Why You Need to Perform Source Code Analysis
Developers are very good at writing applications that perform a diverse range of tasks and scale to almost any load.
However, we are not necessarily the best at finding fault with our own code, especially security vulnerabilities, and especially not in an automated way, which is essential when we deploy software several times a day.
Luckily, we don't have to do it all by hand, as source code analysis (or static analysis) tools take on much of that work for us.
What is Source Code Analysis?
If you’re not familiar with source code analysis, according to Techopedia, it is:
The automated testing of a program’s source code with the purpose of finding faults and fixing them before the application is sold or distributed.
These tools can find a range of application security issues, including, but not limited to, buffer overflows, SQL injection, cryptographic weaknesses, and cross-site scripting (XSS).
Given that they can be automated, they can:
- Be integrated into continuous integration (CI) and continuous deployment (CD) pipelines
- Provide us with an analysis scorecard
- Block a build, or allow it to pass so the software is built and shipped
That said, they’re not perfect, nor are they always a suitable replacement for human review. They cannot find every problem: some issues only arise when separate pieces of code are used together, or when the application runs against real data, which a static tool never sees. Secondly, they return false positives, because they judge each construct largely in isolation.
However, when they run regularly as part of code review, they remove a significant amount of effort from developers. As such, they’re a handy addition to any professional development toolchain, one that helps us progressively improve software security and software quality.
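To make concrete what such a tool does, and why it produces both false positives and findings it is unsure about, here is a toy single-file analyzer written for this post (an added example, not code from any of the tools discussed below). It scans a constructed, Rails-style Ruby source for string interpolation flowing into SQL and shell-command sinks, reports each hit with a line number, warning type and confidence, and marks as Weak any interpolation whose value it cannot trace back to request data. The `params`/`request`/`cookies` taint sources, the sink patterns and the confidence labels are assumptions chosen to mirror the kind of output a real scanner gives.

```ruby
# Added example for this post, not code from any tool it describes. A toy
# single-file "source code analyzer": it looks for string interpolation flowing
# into SQL and shell-command sinks, the pattern a real SAST tool reports as
# SQL Injection or Command Injection, and grades each hit by how directly
# request data reaches the sink. The Rails-style source below is constructed.

SAMPLE_SOURCE = <<~'RUBY'
  class UsersController < ApplicationController
    TABLE = "users"

    def search
      # Request data interpolated straight into SQL: a real finding.
      User.where("name = '#{params[:name]}'")
    end

    def export
      # Request data interpolated into a shell command: a real finding.
      `tar czf /tmp/#{params[:file]}.tgz /data`
    end

    def count
      # Interpolating a constant: safe, but a per-line tool still flags it (false positive).
      User.where("#{TABLE}.active = 1").count
    end

    def lookup(name)
      # Taint arrives via a method argument: a per-line tool cannot see it (reported as Weak).
      User.where("name = '#{name}'")
    end
  end
RUBY

Finding = Struct.new(:type, :line, :confidence, :code)

# Sink patterns: a dangerous call whose string argument contains "#{...}".
# "\#\{" is an escaped literal so the regex itself is not interpolated.
SINKS = {
  /\.(where|find_by_sql|order|pluck)\(\s*"[^"]*\#\{[^}]+\}/ => "SQL Injection",
  /`[^`]*\#\{[^}]+\}[^`]*`/                                => "Command Injection",
  /\bsystem\(\s*"[^"]*\#\{[^}]+\}/                         => "Command Injection",
}.freeze

# Assumed taint sources: anything coming off the HTTP request. Interpolating
# one of these is High confidence; any other interpolation is Weak, because
# this toy cannot follow a value back through method arguments or variables.
TAINT_SOURCES = /\#\{\s*(params|request|cookies)\b/

def analyze(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    SINKS.each do |pattern, type|
      next unless line.match?(pattern)
      confidence = line.match?(TAINT_SOURCES) ? "High" : "Weak"
      findings << Finding.new(type, lineno, confidence, line.strip)
    end
  end
  findings
end

# The findings a CI gate would act on if it dropped Weak results to cut noise.
def actionable(findings)
  findings.select { |f| f.confidence == "High" }
end

if $PROGRAM_NAME == __FILE__
  analyze(SAMPLE_SOURCE).each do |f|
    puts format("line %2d  %-4s  %-17s  %s", f.line, f.confidence, f.type, f.code)
  end
end
```

Running `analyze(SAMPLE_SOURCE)` returns four findings. Lines 6 and 11 are real, High-confidence injection bugs. Line 16 interpolates a constant and is a false positive the tool cannot tell apart from the real ones. Line 21 is a real bug whose tainted value arrives through a method argument, which this line-at-a-time approach can only report at Weak confidence; a gate that discards Weak findings to cut noise will discard that one too, which is exactly why human review still has a place.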
Source Code Analysis Tools
Now I’m going to introduce you to four different source code analysis tools, some open source, some commercial, which between them cover several languages and frameworks. At the end of the post, I’ll link to other tools and further reading, so that if the language or purpose of the tools covered isn’t what you need, you can hopefully find ones that are.
Let’s start off in a language-agnostic manner, with SonarLint. SonarLint is an open source code analyzer, or linter, that runs inside your editor and integrates with:
– IntelliJ IDEA
– Visual Studio
– Visual Studio (VS) Code; and
It flags problems in the file you are editing and can collate a more extensive list across the files in your current project. It provides meaningful explanations of the issues it’s found, so that they are easier to understand and correct.
The next tool is RIPS, by RIPSTech. RIPS is an exception to some of the other tools in this list, as it’s designed specifically for PHP. That may be a limitation if your organization uses a number of languages simultaneously.
However, if you use only a few, and PHP is the primary one, then you will benefit from having a tool built for that language.
It provides a detailed analysis of each issue found, whether in a single script or across the full source of a web application, including the standard the code violates, an assessed severity, and a professional description. From there, issues can be flagged and prioritized.
What’s more, it integrates directly with code editors and IDEs, including PhpStorm and Zend Server, as well as the following build servers and services: Jenkins, Bamboo, SonarQube, GitLab, Travis CI, and Drone.
Given that, it’s a very powerful and feature-rich tool for finding software faults in PHP applications.
Security Code Scan
Next up is Security Code Scan, which is a static code analyzer. Whereas RIPS is just for PHP, this tool is only for .NET.
However, given that Stack Overflow’s 2017 Developer Survey listed C# as the fourth most popular language, used by 34.1% of respondents, along with Microsoft’s massive market share, this shouldn’t be much of a limitation.
Security Code Scan can analyze both C# and Visual Basic .NET source code for a range of security vulnerabilities. These include:
– Injection vulnerabilities (SQL Injection, Cross Site Scripting (XSS), XPath Injection, and Path Traversal)
– Cryptographic weaknesses (weak hashing functions, cipher algorithms, and random number generation)
– Cross-Site Request Forgery (CSRF)
– Disabled event validation
– Open redirects; and
– Insecure deserialization
In addition to these analysis rules, it integrates with the standard build tools for Microsoft projects, including MSBuild, and with Visual Studio Community, Professional, and Enterprise.
If you’re looking for a tool to analyze your .NET software quickly and efficiently, then give Security Code Scan a try.
We’ll finish up by looking at Brakeman. Quoting the official documentation, Brakeman is:
A security scanner for Ruby on Rails (RoR) applications.
Being specific to RoR applications allows it to be highly tailored to the conventions and common vulnerabilities of that framework. As a result, its scans are fast, and each warning carries a confidence level (High, Medium, or Weak) that reflects how directly user input reaches the dangerous call, which is what lets you triage its output sensibly.
Brakeman can scan for a number of the commonly expected vulnerabilities, including:
– Command injection
– Cross-Site Request Forgery (CSRF)
– Cross Site Scripting (XSS)
– File access
– Session manipulation
– SQL injection
– Unsafe deserialization
– Remote code execution; and
– Information disclosure
Also, it checks RoR configuration settings against best practices. As for build server integrations, it works with the Hudson and Jenkins build servers via plugins.
Moreover, it was designed from the start as a command-line application that exits with a non-zero status when it finds warnings, so it also works with almost any other tool or service you could imagine. These include Travis CI, CircleCI, Codeship, and CloudBees, amongst others.
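As an added example of the CI gating described earlier in the post, and not code from Brakeman or from the original article, here is a small Ruby gate that consumes a report in the shape Brakeman emits with `brakeman -f json`: a `warnings` array whose entries carry `warning_type`, `confidence`, `file`, `line`, `message` and a stable `fingerprint`. The report contents, the ignored fingerprint list (which in a real project lives in `config/brakeman.ignore`), and the shape of the `errors` entries are constructed for the example.

```ruby
require "json"

# Added example, not code from Brakeman or from the post. A CI gate that reads
# a Brakeman-style JSON report and decides whether the build may proceed.
# The report below is constructed in the shape of `brakeman -f json` output;
# every value in it is made up for the example.
SAMPLE_REPORT = <<~JSON
  {
    "scan_info": { "app_path": "/app", "brakeman_version": "5.4.1" },
    "warnings": [
      { "warning_type": "SQL Injection", "confidence": "High",
        "file": "app/controllers/users_controller.rb", "line": 6,
        "message": "Possible SQL injection",
        "fingerprint": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" },
      { "warning_type": "Cross-Site Scripting", "confidence": "Medium",
        "file": "app/views/users/show.html.erb", "line": 12,
        "message": "Unescaped model attribute",
        "fingerprint": "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210" },
      { "warning_type": "Mass Assignment", "confidence": "Weak",
        "file": "app/controllers/admin_controller.rb", "line": 30,
        "message": "Potentially dangerous attribute available for mass assignment",
        "fingerprint": "1111111111111111111111111111111111111111111111111111111111111111" }
    ],
    "errors": []
  }
JSON

# Fingerprints a reviewer has already triaged as false positives. Brakeman
# keeps this list in config/brakeman.ignore; it is inlined here (constructed).
IGNORED_FINGERPRINTS = [
  "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210",
].freeze

CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Warnings that should block the build: at or above the minimum confidence and
# not on the triaged ignore list. Unknown confidence values rank as 0.
def blocking_warnings(report_json, min_confidence: "Medium", ignored: IGNORED_FINGERPRINTS)
  report = JSON.parse(report_json)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report.fetch("warnings").select do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold &&
      !ignored.include?(w["fingerprint"])
  end
end

# Scan errors mean part of the code base was never analyzed; a gate must not
# read an incomplete scan as a clean one. The "error" key is assumed here.
def scan_errors(report_json)
  JSON.parse(report_json).fetch("errors", [])
end

# Exit status for the CI step: 0 = build may proceed, 1 = blocked.
def gate(report_json, min_confidence: "Medium", ignored: IGNORED_FINGERPRINTS)
  blocking = blocking_warnings(report_json, min_confidence: min_confidence, ignored: ignored)
  errors = scan_errors(report_json)
  blocking.each do |w|
    warn "#{w['file']}:#{w['line']} [#{w['confidence']}] #{w['warning_type']}: #{w['message']}"
  end
  errors.each { |e| warn "scan error: #{e['error']}" }
  (blocking.empty? && errors.empty?) ? 0 : 1
end

if $PROGRAM_NAME == __FILE__
  status = gate(SAMPLE_REPORT)
  puts(status.zero? ? "build allowed" : "build blocked")
end
```

In a pipeline you would run `brakeman -f json -o report.json`, hand the file contents to `gate`, and `exit` with its return value. The gate blocks on High and Medium findings by default, skips fingerprints a reviewer has already triaged so that known false positives do not keep failing builds, and never treats scan errors as a pass, since a scanner that gave up on a file has not analyzed it.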
So if you’re looking for a scanner tailor-made for scanning Ruby on Rails applications, then Brakeman is an excellent first choice.
That’s been a rapid introduction to source code analysis, otherwise known as static code analysis. We’ve looked at what it is, why it’s an excellent tool for uncovering security flaws, and we’ve had a bird’s eye view of four excellent static analysis tools, some commercial and some open source. We’ve also learned that, while excellent, they can return false positives. So they’re not a complete replacement for human analysis.
If you would like to know more, check out any of the links in the article, or any of the links in the further reading section below. If you’ve not tried it before and would like to see if source code analysis is a fit for your organization, sign up for a 30-day free trial at Codacy.