Closing the Back Door through Code Analysis

by Jonathan Bloom

Have you performed code analysis on your software recently? If not, you are in good company: many companies are failing to do the one thing that could most improve their software security, which is making sure the software is not vulnerable to attack in the first place.

In a recent contribution to Forbes.com, James Lyne, Global Head of Security Research for Sophos, takes to task the many organizations that have characterized recent breaches of their security as “sophisticated attacks” or “an APT, or Advanced Persistent Threat.” He points out that in many of these cases the claim of sophistication is just face-saving by companies unwilling to admit that they left an open gateway through which attackers could walk in…or, as he put it, “it certainly sounds better than ‘we got hacked, we had a file called passwords.txt. Oops!’”

He goes on to point out that, “There is no 100% in security, but the sad reality is many organizations being breached are failing to implement basic security controls and are trampled by entirely preventable malicious code.”

His analysis is truer than one would care to think.

A great many security breaches share a common root: an application defect that gave the attacker a way in. Had that defect not existed, an attack that slipped past the “human” layer of defense (a phished credential, a weak password, a misconfigured server) would likely have found nothing to exploit once inside.

Evaluating an application for structural quality defects is critical because these defects are hard to find through standard functional testing: the application behaves correctly on the inputs a tester expects, and the flaw surfaces only when an attacker supplies input the code was never written to handle. Yet these are precisely the defects most likely to be turned into a breach by an unauthorized user.
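To make the point concrete, here is an added example (not code from the original post or from CAST) of the kind of check a static analyzer performs. It embeds a constructed sample module with three hypothetical lookup functions, `find_user_unsafe`, `find_user_fmt` and `find_user_safe`: all three return the same rows for a well-formed username, so a conventional unit test passes every one of them, but an AST scan for `execute()` calls whose query text is assembled at run time flags the two that concatenate user input into SQL. A final helper shows the defect only becoming visible under hostile input.

```python
"""Minimal static check for SQL assembled by string formatting.

Added example: the three functions in SAMPLE_SOURCE are constructed for
illustration and are not from the post or from any CAST product.
"""
import ast
import sqlite3

# Constructed sample code (hypothetical names). Both unsafe variants and the
# safe one return identical rows for a benign username, so an ordinary
# functional test cannot tell them apart.
SAMPLE_SOURCE = '''
def find_user_unsafe(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id, name FROM users WHERE name = '" + username + "'")
    return cur.fetchall()

def find_user_fmt(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id, name FROM users WHERE name = '%s'" % username)
    return cur.fetchall()

def find_user_safe(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id, name FROM users WHERE name = ?", (username,))
    return cur.fetchall()
'''


def _is_dynamic_string(node):
    """True if the expression builds its string at run time from parts."""
    if isinstance(node, ast.JoinedStr):                       # f"...{x}..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x  /  "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...".format(x)
    return False


def find_dynamic_queries(source):
    """Return [(function_name, lineno)] for every .execute()/.executemany()
    call whose first argument is assembled at run time rather than a constant."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr in ("execute", "executemany")
                    and node.args
                    and _is_dynamic_string(node.args[0])):
                findings.append((func.name, node.lineno))
    return findings


def _load_with_db(source):
    """Execute the sample module and give it an in-memory table to query."""
    ns = {}
    exec(source, ns)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return ns, conn


def functional_test_passes(source):
    """'Standard testing': every variant returns the expected row for a
    benign username, so the unit test is green for all three."""
    ns, conn = _load_with_db(source)
    expected = [(1, "alice")]
    return all(ns[f](conn, "alice") == expected
               for f in ("find_user_unsafe", "find_user_fmt", "find_user_safe"))


def injection_changes_result(source):
    """The defect shows only on hostile input: a crafted username makes the
    unsafe variant dump every row while the parameterised one returns none.
    Returns (rows_from_unsafe, rows_from_safe)."""
    ns, conn = _load_with_db(source)
    payload = "x' OR '1'='1"
    return (len(ns["find_user_unsafe"](conn, payload)),
            len(ns["find_user_safe"](conn, payload)))


if __name__ == "__main__":
    print("functional test passes for all variants:", functional_test_passes(SAMPLE_SOURCE))
    print("static analysis findings (function, line):", find_dynamic_queries(SAMPLE_SOURCE))
    print("rows returned (unsafe, safe) for injection payload:",
          injection_changes_result(SAMPLE_SOURCE))
```

The analyzer never runs the code under test; it reasons about its structure, which is why it can flag `find_user_unsafe` and `find_user_fmt` even though no test input exercised the flaw. Real SAST tools apply the same idea with taint tracking across calls and files, but the contrast is the same: the functional test is green for all three functions, and only the structural check separates them.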

A company that is serious about preventing a breach should start by running code analysis across the applications in its IT estate to find which of them carry structural quality issues that could serve as the breaching point (or points). Historically, most companies have avoided doing this because the only options were manual code review, which is slow, expensive and inconsistent in what it catches, or comprehensive analysis platforms that only large enterprises could afford.

Today, however, automated analysis and measurement tools are offered as Software as a Service (SaaS), which makes code analysis cost-effective and far easier to apply across an entire IT system. With these SaaS tools available, finding vulnerabilities should move up the priority list to before a breach happens rather than after.

Jonathan Bloom, Writer, Blogger & PR Consultant
Jonathan is an experienced writer with over 20 years writing about the Technology industry. Jon has written more than 750 journal and magazine articles, blogs and other materials that have been published throughout the U.S. and Canada. He has expertise in a wide range of subjects within the IT industry including software development, enterprise software, mobile, database, security, BI, SaaS/Cloud, Health Care IT and Sustainable Technology. In his free time, Jon enjoys attending sporting events, cooking, studying American history and listening to Bruce Springsteen music.