Performing a Security Audit with CodeSonarFebruary 5, 2015 Tweet
Inspired by a recent demonstration to a CodeSonar customer, I helped put together a 7-minute video on performing security audits with CodeSonar.
Yes, I know what you're thinking... "7 minutes is awfully short for a big topic like auditing software for security issues."
Or maybe: "Is this like one of those 'Teach Yourself C++ in 15 Minutes' books???"
So yes, we're assuming you know a bit about software security, and that you also care a bit about the security of your software. Hopefully, you know a bit about software analysis tools as well; maybe you've used valgrind, or FindBugs, or something more powerful (like CodeSonar). You know that these tools report possible bugs, you know that they are sometimes wrong, and you also know that they can find bugs that you wouldn't find otherwise.
We're also assuming you know a bit about tainted data and your program's attack surface. If you are unfamiliar with taint analysis, I recommend reading this whitepaper: Protecting Against Tainted Data in Embedded Apps with Static Analysis. Simply put, taint analysis is used to discover the ways that potentially hazardous inputs (tainted data) can flow through a program to reach sensitive parts of code. The whitepaper goes into much more detail, describing taint sources and taint sinks, and will also help get you more familiar with the concept of a program's "attack surface."
So this video isn't so much a tutorial but a quick-start guide. It attempts to answer questions you might have about using static analysis to ensure software security. Questions like:
- "Where do I start looking in my code?"
- "How do I prioritize the bug reports that I have?"
- "How do I dig deeper into a potential security bug issue to see if it can really be exploited?"
CodeSonar has a lot of features designed specifically to answer these questions. It also provides advanced visual taint analysis for flagging and visualizing user input. Your "attack surface" becomes something concrete you can look at and interact with, not just a buzzword with no relation to your code.