After a decade of existence, still, Cross-site scripting, SQL Injection and other of missing Input validation associated security vulnerabilities can cause severe damage once exploited. To analyze this fact, [1] conducted an empirical study, while OWASP and SANS defined their respective risk-based approaches. Taking these results into consideration, three deficiencies can be highlighted: a lack in upskilling developers to write secure code, a high ratio of false positive findings in security code scanners and an erroneous planning for security corrections.

This blog entry is part of a series. In the first entry, we present how using the Eclipse platform and the JDT compiler, a proper tooling can be provided to overcome these deficiencies. We present a static analyzer that assists developers to report these security vulnerabilities. The second upcoming entry presents an innovative approach by integrating an Aspect Oriented tool for semi-automated correction of these findings. Both tools are designed within an architecture that is monitored by security experts and particularly adequate for agile development.

Static analysis into the Secure Development Lifecycle

This work aims to provide each developer a simple way to do daily security static analysis on his code. That would be properly achieved by providing a security code scanner integrated in the development environment, i.e. Eclipse in this case, and a centralized architecture that allows the security experts to assist the developers in any of the findings. Typically that would include verifying false positives and correspondingly adjusting the code scanner test cases, or assisting in reviewing the solutions for the fixes. This approach has several advantages over the approach in which static analysis is left over to the end of development:

1. The development group running the security code scanner at every build has the expertise of the context with which the project should operate.
2. Security experts, in charge of the code scanning activity, can interact with the development team on a case by case basis to fine tune the code scanner test cases and algorithm.
3. Fixing the bug into the development phase requires less time since the findings and the corrections are undertaken by the development team that wrote the code.
4. As soon as the security experts fix the test cases for circumventing false positives, all other development environments would immediately be patched.
5. Solving security issues into the development phase can reduce the number of issues that the security experts should analyze; in this way we could reduce the costs.

A tool to support developpers

Our incentive is to harvest the advantages acquired by using our approach in an agile and decentralized static analysis process early in the software development lifecycle.  It raises security awareness for the developers at the time of development and thus reduces cost expected for the after development fixes. The tool fulfills the following requirements :

1. Easy to use: end-users, especially for users that are not security experts, are expected to use it on a daily basis and without a dedicated training.
2. Domain specific: It must be integrated into the developers' daily development environment, to maximize adoption and avoid additional steps to run the tool.
3. Adjustable: It must run with a reduced number of lines of code (as expected to be daily scans), but also must scale to large amount of code.
4. Reflexive: It must have access to a security knowledge database, created and maintained by security experts. Developers can help build up the knowledge database by reporting their experience about classes, methods and packages. Generally, developers can tag such element as trusted or not.
5. Smart: It must support developers in correcting issues. Also, the prototype can educate developers to understand why the findings are true positives and why they occurred and what are the steps needed to mitigate the errors and avoid them in future development.

We have decided to develop an Eclipse Plugin made of different components that leverage decentralized approach for static analysis. The first Figure shows how the plugin is integrated into Eclipse workbench. By clicking on a small button, the developer is able to perform a static analysis which display within seconds or minutes (depending on the amount of code) the results.

The second Figure shows the results as seen by developers. It gives direct access to detected flaws and global overview on system vulnerabilities. The developer analyzes its code and review vulnerabilities when necessary.

The agile and decentralized approach for static analysis leverages developers knowledge with expertise support from security expert. The code analysis process is governed by the security experts during the security development lifecycle while applied by developers. We make usage of the day-to-day development environment tools - Eclipse - to automate the process and integrate a solution closer to the developer. A single environment allows from detection to correction and track of common vulnerabilities during the development phase.
This first entry blog introduce the advantages and requirements to adopt such approach. We will focus in the next blog entry on the semi-automatic correction approach we adopted for detected vulnerabilities.

Acknowledgment

This is a joint work with Marco Guarnieri, a former intern at SAP Labs France and paul.elkhoury/blog, member of SAP corporate security team in SAP AG Walldorf.

[1] Theodoor Scholte, Davide Balzarotti, and Engin Kirda. Quo vadis? a study of the evolution of input validation vulnerabilities in web applications. In Proceedings of Financial Cryptography and Data Security 2011, Lecture Notes in Computer Science, February 2011