Automating Your Code Review: Moving to a SaaS Model For

White Paper

Automating Your Code Review: Moving to a SaaS Model for Application Security

Contents

Overview 3
Executive Summary 3
Code Review and Security Analysis Methods 5
    Source Code Review 5
    Penetration Testing 6
    Binary Code Review 7
Application Rating and Remediation 7
Veracode and Automated Code Reviews 8
    Binary application analysis 8
    Application Reviews and Ratings for Software Procurement 9
    Remediation 9
    Multiple Vulnerability Detection Technologies 10
Summary 10
About Veracode 10

© 2008 Veracode, Inc.

Overview

Today's application has become the enterprise's "new perimeter". With better network-level security technology hardening the network perimeter, malicious attackers are now focusing their efforts to strike at the least defended point - the application. While hackers were once satisfied with defacing Web sites, unleashing denial-of-service attacks and trading illicit files through targeted networks, modern attackers are profit-driven. Financial and customer data have become valuable commodities, and applications must be secure enough to protect them.

Executive Summary

Software vulnerabilities have become extremely common, yet inspecting code for security flaws is such a time-consuming and expensive process that many businesses forgo it entirely. Automated inspection of software using tools or on-premise products expedites the process, but still requires an enterprise to invest significantly in IT resources, training and maintenance. It is also difficult, if not impossible, to deploy these resources consistently across geographically dispersed development groups, to address security risks posed by commercial software, or to cover offshore outsourced application development. Few businesses have the staff, security expertise, time and money necessary to analyze their entire application portfolio in-house. To complicate matters, source code is often unavailable for externally developed software, and those that do have access are wary of exposing their proprietary source code outside of the organization.

In a recent survey of U.S.-based software developers, only 12 percent of the developers who responded said that security takes precedence over and less than half have had any formal training on secure coding techniques and processes. This has resulted in over 7,000 new security vulnerabilities disclosed over the last year alone - an all-time high. In an effort to combat this growing trend, new compliance requirements from the Payment Card Industry (PCI) and the Comptroller of the Currency Administrator of National Banks (OCC), along with recommendations from industry groups and analysts, call for code reviews to secure software applications. On-demand application security testing offered as an automated service is emerging as a simpler and more cost-effective way to raise the security level of software. In fact, IT analyst firm Gartner predicts that within two years 50% of enterprises will be using some form of "security-as-a-service" offering.
Application security offered as an on-demand service - based on binary analysis and dynamic web scanning technologies - allows organizations to review their entire code base for vulnerabilities without exposing their source code. On-demand application security is a major step toward reducing risk in applications developed in house, commercial off-the-shelf (COTS) software, and applications developed by offshore outsourcing providers.

Software: Today's Biggest Security Risk

Today's application has become the enterprise's "new perimeter". With better network-level security technology hardening the network perimeter, malicious attackers are now focusing their efforts to strike at the least defended point - the application. While hackers were once satisfied with defacing Web sites, unleashing denial-of-service attacks and trading illicit files through targeted networks, modern attackers are profit-driven. Financial and customer data have become valuable commodities, and applications must be secure enough to protect them.

Recent industry statistics confirm this trend. Data from CERT reveals that the number of software vulnerabilities has risen dramatically and has eclipsed 7,000 new software vulnerability disclosures in the past year - an all-time high. Meanwhile, Gartner and NIST report that 95% of all reported vulnerabilities are in software, 75% of threats target business information, and 75% of attacks target the application level. Yet, even with these findings, most enterprises allocate less than 10% of their security spending to application security.

[Figure: NIST/Gartner Key Facts]
[Figure: CERT - Number of Software Vulnerability Disclosures per Year]

Code Review and Security Analysis Methods

There are several methods in today's marketplace for organizations to introduce application security into their businesses, either dynamically, with penetration testing, or statically, with source code analysis or binary code analysis:

1. Source Code Review - manual and automated
2. Penetration Testing - manual and automated
3. Binary Code Review - automated, as a service

Source Code Review

Source code scanning comes in two forms - manual and automated analysis. Both allow developers to inspect code for known security vulnerabilities before compilation. Fixing these flaws during coding can reduce the number of builds necessary to produce a secure product and educate internal developers about secure coding practices.

Manual source code analysis, though very in-depth, is labor intensive and requires highly skilled application security experts. Because of this, it lacks repeatability and is generally not considered practical.

Automated source code analysis is becoming more prevalent in the marketplace, but because source code is proprietary, most businesses are wary of submitting it for off-site third-party analysis. As a result, these scanning tools are deployed as "on-premises" software, requiring dedicated infrastructure and staff with application security expertise. Automated scanning tools shorten testing times, but require dedicated hardware, installation, configuration, training, and frequent updates, making them costly and time consuming for organizations. Most businesses cannot justify hiring dedicated application security experts to perform source code reviews. Thus, whether manual or automated, source code scanning forces organizations to re-task developers and QA personnel who may have limited expertise in application security.

Additionally, modern software development practices may limit the effectiveness of source code scanning. By definition, a source code scan can only be as effective as the amount of source code available to it. Businesses frequently integrate code from third parties, such as libraries, commercial off-the-shelf (COTS) software, and open-source software.
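The coverage limitation just described can be made concrete with a small worked example. The following is an added illustration, not code from the white paper or from Veracode's products: a minimal pattern-based source scanner run over a constructed three-component portfolio. The rule set, component names, origins and code snippets are all constructed for the example. The scanner flags known dangerous API uses in the two components whose source is available and reports the COTS component, delivered only as a compiled library, as unreviewed, which is exactly the gap a source-only review leaves.

```python
"""Minimal pattern-based source code review over a small application portfolio.

Added illustration, not Veracode's tooling: the rules, component names and
code snippets below are all constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed rule set: (rule id, pattern, why a match is reported).
RULES = [
    ("c-strcpy", re.compile(r"\bstrcpy\s*\("),
     "unbounded string copy; use a length-checked alternative"),
    ("c-gets", re.compile(r"\bgets\s*\("),
     "gets() cannot limit input length"),
    ("py-eval", re.compile(r"\beval\s*\("),
     "eval() on untrusted data executes arbitrary code"),
    ("sql-concat",
     re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*[\"']\s*\+", re.IGNORECASE),
     "SQL statement built by string concatenation; use parameterized queries"),
]


@dataclass
class Component:
    name: str
    origin: str                    # "in-house", "outsourced", "COTS"
    source: Optional[str] = None   # None when only a compiled artifact was delivered


@dataclass
class Finding:
    component: str
    line: int
    rule: str
    reason: str


@dataclass
class Report:
    findings: List[Finding] = field(default_factory=list)
    unreviewed: List[str] = field(default_factory=list)


def scan_source(name: str, source: str) -> List[Finding]:
    """Report every rule match in a component's source, one finding per line and rule."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith(("#", "//")):
            continue  # whole-line comments are not executable code
        for rule_id, pattern, reason in RULES:
            if pattern.search(line):
                findings.append(Finding(name, lineno, rule_id, reason))
    return findings


def review_portfolio(components: List[Component]) -> Report:
    """Scan what can be scanned; record components that arrived without source."""
    report = Report()
    for comp in components:
        if comp.source is None:
            report.unreviewed.append(comp.name)
        else:
            report.findings.extend(scan_source(comp.name, comp.source))
    return report


def source_coverage(components: List[Component]) -> float:
    """Fraction of the portfolio a source-only review can actually inspect."""
    reviewed = sum(1 for c in components if c.source is not None)
    return reviewed / len(components)


# Constructed portfolio: two components with source, one COTS binary.
PORTFOLIO = [
    Component("billing-service", "in-house", source=(
        "def lookup(user):\n"
        "    # constructed: query assembled from caller-supplied input\n"
        "    q = \"SELECT * FROM accounts WHERE owner = '\" + user + \"'\"\n"
        "    return db.execute(q)\n")),
    Component("legacy-parser", "outsourced", source=(
        "#include <string.h>\n"
        "void copy_name(char *dst, const char *src) {\n"
        "    strcpy(dst, src); /* constructed: destination size never checked */\n"
        "}\n")),
    Component("report-engine", "COTS"),  # vendor shipped only a compiled library
]


if __name__ == "__main__":
    report = review_portfolio(PORTFOLIO)
    for f in report.findings:
        print(f"{f.component}:{f.line} [{f.rule}] {f.reason}")
    for name in report.unreviewed:
        print(f"{name}: not reviewable, no source available")
    print(f"source coverage: {source_coverage(PORTFOLIO):.0%}")
```

Run directly, the script lists one finding in each of the two components it can read and reports the COTS component as unreviewed, with source coverage of two thirds of the portfolio. The pattern matching is deliberately simple; the point is the coverage accounting, not the rule quality: a review that can only inspect delivered source says nothing about the components that arrive as binaries, and a real program has to account for that gap rather than report a clean result.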
Enforcing secure coding standards with outsourced and offshore development partners is typically difficult, and enforcing these standards for COTS components from third-party vendors is impossible using source code analysis alone.

Penetration Testing

Manual penetration testing involves a human tester simulating an actual external attack. During a test, a security expert attempts to compromise a target application using exactly the same methods as a hacker. Manual penetration testing is usually conducted in a "black box" setting - tested from the outside in, with no knowledge of source code or internal processes. Businesses can safely outsource most black box testing, but outsourcing the more valuable "white box" testing, performed with specific knowledge of source code or software design documentation, risks compromising proprietary assets.

Manual penetration testing can provide valuable spot checks and perhaps detect some "low hanging fruit" vulnerabilities, but the tester's level of knowledge and the inability to achieve adequate coverage of the application's code from its external interfaces limit its effectiveness. Even a team of the best testers would be unable to perform comprehensive tests on repeated builds of an application without slowing the SDLC and adding substantial costs. Manual penetration testing can be non-deterministic, with testers continuing to find flaws when given an unlimited amount of time. As a result, manual penetration testing, while valuable, can be costly and time consuming for organizations looking to introduce security into their applications or analyzing third-party applications for security flaws.

To address the limitations of manual penetration testing, software vendors now offer tools that automate the most common scans and penetration attempts. Automated penetration testing provides a faster, more consistent scan of common external vulnerabilities than manual testing. However, these tools are not fully automated. They require a human to "guide" or "teach" the tool
