automated penetration testing is not a replacement for manual testing. Some applications behave unpredictably and automated test tools cannot predict how a human attacker might react to those behaviors. Both manual and automated penetration testing require application security analysts with deep expertise in design, development and deployment. In addition, both tests come late in the SDLC. Organizations are faced with a difficult choice – delay the software release in order to fix vulnerabilities and lose revenue or deploy the application and plan to issue a potentially expensive patch.


Binary Code Review

The analysis of compiled applications is a recent development in security testing. Like source code reviews, binary reviews fall under the category of static analysis, also commonly called “white‐box” testing, and have the same distinct advantages: they can evaluate both web and non‐web applications and, through advanced modeling, can detect flaws in the software’s inputs and outputs that cannot be seen through penetration testing alone. By examining a compiled form of an application in its runtime environment, this technique can provide a much more comprehensive picture of real‐world vulnerabilities. While integrating other forms of security testing requires significant process modifications, analyzing the binaries requires very few. The standard SDLC provides a window for binary analysis during build acceptance testing, and developers can run security analysis in parallel from the same compiled binary. Binary analysis creates a behavioral model by analyzing an application’s control and data flow through executable machine code – the way an attacker sees it. Unlike source code tools, this approach accurately detects issues in the core application and extends coverage to vulnerabilities found in third‐party libraries, pre‐packaged components, and code introduced by compiler‐ or platform‐specific interpretations. Another advantage of binary analysis is the ability to detect growing types of threats – such as those coming from malicious code and backdoors – which are impossible to spot with traditional tools because they are not visible in source code. Perhaps the biggest advantage of binary code reviews is that static binaries are fully compiled, and therefore safer to release to third‐party security services for analysis without risking proprietary assets.

Performing binary code reviews removes concerns surrounding intellectual property contained in source code and applies to situations where source code is not available, as is the case with commercial software, legacy applications or many offshore outsourced applications. This removes the requirement for an “on‐premises” tool and enables application security to be delivered externally using a Security‐as‐a‐Service (SaaS) model.

Application Rating and Remediation

Regardless of their choice of techniques for application analysis, most businesses are not prepared to process the resulting security analysis data. Application development departments are focused on bringing functional applications to market as quickly and inexpensively as possible. Quality assurance departments can classify and prioritize functional defects, or “bugs,” in software according to established practices, but most businesses are unable to classify and prioritize security defects from vulnerability data. False positives and a lack of experience balancing acceptable levels of security risk and market demands further complicate this process.

To help businesses prioritize decisions about which flaws to fix, a scoring and ranking system has been developed in the marketplace. Until recently, each security solution provider assessed the severity of vulnerabilities according to its own proprietary system. This led to discrepancies between products and services and limited the value of security assessments. In 2005, a coalition of security experts created the Common Vulnerability Scoring System (CVSS), a vendor‐agnostic standard for communicating the severity of vulnerabilities. CVSS uses standard mathematical equations to calculate the severity of new vulnerabilities and provides scores based on the following factors:

• System vulnerability and type of security impact
• Exploitability and remediation availability
• Severity potential

CVSS is a consistent benchmark for application security, providing businesses with actionable data and ensuring that their security efforts can be documented for regulatory compliance. Once a business can quantify the severity of its vulnerabilities, it can begin adjusting its ship or launch decision process to address them.

Scored and prioritized vulnerability data provides an excellent starting point for a formal security remediation program. Each vulnerability that is uncovered and classified provides a specific, actionable example of a poor coding practice from which developers can learn. With the assistance of a security expert, businesses can build a library of secure coding best practices tied to real‐world examples from their own code bases. Over time, this knowledge will improve the quality of a business’ developers and its applications, reducing cost and increasing productivity. Businesses can use application scoring as a method of tracking a developer’s or group’s progress toward secure coding standards, and can compare their scores to those of other companies or industry benchmarks, if available.

Veracode and Automated Code Reviews

Veracode provides automated, on‐demand application security solutions, offered as Software‐as‐a‐Service (SaaS), that identify and help remediate application flaws introduced through coding errors or malicious intent. Veracode combines its patented binary code analysis with multiple scanning technologies, including dynamic web scanning analysis, into a single solution. Because it is based on multiple scanning technologies, Veracode SecurityReview® offers accurate and comprehensive application security analysis. And by offering it through an automated, on‐demand solution, Veracode makes it easy and cost‐effective to find and fix application vulnerabilities that can put organizations at risk – whether they are developing applications in house or purchasing applications from an outside vendor.

Binary application analysis

Veracode provides binary (composite) application analysis based on the industry’s first patented binary vulnerability scanning technology. Binary analysis peers deep into all code paths and data flows that the program will execute without actually running the program. By examining a compiled form of an application or component in the context of its runtime environment, Veracode provides a complete picture of real‐world vulnerabilities. It also examines real‐time communication among components for any weaknesses introduced during linkage. Binary analysis provides the easiest, most accurate and most comprehensive method of checking application security. In addition, it enables organizations to improve software security during the development process and does not put a company’s intellectual property at risk, because it does not require source code.

