Thursday, 5 November 2009

True Source Code Analysis for Security 2009

This paper illustrates the problems associated with code analysis executed on binary or byte-code representations and how scanning the source itself avoids those drawbacks.


Abstract
CISOs have responded to the sharp rise in hacking by asking developers and auditors to implement secure software development for in-house and outsourced code. In recent years, "source" code analysis has become the de facto choice for introducing secure development as well as for gauging inherent software risk.

The irony is that source code analysis often does not look at the source at all. In fact, the majority of the products use binary analysis or byte-code analysis (BCA) of the compiler's output. This method saves a great deal of effort when developing the analysis tools, but drastically lowers the usability and accuracy of the results. For example, current technical approaches examine code so late in the development cycle, or—worse—after development, that a high volume of vulnerabilities is left undiscovered. The unfortunate developer and auditor are thus technically incapable of delivering the CISO's vision of secure software.
The differences between binary analysis and byte-code analysis have received little attention; the topic was addressed in just two recent blog posts. Worse, true source code analysis (TSCA), which seems the most logical form of SCA, has been largely ignored. Yet only TSCA can deliver on the CISO's promise of building security in.

Further, with the onset of cloud computing there is a new breed of languages, used mainly on cloud platforms, where the developer writes the code while the cloud platform provider is responsible for validating, compiling (with a proprietary compiler) and executing the programs. The code has no manifestation as byte-code or as a binary, so SCA must be done on the source code itself. No static analyzer is properly equipped to address this growing, important segment.
This technical paper fills that gap and explains, with detailed code examples, how developers, auditors and cloud platform providers benefit from deploying a true source code analysis tool.
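The kind of source-level analysis the abstract argues for, shown as an added illustration that is not code from the paper or from any tool it describes: a toy intra-procedural taint tracker built on Python's standard `ast` module. The lists of untrusted sources, sanitizers and dangerous sinks, and the sample program it scans, are constructed assumptions for this example. The point it makes is that variable names, exact line numbers and comments are available directly from the source, with no compiled or byte-code representation in between, which is precisely what a cloud-hosted language with a proprietary compiler would deny a byte-code analyzer.

```python
import ast
from dataclasses import dataclass

# Constructed policy for this toy analyzer (assumption, not from the paper):
# calls whose result is untrusted, calls that neutralise taint, and
# dangerous sinks that must never receive tainted data.
TAINT_SOURCES = {"input", "request.get_param"}
SANITIZERS = {"int", "shlex.quote"}
SINKS = {"eval", "exec", "os.system", "subprocess.call"}


@dataclass
class Finding:
    sink: str          # dotted name of the sink call
    line: int          # source line of the sink (only source analysis has this)
    tainted_name: str  # variable or source call that fed the sink


def _call_name(node):
    """Return 'f' or 'mod.f' for a call expression, or None if it is more complex."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Intra-procedural taint tracking over the Python AST.

    Function parameters and TAINT_SOURCES calls are untrusted; taint follows
    plain assignments; a SANITIZERS call clears it; reaching a SINK is a finding.
    """

    def __init__(self):
        self.tainted = set()   # names currently holding untrusted data
        self.findings = []

    def _taint_of(self, expr):
        """Name of the tainted variable or source call feeding expr, else None."""
        if isinstance(expr, ast.Call) and _call_name(expr) in SANITIZERS:
            return None
        for sub in ast.walk(expr):
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return sub.id
            if isinstance(sub, ast.Call) and _call_name(sub) in TAINT_SOURCES:
                return _call_name(sub)
        return None

    def visit_FunctionDef(self, node):
        # Every parameter of a function is treated as attacker-controlled.
        saved = self.tainted
        self.tainted = {a.arg for a in node.args.args}
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node):
        source = self._taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if source:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _call_name(node)
        if name in SINKS:
            for arg in node.args:
                source = self._taint_of(arg)
                if source:
                    self.findings.append(Finding(name, node.lineno, source))
                    break
        self.generic_visit(node)


def analyze(source_text):
    """Parse Python source text and return the list of tainted sink calls."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source_text))
    return analyzer.findings


# Constructed sample program under analysis (not from the paper).
SAMPLE = """
import os, shlex

def run(cmd_from_user):
    os.system("ls " + cmd_from_user)       # parameter reaches a sink: finding

def safe(cmd_from_user):
    clean = shlex.quote(cmd_from_user)
    os.system("ls " + clean)               # sanitized first: no finding

def prompt():
    name = input()
    eval(name)                             # taint flows via assignment: finding
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: {f.sink}() receives untrusted data from {f.tainted_name}")
```

Running the block reports two findings (lines 5 and 13 of the sample) and nothing for `safe`, because the sanitizer call cleared the taint before the sink. A real analyzer would add inter-procedural flow, aliasing and a far larger policy, but none of that changes the underlying advantage: the report points at the developer's own line and variable name rather than at a decompiled reconstruction.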

Download
(October 2009)
