C and C++ are two of the most widely used programming languages and both are prone to dangerous flaws because of unpredictable behavior, which is difficult to avoid with many code constructs. Combining potentially dangerous code and the high-pressure world of software development, the risks of creating new security vulnerabilities exist with each new function bug fix or refactoring. Eliminating code flaws requires both flagging poor programming practices (often referred to as “code smells”) and detecting existing bugs in code already written.
Static analysis tools can provide both a relatively superficial analysis that flags poor programming practices and violations of coding standards. However, more sophisticated tools analyze a program’s computation using a combined dataflow and symbolic execution analysis. This approach identifies more potential flaws and security vulnerabilities, enabling developers to produce software that is of higher quality. Teams that choose a tool with advanced defect presentation features like visualization (based on data collected during flow analysis) are better able to understand the implications of code weaknesses.
How Static Analysis Works
Static (source code) analysis tools are designed to look for bugs, poor coding practices, potential security vulnerabilities and coding standard compliance. Like a compiler, a static analysis tool does a build of your code using your existing build environment, but instead of creating object code, it creates an abstract model of your entire program. From the derived model, the tool’s symbolic execution engine explores program paths, reasoning about program variables, and how they relate. Advanced theorem-proving technology prunes infeasible program paths from the exploration.
INSERT IMAGE
Checkers perform static code analysis to find common defects, violations of policies, etc. Checkers operate by traversing or querying the model, looking for particular properties or patterns that indicate defects.
What separates more sophisticated tools is the symbolic execution techniques that explore paths through a control-flow graph, the data structure representing paths that might be traversed by a program during its execution. When the path exploration notices an anomaly, a warning is generated.
An astronomical number of combinations of circumstances must be modeled and explored, so advanced tools must employ a variety of strategies to ensure scalability. For example, procedure summaries are refined and compacted during the analysis, and paths are explored in an order that minimizes paging.
GrammaTech CodeSonar employs a unified dataflow and symbolic execution analysis that examines the computation of the complete application. By not relying on pattern matching or similar approximations, the CodeSonar static analysis engine is extraordinarily deep, finding three to five times more defects on average than other static analysis tools.
SAST tools can be integrated into a team’s development process at any time with ease. SAST technologies like CodeSonar simply attach to your existing build environments to add analysis information to your verification process.
Breadth vs Depth in SAST Analysis
The “breath of analysis for SAST tools refers to the number of different security vulnerabilities, insecure coding practices, and bad “code smells” it searches for. In most cases, SAST tools overlap with general static analysis tools, looking for all sorts of poor programming practices, not always related to security but quality in general.
Depth of analysis refers to how much “digging” is done to track down the root cause of a detected bug or vulnerability. Depth of analysis comes from sophisticated algorithms, such as those described above for CodeSonar, which ensure better precision of detection and important trace information to help fix the issues.
It is important for static application security testing (SAST) tools to have both breadth and depth of analysis for several reasons, including:
- Comprehensive Coverage: By having a breadth of analysis, SAST tools can cover a large number of potential bugs and vulnerabilities across various programming languages and frameworks. This ensures that a wide range of security issues can be identified, including common insecure programming practices and early detection of vulnerabilities such as injection attacks, cross-site scripting (XSS), insecure direct object references, and more.
- Compliance and Risk Mitigation: Organizations often need to comply with industry standards, including secure coding standards, which enshrine security best practices. SAST tools with broad analysis capabilities ensure that applications meet these requirements but also provide early detection of dangerous bugs that can turn into vulnerabilities. The breadth and depth of analysis cover the gamut of compliance requirements.
- Precision: While breadth of analysis helps identify a wide range of issues, depth of analysis provides a more thorough examination of code. Deep code analysis enables SAST tools to provide more accurate and precise results, reducing false positives and false negatives. Developers can then focus their efforts on addressing genuine security concerns rather than sifting through irrelevant or erroneous findings.
The combination of breadth and depth of analysis in SAST tools is crucial for comprehensive coverage of security issues. With the addition of a deep understanding of code, SAST tools are vital for enhancing the security of software applications throughout their lifecycle.
