
White Paper

Automating Your Code Review: Moving to a SaaS Model for Application Security

Contents
Overview
Executive Summary
Code Review and Security Analysis Methods
    Source Code Review
    Penetration Testing
    Binary Code Review
Application Rating and Remediation
Veracode and Automated Code Reviews
    Binary application analysis
    Application Reviews and Ratings for Software Procurement
    Remediation
    Multiple Vulnerability Detection Technologies
Summary
About Veracode

2008 Veracode, Inc.

Overview
Today's application has become the enterprise's new perimeter. With better network-level security technology hardening the network perimeter, malicious attackers are now focusing their efforts to strike at the least defended point: the application. While hackers were once satisfied with defacing Web sites, unleashing denial-of-service attacks and trading illicit files through targeted networks, modern attackers are profit-driven. Financial and customer data have become valuable commodities and applications must be secure enough to protect them.

Executive Summary
Software vulnerabilities have become extremely common, yet inspecting code for security flaws is such a time-consuming and expensive process that many businesses forgo it entirely. Automated inspection of software using tools or on-premise products expedites the process, but still requires an enterprise to invest significantly in IT resources, training and maintenance. It also is difficult, if not impossible, to deploy these resources consistently across geographically dispersed development groups, address security risks posed by commercial software, or offshore outsourced application development. Few businesses have the staff, security expertise, time and money necessary to analyze their entire application portfolio in-house. To complicate matters, source code is often unavailable for externally developed software, and those that do have access are wary of exposing their proprietary source code outside of the organization.

In a recent survey of U.S.-based software developers, only 12 percent of the developers who responded said that security takes precedence over and less than half have had any formal training on secure coding techniques and processes. This has resulted in over 7,000 new security vulnerabilities disclosed over the last year alone, an all-time high. In an effort to combat this growing trend, new compliance requirements from the Payment Card Industry (PCI) and the Comptroller of the Currency Administrator of National Banks (OCC), along with recommendations from industry groups and analysts, call for code reviews to secure software applications.

On-demand application security testing offered as an automated service is emerging as a simpler and more cost-effective way to raise the security level of software. In fact, IT analyst firm Gartner predicts that within two years 50% of enterprises will be using some form of security-as-a-service offerings.

Application security offered as an on-demand service based on binary analysis and dynamic web scanning technologies allows organizations to review their entire code base for vulnerabilities without exposing their source code. On-demand application security is a major step toward reducing risk in applications developed in-house, commercial off-the-shelf (COTS) software, as well as applications developed by offshore outsourcing providers.

Software: Today's Biggest Security Risk
Today's application has become the enterprise's new perimeter. With better network-level security technology hardening the network perimeter, malicious attackers are now focusing their efforts to strike at the least defended point: the application. While hackers were once satisfied with defacing Web sites, unleashing denial-of-service attacks and trading illicit files through targeted networks, modern attackers are profit-driven. Financial and customer data have become valuable commodities and applications must be secure enough to protect them.

Recent industry statistics confirm this trend. Data from CERT reveals that the number of software vulnerabilities has risen dramatically and has eclipsed 7,000 new software vulnerability disclosures in the past year, an all-time high. Meanwhile, Gartner and NIST report that 95% of all reported vulnerabilities are in software, 75% of threats target business information, and 75% of attacks target the application level. Yet, even with these findings, most enterprises allocate less than 10% of their security spending to application security.

[Figures: NIST/Gartner Key Facts; CERT Number of Software Vulnerability Disclosures per Year]

Code Review and Security Analysis Methods
There are several methods in today's marketplace for organizations to introduce application security into their businesses, either dynamically, with penetration testing, or statically, with source code analysis or binary code analysis:
1. Source Code Review: manual and automated
2. Penetration Testing: manual and automated
3. Binary Code Review: automated, as a service

Source Code Review
Source code scanning comes in two forms: manual and automated analysis. Both allow developers to inspect code for known security vulnerabilities before compilation. Fixing these flaws during coding can reduce the number of builds necessary to produce a secure product and educate internal developers about secure coding practices.

