Software Assurance            Software Hardening            Autonomic Computing

The Role of Static Analysis in a Secure Software Development Lifecycle


INTRODUCTION:

"When should static analysis be applied?" The answer to this question is fairly straightforward: "whenever code is being developed." This however, is a simplification. The longer answer is "part of a structured and secure development process."  Static analysis is an important part of a modern software development tool suite which when applied correctly and sufficiently early can have a significant impact on code quality, security, and safety. Perhaps the most relevant point is the role static analysis plays in a security-first software design is critical in today's connected and complex operating environment. 

Related:

Security-First Design

A security-first design is an approach that integrates security as a top priority in the software development lifecycle (SDLC). To implement this approach, developers and project managers can expect at least the following types of activities while progressing through the five key stages of the cycle:

Slide1.jpg

 Figure 1: Security processes superimposed over the software design lifecycle.

Requirement definition: At the requirement stage, security-specific requirements can be introduced, along with known “abuse cases” (use cases that an attacker might follow) and a risk analysis.

Design and architecture: As candidate architectures become available, reviews must include security aspects that may not have been included previously. At this stage, testing plans should be created that include security analyses that follow the perceived “abuse cases.

Code development: At the coding stage, following security guidelines and coding standards are critical. The use of automation tools such as static analysis is key to ensure that vulnerabilities are not introduced into the product.

Integration and test: As the system as a whole starts to take form, subsystem and system testing will find vulnerabilities before integration and deployment to the market.

Deployment and maintenance: When a product enters the market and starts wide deployment, security vulnerabilities become exponentially costlier to fix. As a product goes through maintenance and revision, security is an on going concern and new vulnerabilities and threats need to be fed back in to the system in an iterative approach.

The Role of Static Analysis Tools in Improving Security

Static analysis tools like GrammaTech’s CodeSonar provide critical support in the coding and integration phases of development. Ensuring continuous code quality, both in the development and maintenance phases, greatly reduces the costs and risks of security and reliability issues in software. In particular, it provides some of the following benefits:

  • Continuous source code quality and security assurance: Static analysis is often applied initially to a large codebase as part of its initial integration as discussed below. However, where it really shines is after an initial code quality and security baseline is established. As each new code block is written (file or function), it can be scanned by the static analysis tools, and developers can deal with the errors and warnings quickly and efficiently before checking code into the build system. Detecting errors and vulnerabilities (and maintaining secure coding standards, discussed below) in the source at the source (developers themselves) yields the biggest impact from the tools.
  • Tainted data detection and analysis: Analysis of the data flows from sources (i.e. interfaces) to syncs (where data gets used in a program) is critical in detecting potential vulnerabilities from tainted data. Any input, whether from a user interface or network connection, if used unchecked, is a potential security vulnerability.  Many attacks are mounted by feeding specially-crafted data into inputs, designed to subvert the behavior of the target system. Unless data is verified to be acceptable both in length and content, it can be used to trigger error conditions or worse. Code injection and data leakage are possible outcomes of these attacks, which can have serious consequences.
  • Third-party code assessment: Most projects are not greenfield development and require the use of existing code within a company or from a third party. Performing testing and dynamic analysis on a large existing codebase is hugely time consuming and may exceed the limits on the budget and schedule. Static analysis is particularly suited to analyzing large code bases and providing meaningful errors and warnings that indicate both security and quality issues. GrammaTech CodeSonar binary analysis can analyze binary-only libraries and provide similar reports as source analysis when source is not available. In addition, CodeSonar binary analysis can work in a mixed source and binary mode to detect errors in the usage of external binary libraries from the source code. 
  • Secure coding standard enforcement: Static analysis tools analyze source syntax and can be used to enforce coding standards. Various code security guidelines are available such as SEI CERT C and Microsoft's Secure Coding Guidelines. Coding standards are good practice because they prevent risky code from becoming future vulnerabilities. As mentioned above, integrating these checks into the build and configuration management system improves the quality and security of code in the product.

Dynamic versus static analysis in the context of the SDLC

Dynamic Application Security Testing (DAST): Dynamic testing tools all require program execution in order to generate useful results. Examples include unit testing tools, test coverage, memory analyzers, and penetration test tools. Test automation tools are important for reducing the testing load on the development team and, more importantly, detecting vulnerabilities that manual testing may miss.

Static Application Security Testing (SAST): Static analysis tools work by analyzing source code, bytecode (e,g, compiled Java), and binary executable code. No code is executed in static analysis, but rather the analysis is done by reasoning about the potential behavior of the code. Static analysis is relatively efficient at analyzing a codebase compared to dynamic analysis. Static analysis tools also analyze code paths that are untested by other methods and can trace execution and data paths through the code. Static analysis can be incorporated early during the development phase for analyzing existing, legacy, and third-party source and binaries before these codes are incorporated into your product. As new source is added, incremental analysis can be used in conjunction with configuration management to ensure quality and security throughout. Figure 2 shows the types of testing tool applied at different phases of the SDLC. Overlap is natural and both types of tools can and will be used even beyond product development into maintenance.Slide2.jpg

Figure 2: The application of various tool classes in the context of the software development lifecycle.

Although adopting any class of tools helps productivity, security, and quality, using a combination of these is recommended. No single class of tools is the silver bullet. The best approach is one that automates the use of a combination of tools from all categories, and that is based on a risk-based rationale for achieving high security within budget.


CONCLUSION:

Security is now a top-level concern in device software development. Designing security into the product at the early stages is critical to contain both the risk and cost of downstream security threats. Static analysis tools play an important part in complete software tools suite and help accelerate secure software development.


Interested in learning more? Read our Guide "Protecting Against Tainted Data in Embedded Applications with Static Analysis" here.

Read the Guide