Manage Learn to apply best practices and optimize your operations.

Reviewing applications for security: Code review best practices

Developing secure application code isn’t easy. David Jacobs outlines best practices for keeping customers’ applications secure.

Developing secure application code isn’t easy. Subtle errors can easily create opportunities for malicious hackers, specifically application attacks that result in expensive repairs or embarrassing releases of confidential data.

Opportunities in secure application development
Solution providers, such as VARs, channel partners and software consultants, can help their customers reduce application vulnerabilities by providing valuable technical expertise and consulting assistance to address a number of issues. Here are a few bullet points that may help elucidate customer issue :

Just because an application’s code was deemed secure when it was deployed doesn’t mean it will remain secure.

David Jacobs

  • Customers often lack experience and expertise in secure code development.  It’s hard to find programmers with experience in secure development techniques, and those coming out of college into the workforce often aren’t trained in secure application coding. Typically, a computer science curriculum focuses on an array of topics, such as computer organization, algorithm design and specifics of various languages. Network security is often a part of the curriculum, but secure coding techniques usually aren’t covered. Further, even those developers who have been trained in secure development may not be up to date on the latest malicious  >hacker techniques</a>. The ongoing cat-and-mouse game demands expertise of application development experts who follow these trends as their primary focus.
  • Source code scans cannot identify all vulnerabilities. There are certain classes of errors that a code scan simply cannot detect. For example, a password routine that accepts one-character passwords may be programmatically correct, but would still constitute a security issue. Only a detailed code review will spot problems of this type.
  • Many customer applications contain commercial software packages. Companies often build applications using pre-created application components or modules, adding their own code to suit their business needs. In many cases, the code in the commercial packages is not visible to the buyer. There may be vulnerabilities within one or more of these components, which would be invisible to a source scan of customer-written code. Special expertise in known (and likely) flaws in commercial application components and modules is a helpful service that a solution provider may offer.
  • Scans may report many false positives, indicating problems that are not actual vulnerabilities. Most scan tools can recognize a common operation, such as building a webpage, and detect if it contains a vulnerability that may lead to an exploit, such as a cross-site scripting attack. But, they can’t analyze an organization’s own application-specific code. It may spot an apparent problem in, for example, a data-validation routine, but not recognize that the apparent problem has been dealt with it a different code sequence. Rather than miss real problems, the tools report every potential problem. A detailed review of the code is the only way to separate false positives from actual problems.
  • Applications may be vulnerable to attack types developed since they were scanned, reviewed and released. Just because an application’s code was deemed secure when it was deployed, doesn’t mean it will remain secure. New application vulnerabilities are discovered every day, and new exploits to take advantage of them emerge with equal frequency. For that reason, code should be reviewed periodically over time for new vulnerabilities.

Code review best practices
In some cases, customers will want to buy tools and run the scans and tests themselves. Others will need a solution provider to run and interpret scans and tests, and then report the results. Security solution providers can offer either option.

Regarding the first option, solution providers can select vendor tools appropriate for their customers’ requirements from software vendors who maintain partner programs, such as Armorize Technologies Inc., Checkmarx, Fortify  (now owned by HP), IBM, Rapid7, Trustwave and Veracode Inc. However, solution providers must make clear to customers that simply buying a scan tool and running it is not sufficient.  It’s still necessary to allocate time for the application code reviews. The danger is that a customer may buy a tool, run it once, realize that additional effort is required and not take any further action, essentially putting the tool on the shelf, never to run it again. Solution providers can play an important consulting role, interpreting results and conveying the importance of corrective action.

  • eye on secure software development
  • Vulnerability remediation
    Scan results may reveal hundreds of security vulnerabilities. The solution provider can assist the customer by categorizing the findings and prioritizing remediation, while also eliminating false positives. To do this, some scan tools include (or offer as an add-on) a remediation function that categorizes and ranks the vulnerabilities according to severity and risk. This is usually done by comparing the vulnerabilities against security policies. Basic security policies are often preconfigured with the remediation tool, and the solution provider can modify and add policies based on the customer’s own security agenda.  For federal customers, there are remediation tools that compare the vulnerabilities against the Common Vulnerability Scoring System (CVSS) developed by the National Institute of Standards and Technology (NIST).

    Penetration testing
    Solution providers can also periodically run penetration tests to make sure the running application isn’t vulnerable to attack types developed since the application was scanned and released. Penetration tests are particularly valuable in demonstrating to developers the importance of secure code. Unlike a scan that shows developers a potential break-in, penetration tests demonstrate an actual successful break-in. However, given that penetration tests require unique expertise and experience, solution providers lacking in either of those areas should strongly consider partnering with another company that specializes in penetration testing.

    Secure application development training
    Another key opportunity is training customers in secure code development. Solution providers can explain how improving the software development processes can accelerate application development while reducing code vulnerabilities. By pointing out how to insert quality checks during the design phase and in early testing, customers will learn how to eliminate errors that would be difficult and time-consuming to correct later.

    To deal with the problems in commercial software components noted above, a solution provider may scan customers’ executables rather than customers’ source, and then consult directories of alternative components, directing customers to a secure alternative.

    Ongoing consulting
    Additionally, because a customer’s IT staff may not have the time to stay abreast of the latest application attack methods, solution providers can continually monitor, scan, remediate, review reports and warn customers about problems that may affect their application infrastructure.

    Solution providers must understand that providing these services requires on-staff skilled software developers with extensive secure code expertise. Experience with other aspects of network and system security, such as installing firewalls or intrusion prevention products, is simply not relevant when it comes to developing secure applications. 

    Finally, and most importantly, solution providers should make clear to customers that the way to achieve maximum protection is to combine all the methods mentioned above: train developers, improve the development process, run scans, review source code and run penetration tests. Creating an operational approach for doing thisis yet another perfect opportunity for solution providers.

    About the author:
    David B. Jacobs of The Jacobs Group has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.

Dig Deeper on Managed network security services