March OWASP – The Business Case for Static Analysis

Not a whole lot of activity the last week or so, and I took a short break from writing. Probably a good thing, as you can see what happens when I come up with my own ideas. It looks like my last one went over like a ton of bricks. Perhaps I shouldn’t care that companies want to leave Cincinnati, as geography probably doesn’t matter any more, and at the Agile Round Table last night we talked a bit about how a single developer and a computer have the lowest startup cost when starting a new business. Couple a niche market with a single developer and low cost independent of geography and it’s probably a win-win all around. I’d like your thoughts. Does the Cincinnati IT community really matter?

Okay, matter or not, our community generates a ton of valuable information every month, so we’ll dive into the latest OWASP meeting here. I grabbed a seat near Bill Huber and Brian Blankenship. Bill runs his own operation, W. E. Huber Consulting, and Brian, a Security Analyst for Kindred Healthcare, knowing the value of the OWASP organization and the work they do, drove in from Louisville to take in the evening’s presentation. I had a pleasant surprise in store as I introduced myself. I’m a recruiter by profession, but I don’t like saying this at community events because that’s not my purpose when I attend. My purpose is to highlight the people in our community and help explain the value of these organizations to the rest of our community in hopes that more folks will get involved. Anyway, Brian asked what I did. I hemmed and hawed until I finally cut to the chase and explained that I am a recruiter. Then Bill chimed in and asked, “and your blog is?” “Cincinnatirecruiter,” I replied with a smile. He had been reading and I had a great chance to connect with someone new in the community.

After the meeting, Bill, Brian, and I spent more time talking and diving into a bit more detail. Later that evening Brian sent me a note with some valuable feedback about this blog and sent me an invitation to connect on LinkedIn. Brian, thanks for reaching out, and I hope we’ll see you again at some point.

For the meeting, Blaine Wilson provided a fairly in-depth demo of WebScarab, a proxy that allows you to monitor and modify traffic between the client machine and the web server. Blaine has quite a bit of real-life experience with WebScarab, which he uses consistently in his Citigroup Technology Information Security Officer role. The bottom line here is that you need to proceed carefully when you use WebScarab, because some of the functionality will trigger red flags in your organization’s intrusion detection systems (you do have intrusion detection systems, don’t you?). You could be fired if you don’t secure proper permissions. A couple of interesting configuration options include regular expression catch and ignore functionality, and fuzzing, which throws large amounts of data at your applications in an attempt to expose security holes in them.

Allison Shubert, a Citigroup Security Specialist, spoke about the business case for static analysis. Static analysis can plug another hole in the security wall. Still, static analysis efforts can cost quite a bit in terms of both money and effort and you’ll need to make an ROI case for investment.

The use of static analysis assumes an organization performs regular architecture reviews, regular integration and user acceptance tests, and penetration tests, as static analysis, like other testing methods, is not a silver bullet. Static analysis is one more test in a portfolio designed to harden applications.

Cost-to-fix increases greatly as a design defect moves through the software development life-cycle, and catching issues early becomes paramount to managing cost. In fact, a defect that manages to make it into production costs 400X more to fix than if it were caught at design time. Catching defects at design time can prove an elusive endeavor, though, as even thorough design will miss use cases users will attempt once the application reaches production. On a percentage basis, fewer issues are caught in design than in test, and fewer in test than in production. So test early and often.

Automated static testing will catch vulnerabilities without the formal, and time-consuming, code review sessions. Static analysis does not replace code review, but it can supplement code review in a value-added manner.

To build a business case, start with metrics. Collect data on the types of defects found and where these defects occur in the system. From this data, determine requirements for a static analysis effort in terms of the kinds of flaws you wish to catch. Then choose a static analysis tool that will fit your needs. And as you analyze your data, determine where in the life-cycle you will deploy your static analysis efforts.

Develop a proof-of-concept for your efforts in order to strengthen the business case. Collect data about the defects the tool discovers and the number of defects identified as you move from integration to system testing and onward through the life-cycle. You should see these numbers decline over time as you progress through the life-cycle. With your data in hand, present your findings to management in terms of how your efforts support the values of your organization, i.e. cost savings, securing private data, etc.
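As an added example (my own, not from Allison’s talk or slides), here is a small cost-to-fix model that turns the metrics described above into the cost-savings figure management wants to see. Only the 400X production-versus-design ratio comes from the talk; the intermediate multipliers, the per-defect cost, the defect counts, the detection rate and the tool cost are constructed assumptions.

```python
# Cost-to-fix business case model for a static analysis proof-of-concept.
# Added example, not code from the original post. The "design" = 1x and
# "production" = 400x multipliers are from the talk; every other number
# below is a constructed assumption for illustration only.

# Relative cost to fix one defect, by the life-cycle phase in which it is caught.
COST_MULTIPLIER = {
    "design": 1.0,        # from the talk: baseline
    "integration": 10.0,  # assumed
    "system_test": 40.0,  # assumed
    "production": 400.0,  # from the talk: 400X the design-time cost
}

COST_PER_DESIGN_FIX = 100.0  # assumed cost (in dollars) of one design-time fix

# Constructed baseline: defects caught per phase before static analysis.
BASELINE = {"design": 20, "integration": 30, "system_test": 25, "production": 5}


def total_fix_cost(defects_by_phase):
    """Total cost of fixing the defects, given the phase in which each was caught."""
    return sum(COST_PER_DESIGN_FIX * COST_MULTIPLIER[phase] * count
               for phase, count in defects_by_phase.items())


def apply_static_analysis(defects_by_phase, detection_rate, deploy_phase):
    """Model a tool deployed at deploy_phase that catches a fraction of the
    defects that would otherwise surface in every later phase."""
    order = list(COST_MULTIPLIER)
    after = dict(defects_by_phase)
    moved = 0
    for later in order[order.index(deploy_phase) + 1:]:
        caught = int(round(after.get(later, 0) * detection_rate))
        after[later] = after.get(later, 0) - caught
        moved += caught
    after[deploy_phase] = after.get(deploy_phase, 0) + moved
    return after


def business_case(baseline, detection_rate, deploy_phase, tool_cost):
    """Before/after fix cost, gross savings and net savings after the tool's cost."""
    after = apply_static_analysis(baseline, detection_rate, deploy_phase)
    before_cost = total_fix_cost(baseline)
    after_cost = total_fix_cost(after)
    return {"before": before_cost, "after": after_cost,
            "savings": before_cost - after_cost,
            "net": before_cost - after_cost - tool_cost,
            "defects_after": after}


if __name__ == "__main__":
    # Assumed: the tool catches 60% of later-phase defects at integration, costing $50,000.
    print(business_case(BASELINE, 0.6, "integration", 50000.0))
```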

Some interesting resources include findbugs, hammurapi, lapse, and code crawler. Out of the box, these tools may identify hot-spots that need additional analysis rather than actual issues with the code. So the static analysis tools will both help identify real problems and point out areas that may require more in-depth analysis.

You can find Allison’s slide deck here once it’s posted.



~ by Andy on April 2, 2008.