Application Reviews and Ratings for Software Procurement

The software industry is one of the largest manufacturing industries in the world, with $350 billion in off‐the‐shelf software sold each year and over $100 billion in customized code on top of that. Despite this size, there is no standardized notion of software security quality, even though the repercussions include product patches, data breaches leading to massive identity theft, and fluctuations in corporate stock prices. Until now, independent software ratings have not been possible for two reasons:

• The sensitivity associated with releasing source code for independent evaluation;
• Existing evaluation tools are not able to assess 100% of the application code, which is a prerequisite for accurate rating.

Veracode’s innovation with binary security analysis, coupled with its on‐demand service model that integrates multiple testing techniques, makes this rating service possible, as it does not require organizations to divulge their proprietary source code. Veracode provides application security ratings for applications based on industry standards, including MITRE’s Common Weakness Enumeration (CWE) for classification of software weaknesses and FIRST’s Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability. Veracode is the only organization to combine these standards in a meaningful and practical way to assess software security across internally and externally developed applications.

Veracode Software Security Ratings provide:

• Clear insight into the security level of software from a trusted and independent third party;
• A practical way to set security thresholds for purchased software before it’s deployed in‐house;
• A standard method to implement code acceptance security policies for outsourced application development and to evaluate software security risk in M&A transactions.

Remediation

The Veracode world‐class team of application security experts passes along its expertise through a second, more detailed report designed to help developers fix the most severe vulnerabilities faster and become familiar with secure coding standards. This report points out the exact line of code creating each problem, provides supplementary details about the nature of the issue, and recommends a specific fix. This context enables developers to learn from their mistakes, eventually leading to cleaner, more secure code in future products. The Veracode reporting interface is similar to the standard integrated development environments (IDEs) with which developers are already familiar, reducing acclimation time. By providing remediation reports and updating the scanner to reflect the latest security developments, Veracode’s security team provides expertise that would be impossible to obtain from in‐house staff at most software development organizations.

Multiple Vulnerability Detection Technologies

While composite analysis using binary technology is the most effective single method of security analysis, it is not the only technique, nor is it as effective as a combination of approaches that include binary analysis. Different companies require varying levels of software assurance based on their business requirements. To meet these needs, Veracode integrates multiple types of security analysis, such as dynamic Web application analysis and manual and automated penetration testing. By helping teams work together to identify, prioritize, and remedy security issues, the Veracode platform will help businesses build more secure, cost‐effective applications and help organizations purchasing applications reduce the risk associated with application vulnerabilities.

Summary

Maturing security technologies at the network level have shifted the focus of many new malicious hacker attacks to the application itself. For protection from this evolving threat, businesses need to assess application‐level security on a regular and timely basis. Technological, financial, and process limitations inhibit the effectiveness of penetration testing and source code analysis, leaving businesses without a viable method of comprehensive security testing. Automated code reviews using static binary analysis, delivered via a software‐as‐a‐service model, provide an opportunity for businesses to conduct comprehensive security testing, exposing weaknesses that might not be visible through other methods, with minimal impact on development process or deployment timelines. The Veracode software security solution integrates binary analysis with multiple application testing techniques to provide vulnerability severity ratings and remediation advice, allowing businesses to make informed business decisions as they secure their internal and purchased applications easily and cost‐effectively.

About Veracode

Veracode is the world’s leader in on‐demand application security testing solutions. Veracode SecurityReview is the industry’s first solution to use patented binary code analysis and dynamic web analysis to assess any application security threat, including vulnerabilities such as cross‐site scripting (XSS), SQL injection, buffer overflows and malicious code. SecurityReview performs the only complete and independent security audit across internally developed applications, third‐party commercial off‐the‐shelf software and offshore code without exposing a company’s source code. Delivered as an on‐demand service, Veracode offers the simplest and most cost‐effective way to implement security best practices, reduce operational cost and meet regulatory requirements such as PCI compliance without requiring any hardware, software or training.

Veracode has established a position as the market visionary and leader with awards that include recognition as a Gartner “Cool Vendor” 2008, Info Security Product Guide’s “Tomorrow’s Technology Today Award 2008,” Information Security “Readers’ Choice Award 2008,” AlwaysOn Northeast's "Top 100 Private Company 2008", NetworkWorld “Top 10 Security Company to Watch 2007,” and Dark Reading’s “Top 10 Hot Security Startups 2007.”

Based in Burlington, Mass., Veracode is backed by .406 Ventures, Atlas Venture and Polaris Venture Partners. For more information, visit www.veracode.com.