Manual source code analysis, though very in-depth, is labor-intensive and requires highly skilled application security experts. Because of this, it lacks repeatability and is generally not considered practical. Automated source code analysis is becoming more prevalent in the marketplace, but because source code is proprietary, most businesses are wary of submitting it for off-site third-party analysis. As a result, these scanning tools are deployed as on-premises software, requiring dedicated infrastructure and staff with application security expertise. Automated scanning tools shorten testing times, but require dedicated hardware, installation, configuration, training, and frequent updates, making them costly and time-consuming for organizations.

Most businesses cannot justify hiring dedicated application security experts to perform source code reviews. Thus, whether manual or automated, source code scanning forces organizations to retask developers and QA personnel who may have limited expertise in application security. Additionally, modern software development practices may limit the effectiveness of source code scanning. By definition, a source code scan can only be as effective as the amount of source code available to it. Businesses frequently integrate code from third parties, such as libraries, commercial off-the-shelf (COTS) software, and open source software. Enforcing secure coding standards with outsourced and offshore development partners is typically difficult, and enforcing these standards for COTS components from third-party vendors is impossible using source code analysis alone.

Penetration Testing
Manual penetration testing involves a human tester simulating an actual external attack. During a test, a security expert attempts to compromise a target application using exactly the same methods as a hacker. Manual penetration testing is usually conducted in a black-box setting, tested from the outside in, with no knowledge of source code or internal processes. Businesses can safely outsource most black-box testing, but outsourcing more valuable white-box testing, performed with specific knowledge of source code or software design documentation, risks compromising proprietary assets.

Manual penetration testing can provide valuable spot checks and perhaps detect some low-hanging-fruit vulnerabilities, but the tester's level of knowledge and the inability to achieve adequate coverage of the application's code from its external interfaces limit its effectiveness. Even a team of the best testers would be unable to perform comprehensive tests on repeated builds of an application without slowing the SDLC and adding substantial costs. Manual penetration testing can be non-deterministic, with testers continuing to find flaws when given an unlimited amount of time. As a result, manual penetration testing, while valuable, can be costly and time-consuming for organizations looking to introduce security into their applications or analyzing third-party applications for security flaws.

To address the limitations of manual penetration testing, software vendors now offer tools that automate the most common scans and penetration attempts. Automated penetration testing provides a faster, more consistent scan of common external vulnerabilities than manual testing. However, these tools are not fully automated. They require a human to guide or "teach" the tool about the application, and require a human with security knowledge to investigate false positives.

Despite its cost and time advantages, automated penetration testing is not a replacement for manual testing. Some applications behave unpredictably, and automated test tools cannot predict how a human attacker might react to those behaviors. Both manual and automated penetration testing require application security analysts with deep expertise in design, development and deployment. In addition, both tests come late in the SDLC. Organizations are faced with a difficult choice: delay the software release in order to fix vulnerabilities and lose revenue, or deploy the application and plan to issue a potentially expensive patch.

Binary Code Review
The analysis of compiled applications is a recent development in security testing. Similar to source code reviews, binary reviews fall under the category of static analysis, also commonly called white-box testing, and have the same distinct advantages: they can evaluate both web and non-web applications and, through advanced modeling, can detect flaws in the software's inputs and outputs that cannot be seen through penetration testing alone.

By examining a compiled form of an application in its runtime environment, this technique can provide a much more comprehensive picture of real-world vulnerabilities. While integrating other forms of security testing requires significant process modifications, analyzing the binaries requires very few such modifications. The standard SDLC provides a window for binary analysis during build acceptance testing. Developers can run security analysis and functional testing in parallel from the same compiled binary.

Binary analysis creates a behavioral model by analyzing an application's control and data flow through executable machine code, the way an attacker sees it. Unlike source code tools, this approach accurately detects issues in the core application and extends coverage to vulnerabilities found in third-party libraries, prepackaged components, and code introduced by compiler- or platform-specific interpretations. Another advantage of binary analysis is the ability to detect growing types of threats such as those coming from malicious code and backdoors, which are impossible to spot with traditional tools because they are not visible in source code.

