The relevance of static code testing to organizations today cannot be overstated. Indian companies are increasingly realizing that identifying and fixing bugs and issues in software right at the outset, in the coding phase itself, is exponentially cheaper than patching a live production environment; an acknowledgment that is resulting in static code analysis tools making their presence felt in the Indian market.
While black-box or 'dynamic' testing tools and methods help identify issues in a live runtime environment, they have no way of examining the source code to pinpoint the lines or sections of code that are causing the problem. That's where static analysis tools, which help determine defects and vulnerabilities within the software code but without executing that code, come into the picture. Both types of analysis are required to ensure robust application security.
Dynamic and static software testing doctrines
Black-box testing is considered by some to be more obscure than a static code review. "You will get much more bang for your buck from a code review tool than from a black-box tool," says K. K. Mookhey, founder and principal consultant at NII Consulting, India.
A multi-pronged approach is recommended for strong application security, says Mookhey. Tools available in the market today provide features supporting both dynamic and static testing, and there has been some amount of consolidation with most vendors amalgamating both these functionalities into their tools.
Static analysis tools are generally procured by companies that are involved in software development, given that they already have the source code available on hand. 'There is a very clear cost-benefit emerging, since the process becomes a part of the development life cycle," says Mookhey. However, static analysis is also becoming relevant to companies planning to develop in-house software — either internally or by outsourcing.
Static analysis tools in India
According to Rohan Patil, manager for risk and security services at Vista Infosec, "Indian firms today increasingly request both VA/PT and code review for in-house apps." While Indian companies might not always acquire the tools themselves, subscribing to static analysis as a managed service is gaining popularity. Patil says that Indian companies are amenable to sharing the source code as long as confidentiality is assured (under non-disclosure agreements and contractual clauses).
Most static analysis tools in the market cover just about all programming languages that one might use today. The USP for each then becomes the familiarity and comfort with the operator/vendor, and any unique features that sweeten the deal.
Further, with each static analysis tool, the extent and manner in which false positives (code wrongly tagged as a vulnerability) are identified and remediated differs. Given that many organizations today use customized frameworks and methods for coding, a significant amount of hand-holding is required for every static analyzer. As long as the coders stick to standard frameworks and methods of coding, it's possible to expect good results from a static analysis tool in the standard configuration.
The reporting/recommendation mechanism in static analysis tools also differs. While some may merely provide straight reports, others link to knowledge-base articles. Some may even offer concise recommendations on how to rewrite the code. Other features to consider when evaluating static code analysis tools include how well the solution integrates with the development platform/environment, the internal knowledge-base, and, of course, pricing.
Here's a brief look at some static analysis tools popular with Indian companies:
Checkmarx is the tool of choice for many a security tester and owes this not only to its level of accuracy, but also its capability to handle large chunks of code. Checkmarx supports a wide range of analyzed languages and has excellent false positive remediation.
Checkmarx comes with LDAP integration and role-based access and also provides compliance coverage for PCI DSS and HIPAA.
Priced between Rs. 8-13 lakh (around $25,000), Checkmarx also partners with security solutions providers who are authorized to provide it as a managed service.
Figure 1. Checkmarx user interface. [Pic courtesy Checkmarx]
Veracode is a completely cloud-based solution. The code scan is done on Veracode servers, received and scanned in the binary format ensuring an inability to recompile the code. Veracode is reputed to be highly accurate in its reports, with false positive remediation performed in its own environment. This static analysis tool also works with EXEs, DLLs and compiled code. A subscription to Veracode's service obtains access to the entire product suite online, with no local installation of software or hardware required.
One disadvantage with Veracode is that it cannot be used on the fly, as with a local static code analyzer in your development environment. Veracode makes good sense if you are looking for a service and don't have a very large app-sec environment.
3. IBM Security AppScan
One of the most powerful static code analysis suites available in the market today, IBM's Security AppScan product family (formerly IBM Rational AppScan) offers both dynamic and static testing capabilities. AppScan has formidable bug finding and false positive remediation capabilities. The reporting console correlates the results of dynamic and static tests.
AppScan supports nearly all languages, but demands a level of expertise, suffering from a steep learning curve, according to users. AppScan is known to integrate well with different development platforms and is a good bet if you are already subscribed to IBM's Rational application lifecycle management solutions, since this might net you significant discounts.
Figure 2. AppScan. [Pic courtesy Owasp.org]
4. Armorize CodeSecure
Starting as a niche player, Armorize was originally an appliance based solution but is offered today as on-premises licensed software. A Web-based solution is also available. Armorize's engine incorporates WAF and a malware alerting and monitoring service. User feedback indicates that Armorize's false positive mitigation is effective, albeit tricky, while the reports are crisp and legible. Armorize has a very strong focus on security and static code analysis of Web applications. According to industry sources, Armorize costs close to Rs 4 Lakh ($ 7000), a price-point much below most of the leading solutions on the market today.
Figure 3. Armorize CodeSecure. [Pic courtesy Owasp.org]
5. HP Fortify
Another leader in the static analysis tools space, Fortify was acquired by HP in 2010 and has since replaced HP's DevInspect static analysis product. Fortify offers innovative features such as runtime software protection for vulnerable sections of cde, and tools like program trace analyzer that analyzes the logic flow to determine if additional controls are required.
Fortify integrates with most SLC platforms and offers the largest number of analyzed languages in the market today. The Fortify suite offers static and dynamic analysis and correlation features. Fortify is apparently the most expensive solution on the market; however, industry sources state that HP's pricing model is negotiable.