Indian organizations are well aware of the importance of 'black box-based' dynamic analysis of applications and the environments in which they function. While certain types of dynamic analysis like vulnerability assessment and penetration testing (VA/PT) hog the limelight, the less glamorous static code analysis often gets ignored. However, dynamic analysis falls short of what static analysis can achieve in certain aspects.
Static code analysis advantages
Static analysis involves going through the source code of an application to determine issues in security, logic and so forth. Having access to the source code enables insights never possible in a black box test.
Some organizations today are also considering a hybrid approach, identifying vulnerabilities in the code through static code analysis and then confirming them through dynamic testing. Both dynamic and static analysis serve different purposes—neither should be underestimated. Static analysis enjoys several benefits not available to dynamic testers.
- Source code availability: The biggest advantage in static code analysis is that the entire source code is available. This implies that one has complete, end-to-end coverage, enabling comprehensive code testing and the ability to remediate specific problem areas within the application itself.
- Weak function analysis: In a particular programming language, static code analysis can identify use of functions prone to security issues and problematic methods of programming. For instance, when looking at vulnerabilities such as SQL injections, dynamic analysis tests involve external inputs and observation of subsequent results. However, in static code analysis it is possible to filter out just those lines of code dealing with the database interaction. This can help ascertain the methods used to secure the function, and weed out function/library related vulnerabilities.
- Storage of sensitive data: A pen-tester cannot directly determine how an application stores sensitive data — for instance, how usernames and passwords are stored and encrypted. However, by examining the source code one can ascertain where crypto-related functions are being called, which hashing mechanisms are employed, and so on.
- Specific code oversight: Static code testing makes it possible to target specific areas of code to tackle various issues with logic and security. Consider a shopping application that generates discount numbers against user accounts. A pen-tester can only know that such a feature exists; a code analyzer, however, can zero in on that section of code and analyze it threadbare, to determine if the logic can be influenced or exploited externally.
- View into backend processes: Applications today are designed to interact with external systems and services at the back end; something that a pen-tester/user cannot determine. To determine what external calls are being made, and whether this communication happens securely, it is essential to review the application code itself through static analysis.
Static vs. dynamic code analysis
Of course, dynamic testing’s biggest advantage is that source code needn’t be revealed. For instance, an organization doesn’t have to give out source code when contracting a consulting firm to undertake a dynamic testing exercise. Even within software development companies, the development and testing teams are usually separate, with strict restrictions on sharing source code.
With dynamic testing, it is possible to confirm the existence of vulnerabilities. For example, if the tester feels an authentication bypass is possible, it can be verified by attempting it. In static code analysis you are not running the code, simply analyzing it. Static analysis can only hint at the occurrence of a vulnerability, not confirm it. While static code analysis would have to presume the app running in diverse environments, a dynamic test can leverage the advantage of actually knowing the environment the app executes in.
While theoretically it should be possible to do black box testing on source code, it is not a trivial task. Entire teams are required to take source code and deploy it. Dynamic analysis is also preferred for identifying logical issues during execution. It would be extremely difficult to get the big picture without actually executing the application.
Static code analysis costs more than a regular dynamic test, may take longer and require a dedicated team. Specialist firms also tend to charge more for code analysis. For an organization, the major cost internally comes from maintaining internal teams specializing in code analysis. It is a lot easier to hire pen-testers than source code analyzers, who are hard to come by. A code analyzer needs to be a good programmer and such people usually prefer to stick to development roles. Pen-testing does not require one to necessarily be a great programmer, and is a relatively easier skill-set to acquire. Static code analyzers themselves form a major part of the cost.
About the author: Lavakumar Kuppan is the author of IronWASP, an advanced Web security testing platform. He has also authored multiple other security tools like 'Shell of the Future', JS-Recon, Imposter and the HTLM5 based distributed computing system—Ravan. As a security researcher, Lavakumar has discovered novel attacks that include a sandbox bypass on Flash Player, WAF bypass technique using HTTP parameter pollution, multiple HTML5 attacks and a CSRF protection bypass technique using CickJacking & HPP. His research and tools are available at the Attack and Defense Labs website.
(As told to Varun Haran)