Perhaps the biggest advantage of binary code reviews is that static binaries are fully compiled, and therefore safer to release to third-party security services for analysis without risking proprietary assets. Performing binary code reviews removes concerns surrounding intellectual property contained in source code and is applicable to situations where access to source code is not available, as is the case with commercial software, legacy applications or many offshore outsourced applications. This overcomes the requirement to have an on-premises tool and enables application security to be delivered externally using a Security-as-a-Service (SaaS) model.

Application Rating and Remediation
Regardless of their choice of techniques for application analysis, most businesses are not prepared to process the resulting security analysis data. Application development departments are focused on bringing functional applications to market as quickly and inexpensively as possible. Quality assurance departments can classify and prioritize functional defects, or bugs, in software according to established practices, but most businesses are unable to classify and prioritize security defects from vulnerability data. False positives and a lack of experience balancing acceptable levels of security risk and market demands further complicate this process.

To help businesses prioritize decisions about which flaws to fix, a scoring and ranking system has been developed in the marketplace. Until recently, security solution providers assessed the severity of vulnerabilities according to their own proprietary systems. This led to discrepancies between products and services, and limited the value of security assessments. In 2005, a coalition of security experts created the Common Vulnerability Scoring System (CVSS), a vendor-agnostic standard for communicating the severity of vulnerabilities. CVSS uses standard mathematical equations to calculate the severity of new vulnerabilities and provides scores based on the following factors:
- System vulnerability and type of security impact
- Exploitability and remediation availability
- Severity potential

CVSS is a consistent benchmark for application security, providing businesses with actionable data and ensuring that their security efforts can be documented for regulatory compliance. Once a business can quantify the severity of its vulnerabilities, it can begin adjusting its ship-or-launch decision process to address them.

Scored and prioritized vulnerability data provides an excellent starting point for a formal security remediation program. Each vulnerability that is uncovered and classified provides a specific, actionable example of a poor coding practice from which developers can learn. With the assistance of a security expert, businesses can build a library of secure coding best practices tied to real-world examples from their own code bases. Over time, this knowledge will improve the quality of a business's developers and its applications, reducing cost and increasing productivity. Businesses can use application scoring as a method of tracking a developer's or group's progress toward secure coding standards, and can compare their scores to those of other companies or industry benchmarks, if available.

Veracode and Automated Code Reviews
Veracode provides automated, on-demand application security solutions that identify and help remediate application flaws introduced through coding errors or malicious intent, offered as Software as a Service (SaaS). Veracode combines its patented binary code analysis with multiple scanning technologies, including dynamic web scanning analysis, into a single solution. Because it is based on multiple scanning technologies, Veracode SecurityReview offers accurate and comprehensive application security analysis. And by offering it through an automated, on-demand solution, Veracode makes it easy and cost-effective to find and fix application vulnerabilities that can put organizations at risk, whether they are developing applications in-house or purchasing applications from an outside vendor.

Binary application analysis
Veracode provides binary (composite) application analysis based on the industry's first patented binary vulnerability scanning technology. Binary analysis peers deep into all code paths and data flows that the program will execute, without actually running the program. By examining a compiled form of an application or component with the context of its runtime environment, Veracode provides a complete picture of real-world vulnerabilities. It also examines real-time communication among components for any weaknesses introduced during linkage. Binary analysis provides the easiest, most accurate and most comprehensive method for securing applications. In addition, it enables organizations to improve software security during the development process and does not put a company's intellectual property at risk, because it does not require source code.

Application Reviews and Ratings for Software Procurement
The software industry is one of the largest manufacturing industries in the world, with $350 billion in off-the-shelf software sold each year and over $100 billion in customized code on top of that. Despite the size, there is no standardized notion of software security quality, even though the repercussions include product patches, data breaches leading to massive identity theft, and fluctuations in corporate stock prices. Until now, independent software ratings have not been possible for two reasons:
- Due to the sensitivity associated with releasing source code for independent evaluation,
- Existing evaluation tools are not able to assess 100% of the application code, which is a prerequisite for accurate rating.