Why Depth Matters
The breadth of coverage is important to make sure the most critical security issues are covered. However, breadth can lead to an overwhelming number of warnings to sift through. The depth of analysis, particularly through the use of abstract interpretation with control and data flow analysis, provides more precise warnings for critical defects that need to be addressed. Depth matters for improved security for several reasons, including:
Uncovering Complex Bugs and Vulnerabilities: Abstract interpretation with control and data flow analysis allows SAST tools to perform a more detailed examination of code, revealing complex bugs and vulnerabilities that may not be easily detectable through other analysis techniques, including active testing like unit and integration testing. By analyzing the control flow and data dependencies within the code, these tools can identify subtle issues that may lead to security vulnerabilities, such as path-sensitive vulnerabilities or data leaks.
Path Exploration: Deep analysis explores paths within the code, enabling the identification of potential security flaws that arise due to specific combinations of control flow and data values. This capability helps detect issues that occur under specific, potentially rare conditions or as a result of certain program behaviors. These are conditions that can be missed during testing and inspections. Tools like CodeSonar highlight bugs like these within the UI since they are usually high-impact bugs or vulnerabilities.
Act Like a Compiler: Advanced SAST tools like CodeSonar integrate with numerous compiler hosts and embedded cross compilers to both integrate seamlessly into the build environment but also, critically, ensure source code is processed in an identical manner. This included compiler directives, macros, include files, etc. By analyzing the entire scope of the source code, the results are more precise.
Reduce false positives and false negatives: By modeling the flow of information and analyzing how it propagates through the code, SAST tools can identify potential sources of security vulnerabilities with more precision since root causes are found and evaluated. Higher precision reduces false positives (warnings that turn out not to be vulnerabilities) and false negatives (missed vulnerabilities), ensuring that the identified issues are genuine security concerns that require attention.
Advanced Vulnerability Detection: Certain types of vulnerabilities, such as data leaks, race conditions, or security flaws arising from complex control flow and only arising through certain runtime conditions, may require a deeper understanding of the code structure and its interactions. Abstract interpretation with control and data flow analysis enables SAST tools to capture these nuances and identify vulnerabilities that are difficult to detect through other means.
In order to detect complex bugs and vulnerabilities, depth of analysis, particularly through abstract interpretation with control and data flow analysis, is crucial for SAST tools. While breadth is important for coverage of security flaws, depth of analysis is important for finding vulnerabilities that can slip through active testing.
Prevention and Detection are Key to Unlocking the Value of SAST
SAST tools that support both the prevention of security vulnerabilities and the early detection of hidden vulnerabilities in developed code provide the most value to development teams.
Early detection of security issues by SAST tools helps prevent the propagation of vulnerabilities throughout the codebase. By identifying and addressing vulnerabilities at the source, developers can prevent the spread of security flaws to other parts of the application or related components. This early containment of vulnerabilities not only significantly reduces the likelihood of security breaches and exploitation in the future but also greatly reduces the economic impact of these vulnerabilities on the organization.
Prevention through the breadth of coverage with techniques like secure coding standards compliance prevents whole classes of vulnerabilities. This early prevention when it’s easy and cheap to do so—as it’s being developed—is an important way to improve overall security posture. Coverage of all sorts of security standards, like SEI CERT C and C++, and various poor security practices outlined in the OWASP Top 10 or the CWE Top 25, should be standard for SAST tool detection. However, this coverage should be augmented with powerful detection techniques enabled by deep analysis.
SAST tools provide developers with rapid feedback on potential security issues. This immediate feedback loop encourages developers to address vulnerabilities as they write code or during the code review process. Developers can adopt a proactive approach to security and make necessary adjustments, reducing the chances of introducing vulnerabilities into the application’s codebase.
The Benefits of Deep Analysis in SAST Tools
So, there’s a strong case for both breadth of coverage and depth of analysis; what are the benefits to a software organization? Of course, early detection and a shift left in security analysis are powerful tools to improve security. The combination of early detection and on-going prevention of vulnerabilities significantly enhances the overall security posture of the application. Improved approaches, like using SAST and other security tools in general, improve the security posture of the development organization as well. This comprehensive approach helps developers address potential vulnerabilities comprehensively and ensures that the application is fortified against both common and sophisticated attacks.
Additionally, early detection and identification of complex vulnerabilities saves time and effort in the software development process. By providing developers with actionable insights, advanced SAST tools like CodeSonar streamline the security review process and enable efficient remediation of vulnerabilities. This efficiency translates into faster development cycles, reduced testing and debugging efforts, and a more secure application overall.
