Open In App

Automated Secure Code Review

Last Updated : 02 Nov, 2020
Improve
Improve
Like Article
Like
Save
Share
Report

Static application security testing (SAST) review source code of applications to identify security flaws that can make applications susceptible to breaches. It is considered as white box testing. SAST tools finds security flaws in an application (with lots of false positives) however it just serves as an aid for a cybersecurity analyst to help them zero in on security relevant areas of code so they can find vulnerabilities more efficiently.

How to perform Code Review Assessment via available SAST tools ?
Here we will be learning how to review reports generated by security assessment tools for code review. The report format is similar across various tools and we will discuss some main factors to be considered during assessment.

Vulnerabilities may exist in application due to insecure code, design or configuration. Automated security analysis can be carried on code to identify vulnerabilities through either of following two options :

  • Static code scanner scripts based on a pattern search (in-house and open source).
  • Static code analyzers (commercial and open source).

How SAST tools work ?
SAST tools examine code without attempting to execute it. They are integral part for Descopes strategies and hence a lot of research and POC is done to identify an apt tool for an organization.

Advantages of SAST tool :

  • Reduction in manual analysis efforts by an analyst.
  • Effective and efficient in identifying all the instances of a particular vulnerability.
  • Elaborate automated reporting format.

Disadvantage of SAST tool :

  • Business logic flaws remain undetected.
  • Security controls implemented in the application specific to its features and design are often undetected.
  • Great number of false positives are detected.

So anyone hoping that secure code checking can be automated completely by running SAST tool at end of build will be disappointed as there is still a deal of manual intervention required by security analysts.

While all tools almost have similar functionality, you should understand and work on any one tool and would be able to use any SAST tool. You can always find a guideline on how to use a particular tool on websites.

What to focus on analyzing the report generated from SAST tool?

  • Focus on vulnerability identified and on number of instances it is reported for. Vulnerability details, mitigation and references are always available in report for better understanding.
  • Always look through vulnerability graph to see what is source(entry point of vulnerability) and sink (vulnerability execution point) for better understanding.
    For eg : if we have input validation issue reported for a text box we need to see where value is being entered and where entered value will be executed. We need to check what values are allowed for this parameter and if we have validation in place or not. If validation is missing we will check if this value can execute as Cross-site scripting payload or will this value be stored in database and can act as SQL injection payload (there can be more scenarios related to it).Based on such analysis, vulnerability is marked as a false-positive or a true positive

  • After a vulnerability is identified assign severity based on CVSS. Severity provided by automated tools are generally incorrect and should be reviewed by a security analyst. Share reported vulnerability with developer suggesting them mitigation steps.

Generally automated tools generate a lot of false-positives so it is important for a Security Analyst to go through each instance of vulnerability being reported and verify. Due to high number of false positives, a security analyst intervention is always required for refining report and sharing true positives with developers.

Here is a list of some popular SAST tools that can be used for Secure Code Review Assessment :

Commercial Open-Source
Fortify Static Code Analyzer Reshift Security
Checkmarx CxSAST Brakeman
Coverity Scan Findbugs
Veracode JsHint
AppScan CodeWarrior


Similar Reads

Secure Code Review Assessment
What is Code Review? Developing robust and enterprise level applications is a time consuming task and making them completely secure is an impossible task. In reality, security is not about creating an impenetrable fortress but it is about managing and mitigating risk. Code review aims to identify security flaws in application related to its feature
3 min read
Manual Code Review : Security Assessment
Secure Code Review is code assessment for identifying security vulnerabilities at an early stage in development lifecycle. When used together with penetration testing(automated and manual), it can significantly improve security posture of an organization. This article does not discuss a process for performing a secure code review but discusses on t
3 min read
Benefits of Automated Cross-Browser Testing for Online Business
Any online business must make sure that their website is available to customers no matter the browser or operating system they are running. This, of course, means that they need to do a lot of testing to try and recreate thousands of possible combinations between the two. Now, you can either achieve that through manual simulations and never make su
4 min read
Advantages and Disadvantages of Automated Testing
Automated Testing is the technique for automating the manual testing process. In this process, manual testing is replaced by the collection of automated testing tools. Automated testing helps the software testers to check out the quality of the software. The mechanical aspects of the software testing task are automated by the automated testing. Adv
2 min read
Manual Testing vs Automated Testing
The article focuses on discussing the difference between Manual Testing and Automation Testing. Before proceeding with the difference between the two terminologies, let's discuss the terms in detail. What is Manual Testing?Manual testing is a type of testing in which we do not take the help of any tools (automation) to perform the testing. In this
6 min read
Difference between Software Inspection and Technical Review
1. Technical Review : In a review i.e. also known as technical review, a work product is especially examined for defects by several individuals other than the person who actually produced it. In this, work product is defined as an essential and important deliverable that is created during requirements, design, coding, or a testing phase of software
3 min read
Roles and Responsibilities in Review
Formal review generally provides various ways to improve quality, efficiency, and productivity of software development to simply recognize and solve their own issue and defects very early in software development process. At present, there are several organizations that are conducting reviews in all major aspects of their work along with requirement
3 min read
Software Review - Software Engineering
Software Review is a systematic inspection of software by one or more individuals who work together to find and resolve errors and defects in the software during the early stages of the Software Development Life Cycle (SDLC). A software review is an essential part of the Software Development Life Cycle (SDLC) that helps software engineers in valida
3 min read
Different Phases of Review Meeting
Review Meeting is one of important and essential forms of Formal Technical Review (FTR). FTR is usually effective when a little or small and particular part of overall software is under scrutiny i.e. Critical observation or examination. This meeting might contain some discussion related to defects or errors that are found, or some log of defects be
5 min read
Different Phases of Formal Review
Formal Review generally takes place in piecemeal approach that consists of six different steps that are essential. Formal review generally obeys formal process. It is also one of the most important and essential techniques required in static testing. Six steps are extremely essential as they allow team of developers simply to ensure and check softw
4 min read
Article Tags :