Veracode's innovation with binary security analysis, coupled with its on-demand service model that integrates multiple testing techniques, makes this rating service possible, as it does not require organizations to divulge their proprietary source code. Veracode provides application security ratings for applications based on industry standards, including MITRE's Common Weakness Enumeration (CWE) for classification of software weaknesses and FIRST's Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability. Veracode is the only organization to combine these standards into a meaningful and practical way to assess software security across internally and externally developed applications.

Veracode Software Security Ratings provide:
- Clear insight into the security level of software from a trusted and independent third party;
- A practical way to set security thresholds for purchased software, before it's deployed in-house;
- A standard method to implement code acceptance security policies for outsourced application development and evaluation of software security risk in M&A transactions.

Remediation
The Veracode world-class team of application security experts passes along their expertise through a second, more detailed report designed to help developers fix the most severe vulnerabilities faster and become familiar with secure coding standards. This report points out the exact line of code creating each problem, provides supplementary details about the nature of the issue, and recommends a specific fix. This context enables developers to learn from their mistakes, eventually leading to cleaner, more secure code in future products. The Veracode reporting interface is similar to standard integrated development environments (IDEs) with which developers are already familiar, reducing acclimation time. By providing remediation reports and updating the scanner to reflect the latest security developments, Veracode's security team provides expertise that would be impossible to obtain from in-house staff at most software development organizations.

Multiple Vulnerability Detection Technologies
While composite analysis using binary technology is the most effective single method of security analysis, it is not the only technique, nor is it as effective as a combination of approaches that include binary analysis. Different companies require varying levels of software assurance based on their business requirements. To meet these needs, Veracode integrates multiple types of security analysis, such as dynamic Web application analysis and manual and automatic penetration testing. By helping teams work together to identify, prioritize, and remedy security issues, the Veracode platform will help businesses build more secure, cost-effective applications and help organizations purchasing applications reduce the risk associated with application vulnerabilities.

Summary
Maturing security technologies at the network level have shifted the focus of many new malicious hacker attacks to the application itself. For protection from this evolving threat, businesses need to assess application-level security on a regular and timely basis. Technological, financial, and process limitations inhibit the effectiveness of penetration testing and source code analysis, leaving businesses without a viable method of comprehensive security testing. Automated code reviews using static binary analysis, delivered via a software-as-a-service model, provide an opportunity for businesses to conduct comprehensive software testing, exposing weaknesses that might not be visible through other methods, with minimal impact on development process or deployment timelines. The Veracode software security solution integrates binary analysis with multiple application testing techniques to provide vulnerability severity ratings and remediation advice, allowing businesses to make informed business decisions as they secure their internal and purchased applications easily and cost-effectively.

About Veracode
Veracode is the world's leader for on-demand application security testing solutions. Veracode SecurityReview is the industry's first solution to use patented binary code analysis and dynamic web analysis to uniquely assess any application security threats, including vulnerabilities such as cross-site scripting (XSS), SQL injection, buffer overflows and malicious code. SecurityReview performs the only complete and independent security audit across any internally developed applications, third-party commercial off-the-shelf software and offshore code without exposing a company's source code. Delivered as an on-demand service, Veracode delivers the simplest and most cost-effective way to implement security best practices, reduce operational cost and achieve regulatory requirements such as PCI compliance without requiring any hardware, software or training.

Veracode has established a position as the market visionary and leader with awards that include recognition as a Gartner Cool Vendor 2008, Info Security Product Guide's Tomorrow's Technology Today Award 2008, Information Security Readers' Choice Award 2008, AlwaysOn Northeast's "Top 100 Private Company 2008", Network World Top 10 Security Company to Watch 2007, and Dark Reading's Top 10 Hot Security Startups 2007.

Based in Burlington, Mass., Veracode is backed by .406 Ventures, Atlas Venture and Polaris Venture Partners. For more information, visit www.veracode.com.
