How Application Security can prevent exploits in your code
For an outside cybercriminal to steal data, he or she first has to gain access to a network. This could be physical access: being at a location with a connection point to the network, or sitting directly at a computer on it. That still happens, but nowadays it is rare. Far more common are two other means of gaining access: phishing attacks and exploits.
An exploit takes advantage of a software security vulnerability: a flaw in the code of an operating system or an application that makes it possible for an attacker to access other parts of the system, gain administrator privileges, or deploy further tools to extend their reach into the system. Nowadays operating systems, office applications and internet browsers receive updates almost weekly, because new software vulnerabilities are discovered almost daily and must be patched.
Today's environment differs greatly from the mainframe or early PC era in one way: we use many more applications that were not written by large computer vendors or global software companies like Microsoft. Many of them are developed in-house, that is by the companies themselves, by hired development studios, or by one of thousands of smaller software development teams. Popular mobile applications are sometimes written by a single person. The term application has also broadened to cover smaller tools, web applications and SaaS services.
The fastest and cheapest way to prevent exploits is to discover the vulnerabilities in the source code and fix them before the application goes into production. Later it is harder, and the cost of remediation or damage grows exponentially. But development teams usually have no trained engineers specialized in security analysis; there is nobody whose job is to search for vulnerabilities and recommend changes. Developers don't have time for that either: modern DevOps teams must release multiple new application versions, often daily.
But application security testing can be automated. Two well-known brands are Checkmarx and Micro Focus Fortify. These are tools or services that scan source code in many languages, integrate with scripting code or application servers, and in some cases monitor running applications. Some also integrate with (web) application firewalls. They maintain databases of hundreds of source code vulnerability classes, detect them in source code, and recommend changes to remove them. They do this not by searching for fixed code patterns but by following data from input through processing to output, tracking variable and memory usage, library and function calls, argument passing, and so on. They find many more vulnerabilities, much faster, than a team of security analysts could.
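The data-flow approach just described, as an added illustration that is not part of the original post and not how Checkmarx or Fortify are implemented: a minimal taint tracker over Python's `ast` module that follows values from an input source through variables and method calls to a command or SQL sink, and treats `shlex.quote` as a sanitizer. The source, sink and sanitizer tables and the sample program are constructed for this example.

```python
import ast
# Added example: a tiny taint-flow checker. Untrusted data from SOURCES is followed
# through assignments to SINKS; SANITIZERS clear it. All three tables are assumed.
SOURCES = {"input"}
SINKS = {"os.system": 0, "cursor.execute": 0}   # call name -> index of the argument that must be clean
SANITIZERS = {"shlex.quote"}

def _name(node):
    # Dotted name of a call target such as "os.system"; None for anything else.
    if isinstance(node, ast.Name):
        return node.id
    base = _name(node.value) if isinstance(node, ast.Attribute) else None
    return f"{base}.{node.attr}" if base else None

def is_tainted(expr, tainted):
    # True if any sub-expression is a source call or reads a tainted variable.
    if isinstance(expr, ast.Call) and _name(expr.func) in SANITIZERS:
        return False                               # sanitizer output is treated as clean
    if isinstance(expr, ast.Call) and _name(expr.func) in SOURCES:
        return True
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def find_flows(source_code):
    # Returns [(line, sink)] for every sink call whose argument carries taint.
    findings, tainted = [], set()
    def visit(stmts):
        for st in stmts:
            if hasattr(st, "body"):                # def/if/for/while: descend, branch-insensitively
                visit(st.body); visit(getattr(st, "orelse", []))
                continue
            if isinstance(st, ast.Assign) and isinstance(st.targets[0], ast.Name):
                (tainted.add if is_tainted(st.value, tainted) else tainted.discard)(st.targets[0].id)
            for call in (n for n in ast.walk(st) if isinstance(n, ast.Call)):
                idx = SINKS.get(_name(call.func))
                if idx is not None and len(call.args) > idx and is_tainted(call.args[idx], tainted):
                    findings.append((st.lineno, _name(call.func)))
    visit(ast.parse(source_code).body)
    return findings

# Constructed sample program: two flagged flows (lines 5 and 9), two clean sink calls.
SAMPLE = """import os, shlex
user = input("host: ")
os.system("ping -c 1 " + shlex.quote(user))     # clean: sanitized before the sink
cmd = "ping -c 1 " + user.strip()
os.system(cmd)                                  # flagged: taint reaches the sink via cmd
cmd = "uptime"
os.system(cmd)                                  # clean: cmd was overwritten with a constant
def lookup(cursor):
    cursor.execute("SELECT * FROM h WHERE n='%s'" % user)   # flagged: user is still tainted
"""
```

`find_flows(SAMPLE)` returns `[(5, 'os.system'), (9, 'cursor.execute')]`; a pattern search for the string `os.system(` would have reported all three calls, including the two harmless ones.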