Design and Development (A4): SDL Activities and Best Practices 179
“shelfware” in many organizations because the right people and/or the
right process was not used in selecting the tool or tools. Not all tools are
created equal in this space: Some are better at some languages than others,
whereas others have great front-end GRC (governance, risk management,
and compliance) and metric analysis capabilities. In some cases you may
have to use up to three different tools to be effective. Some of the popular
SAST vendor products are Coverity,
16
HP Fortify Static Code Analyzer,
17
IBM Security AppScan Source,
18
klocwork,
19
Parasoft,
20
and Veracode.
21
One of the challenges in using a static analysis tool is that false posi-
tives may be reported when analyzing an application that interacts with
closed-source components or external systems, because without the source
code it is impossible to trace the flow of data in the external system and
hence ensure the integrity and security of the data. The use of static code
analysis tools can also result in false negative results, when vulnerabilities
exist but the tool does not report them. This might occur if a new vulner-
ability is discovered in an external component or if the analysis tool has
no knowledge of the runtime environment and whether it is configured
securely. A static code analysis tool will often produce false positive results
where the tool reports a possible vulnerability that in fact is not. This
often occurs because the tool cannot be sure of the integrity and security
of data as it flows through the application from input to output.
22
Michael Howard, in his Security & Privacy 2006 IEEE article titled “A
Process for Performing Security Code Reviews,”
23
proposes the following
heuristic as an aid to determining code review priority. The heuristic can
be used as a guide for prioritizing static, dynamic, fuzzing, and manual
code reviews.
• Old code: Older code may have more vulnerabilities than new code,
because newer code often reflects a better understanding of security
issues. All “legacy” code should be reviewed in depth.
• Code that runs by default: Attackers often go after installed code
that runs by default. Such code should be reviewed earlier and more
deeply than code that does not execute by default. Code running by
default increases an application’s attack surface.
• Code that runs in elevated context: Code that runs in elevated
identities, e.g., root in *nix, for example, also requires earlier and
deeper review, because code identity is another component of the
attack surface.