Secure software development is having a moment right now—and it’s long overdue, because so many critical systems have been breached and found wanting. Consider just two incidents from this year:
- Software giant Microsoft saw its business email software hacked, victimizing hundreds of thousands of users, including the European Banking Authority (Bloomberg, CNBC).
- Colonial Pipeline on the eastern seaboard suffered a ransomware attack, with hackers holding up the company for $5 million and causing fuel shortages across vast swaths of the eastern United States (NY Times).
If you develop software for businesses, consumers, or your own organization, all eyes are on you. The world is awake to the vulnerabilities posed by cybersecurity. To maintain public trust, your secure software development practices must be ironclad, your testing practices airtight.
Of course, no code testing protocol is perfect. But to develop a comprehensive secure software development testing regimen, it helps to know your options. Whether you are developing and testing your software solution in-house or with the help of a third-party development and testing firm, here are some secure software development testing tools you should know about.
Static Code Analysis Tools
Static Code Analysis examines the code in its “static” state—that is, as written source, not running. Also known as static application security testing (SAST), static code analysis can be performed through an exhaustive process of manual review, but automation has changed the game. SAST tools take a tedious process and make it quick, saving time and resources on a repetitive but important task.
Automated SAST tools compare code against a defined set of coding rules. For the tool to identify vulnerabilities accurately, the software must be written in a language the SAST tool is designed to scan, and the rule set must be chosen so that a deviation from it signals a potential vulnerability.
Once the tool has completed its scan, it will provide a list of potential vulnerabilities. Developers must manually review that list to identify which ones are actual vulnerabilities and then perform the corrections. But the automated tool saves the developer a lot of time.
Errors that SAST tools can find include:
- Coding Standard Violations
- Programming Errors
- Syntax Violations
- Undefined Values
- Security Vulnerabilities
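To make the rule-matching step concrete, here is an added example of a minimal rule-based scanner (not the code of any tool named on this page). The rule identifiers, patterns and the sample program it scans are all constructed; like a real SAST tool, it only produces candidates that a developer still has to review.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str          # hypothetical rule identifier
    pattern: re.Pattern   # what a deviation from the coding rule looks like
    message: str

# Constructed rule set: each pattern marks a deviation that needs human review.
RULES = [
    Rule("SAST-001", re.compile(r"\beval\s*\("), "eval() on runtime data allows code injection"),
    Rule("SAST-002", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"), "shell=True enables command injection"),
    Rule("SAST-003", re.compile(r"(?i)\b(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]"), "hard-coded credential"),
    Rule("SAST-004", re.compile(r"execute\s*\(\s*(f['\"]|\"[^\"]*\"\s*[+%]|'[^']*'\s*[+%])"), "SQL built by string formatting"),
]

def scan_source(filename, source, rules=RULES):
    """Return the list of potential vulnerabilities a developer must then review by hand."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):   # comments never execute; skipping them cuts false positives
            continue
        for rule in rules:
            if rule.pattern.search(line):
                findings.append({"file": filename, "line": lineno,
                                 "rule": rule.rule_id, "message": rule.message})
    return findings

# Constructed sample program, not real application code.
SAMPLE_SOURCE = """\
import subprocess
# password = "left-in-comment"   <- commented out, must not be flagged
API_KEY = "placeholder-not-a-real-key"
def lookup(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
def safe_lookup(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
def run(cmd):
    return subprocess.run(cmd, shell=True)
"""

if __name__ == "__main__":
    for f in scan_source("app.py", SAMPLE_SOURCE):
        print(f"{f['file']}:{f['line']} {f['rule']} {f['message']}")
```

The parameterized query in `safe_lookup` is deliberately left unflagged: a rule set is only as good as its ability to tell a deviation from compliant code.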
Examples of Static Code Analysis Tools
- Checkmarx. Checkmarx is an enterprise-level SAST tool trusted by over 1,400 companies, including five of the top ten software developers, to perform static code analysis on 25 different coding languages.
- Reshift. Reshift is a SaaS SAST tool for the Java programming language. Free to use for open-source software, with commercial plans starting at $99, it integrates seamlessly into the development workflow to perform static code analysis on Java.
Dynamic Code Scanning Tools
Whereas static code analysis examines the code in a static state, Dynamic Code Scanning examines the code in its dynamic, i.e. running state. An executed application presents a different attack surface than a static application, so it requires a distinct process to expose those vulnerabilities.
Dynamic application security testing (DAST) tools are designed to probe the program with inputs that are meant to tease out errors and vulnerabilities—in essence, replicating various vectors of attack that a cybercriminal might try. Examples of these inputs include SQL queries, negative numbers, long input strings, large positive numbers, and other unexpected inputs.
A DAST tool might check a running application for:
- Program Errors. DAST tools can identify “divide-by-zero” errors, memory leaks, race conditions, null pointer dereferences, and other program errors that a cybercriminal might trigger to find a backdoor into the program.
- Vulnerabilities. Vulnerabilities exposed by instrumenting the program at the source-code, compilation, or object-code stage.
- Resources Consumed. This includes both program execution time and memory use.
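The following added example (not from any tool listed here) shows the DAST idea in miniature: it feeds the input classes named above to a constructed target function and records, per probe, which program error surfaced and whether the call was slow. `parse_quantity`, the probe values and the 50 ms threshold are all assumptions made for the example.

```python
import time

# Constructed target standing in for the code under test (not a real application).
def parse_quantity(raw):
    value = int(raw)                 # ValueError for SQL text or other non-numeric input
    return 100 // value              # ZeroDivisionError when raw == "0"

# One probe per input class the text lists, plus a wrong-type value.
PROBES = {
    "sql_fragment": "1 OR 1=1",
    "negative": "-5",
    "zero": "0",
    "long_string": "9" * 4000,
    "large_positive": str(10**12),
    "wrong_type": None,
}

# Errors that are ordinary input validation rather than a program error.
EXPECTED = {"ValueError"}

def probe(target, inputs=PROBES, slow_ms=50.0):
    """Run every probe and record how the target failed and whether it was slow."""
    report = {}
    for name, value in inputs.items():
        start = time.perf_counter()
        try:
            target(value)
            outcome = "ok"
        except Exception as exc:        # a DAST harness records every failure, whatever the type
            outcome = type(exc).__name__
        elapsed_ms = (time.perf_counter() - start) * 1000
        report[name] = {"outcome": outcome, "slow": elapsed_ms > slow_ms}
    return report

def program_errors(report):
    """Probes that crashed the target with something other than input validation."""
    return sorted(n for n, r in report.items()
                  if r["outcome"] != "ok" and r["outcome"] not in EXPECTED)

if __name__ == "__main__":
    for name, r in probe(parse_quantity).items():
        print(f"{name:15} {r['outcome']:20} slow={r['slow']}")
```

Note what the harness cannot see: the negative probe returns a nonsensical negative quantity without crashing, so it is reported as "ok", which is one reason DAST results still need a developer's review.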
Examples of Dynamic Code Scanning Tools
- Tenable.io. This SaaS risk-based vulnerability management (RBVM) tool is one of the most comprehensive dynamic code scanning tools on the market. It lets you see vulnerabilities across the entire attack surface, predicts the most likely vectors of attack, and helps you take action on the most important vulnerabilities.
- Netsparker. This enterprise-level DAST tool offers unique functions to scan complex application environments for vulnerabilities in hard-to-reach, oft-forgotten areas. The rapid-feedback feature helps train developers to write secure code.
- Micro Focus Fortify On Demand. Formerly HP Fortify on Demand, FoD is a great starter solution with the ability to scale as you grow. It can perform mobile app security scanning, open-source code scanning, and vendor application security scanning.
- Rapid7 AppSpider. AppSpider earns its evocative name by crawling into the darkest, hard-to-reach corners of an app to perform dynamic application security testing.
- Acunetix by Invicti. This easy-to-use DAST tool provides robust reports with every scan, making it easy to identify high-priority vulnerabilities. It also offers recommendations on how to fix them.
Interactive Application Security Testing (IAST) Tools
Interactive Application Security Testing (IAST) is an advanced form of dynamic code scanning.
Whereas DAST tools query the running application in hopes of provoking an error and exposing a vulnerability, IAST tools actively scan the flow of data in the running program. This involves much less trial-and-error than DAST and yields far fewer “false positives” than DAST and SAST tools. IAST tools also have the advantage of exposing errors in real time as the tool scans the running code.
However, IAST tools aren’t a one-size-fits-all solution. They need to be used in tandem with other application testing tools to form a complete picture of the application’s vulnerabilities.
Examples of IAST Tools
- Hdiv Detection. This sophisticated IAST tool reports the file and line number of every vulnerability it discovers, making it easy for the developer to locate and fix the problem. It’s easy to install and monitor through a centralized dashboard with a convenient “vulnerability detail” panel.
- Seeker IAST. Seeker IAST not only identifies vulnerabilities; it also determines which vulnerabilities can actually be exploited by a hacker. It has an impressive false-positive rate of nearly zero.
Database Security Scanning Tools
Even organizations that take secure software development seriously tend to neglect their databases. As such, the databases within or adjacent to the software solution tend to be the first place an attacker will look to identify vulnerabilities.
Database Security Scanning Tools examine the application databases in search of unique database-specific vulnerabilities. No secure software development testing battery is complete without checking for these.
Examples of Database Security Scanning Tools
- MSSQL Datamask. MSSQL Datamask helps organizations test masked data, not just live data, to identify vulnerabilities that other tools might miss.
- Scuba. This free scanning tool is capable of identifying over 2,000 common database vulnerabilities, including missing patches and weak passwords.
- AppDetectivePro. Companies use this database scanner to quickly uncover missing patches, access and control issues, configuration mistakes, and possible vectors for denial-of-service or escalation-of-privilege attacks.
- Nmap. This open-source network mapper uses raw IP packets to perform network surveys and security audits of the hosts it finds.
Correlation Tools
SAST, DAST, IAST … your code has been poked and prodded within an inch of its life by now. The result is a laundry list of vulnerabilities or potential vulnerabilities for you to address. These long lists can be formidable. Is there any way to triage these potential vulnerabilities further and weed the list down to a murderer’s row of actual vulnerabilities?
Correlation Tools take the output of various tests and look for correlations—that is, similar results from different tests. If more than one test identifies a discrepancy as a potential vulnerability in the software, it may be a prime candidate for prioritized action.
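As an added illustration of that merge-and-prioritize step (not the code of Orchestron, ThreadFix or any other product), the block below takes constructed SAST, DAST and IAST findings, merges those that share a CWE and a location, drops duplicates, and ranks each group by how many independent tools agree. The finding format and the rule that an IAST result (which carries both a code location and an endpoint) links a SAST file/line to a DAST endpoint are assumptions of the example.

```python
# Constructed findings in the shape three tools might report them (not real tool output).
SAST = [
    {"tool": "sast", "cwe": "CWE-89", "file": "app/db.py", "line": 42, "severity": "high"},
    {"tool": "sast", "cwe": "CWE-798", "file": "app/config.py", "line": 3, "severity": "medium"},
    {"tool": "sast", "cwe": "CWE-89", "file": "app/db.py", "line": 42, "severity": "high"},  # duplicate
]
DAST = [
    {"tool": "dast", "cwe": "CWE-89", "url": "/users", "param": "name", "severity": "high"},
    {"tool": "dast", "cwe": "CWE-79", "url": "/search", "param": "q", "severity": "medium"},
]
IAST = [
    {"tool": "iast", "cwe": "CWE-89", "file": "app/db.py", "line": 42,
     "url": "/users", "param": "name", "severity": "high"},
]

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

def _keys(finding):
    """Location keys a finding can be matched on; a finding may carry one or both."""
    keys = set()
    if "file" in finding:
        keys.add((finding["cwe"], "code", finding["file"], finding["line"]))
    if "url" in finding:
        keys.add((finding["cwe"], "http", finding["url"], finding["param"]))
    return keys

def correlate(*result_sets):
    """Merge findings that share a CWE and a location, then rank by tool agreement."""
    groups = []
    for finding in (f for rs in result_sets for f in rs):
        keys = _keys(finding)
        merged = {"cwe": finding["cwe"], "keys": set(keys),
                  "tools": {finding["tool"]}, "severity": finding["severity"]}
        for group in [g for g in groups if g["keys"] & keys]:   # overlapping groups fold in
            merged["keys"] |= group["keys"]
            merged["tools"] |= group["tools"]
            if SEVERITY_RANK[group["severity"]] > SEVERITY_RANK[merged["severity"]]:
                merged["severity"] = group["severity"]
            groups.remove(group)
        groups.append(merged)
    # More independent tools agreeing means a stronger candidate; severity breaks ties.
    groups.sort(key=lambda g: (len(g["tools"]), SEVERITY_RANK[g["severity"]]), reverse=True)
    return groups

if __name__ == "__main__":
    for g in correlate(SAST, DAST, IAST):
        print(g["cwe"], sorted(g["tools"]), g["severity"])
```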
Examples of Correlation Tools
- Orchestron. The Orchestron platform offers a leading-edge example of automated application vulnerability correlation, saving time and resources in development and security auditing.
- ThreadFix. ThreadFix consolidates SAST, DAST, and IAST results, merging results and removing duplicates. It also integrates manual checks and threat models to offer an integrated view of your application security test results.
As long as there is software, there will be criminals who try to exploit vulnerabilities in that software to cause chaos and enrich themselves. In the wild-west landscape of the global Cloud, developers and cybersecurity experts have no choice other than to be better-armed and quicker on the draw than the hackers who threaten them and their users. The right arsenal of secure software development tools can ensure that your software development team doesn’t show up with a knife to the proverbial gunfight.