Source Code Analysis

Source code analysis exists because businesses are under constant attack from criminal hackers, malicious insiders and ransomware. As companies have focused on securing their network perimeters, attackers have turned their attention to the application layer, looking for exploitable flaws in the code itself.
According to the experts:
  • “75% of security breaches happen at the application” – Gartner
  • “Over 70% of security vulnerabilities exist at the application layer, not the network layer” – Gartner
  • “If only 50% of software vulnerabilities were removed prior to the application going live in production, costs would be reduced by 75%” – Gartner
  • “92% of reported vulnerabilities are in applications not in networks” – NIST (National Institute of Standards and Technology)
  • “The cost of fixing a bug in the field is $30,000 vs $5,000 during coding” – NIST (National Institute of Standards and Technology)
Unfortunately, most organizations do not subject their application source code to security testing and analysis, which creates a dangerous gap in security between development and deployment.

Research indicates that the overall security level of web applications is declining. Developers pay more attention to functionality than to the security of their web applications. As a result, many administrative flaws appear; they are classified as low-severity vulnerabilities, but by exploiting them an attacker can obtain sensitive data (where it is disclosed on application pages) or gain unauthorized access (through brute-force or session attacks). All applications, regardless of development tools and industry, are vulnerable.

Each of the applications studied by the experts had at least one medium-severity vulnerability, and 70% had critical flaws. An intruder may exploit code errors not only to obtain full control over the server, but also to attack the application's users, which can cause significant reputational damage. The 2016 research results demonstrate the need to analyze web application security regularly. Security should be analyzed at every development stage and at regular intervals (e.g. twice a year) during operational use. According to the results, white-box testing with source code analysis is more effective than other methods. Moreover, this testing can be performed automatically (using a source code analyzer), which is more practical than manual testing. More than half (62.5%) of the applications put into production contained critical vulnerabilities. This can lead to sensitive data disclosure, system compromise or failure.

Fortify application development and security experts will perform an in-depth analysis of application source code to detect security vulnerabilities. Input validation logic, memory management, authentication, API calls and code path flow are all important aspects of software that need to be reviewed and scrutinized. Source code analysis helps find security problems that may be masked by other layers in the network, especially since firewalls can be bypassed through application-layer vulnerabilities.

Speak with one of the Fortify engineers today!