Wednesday, November 14, 2012

Code Reviewing in Software Development Lifecycle

Overview


Software vulnerabilities is a reality in today's world. Every day we can read news in Information Security magazines and websites reporting a zero-day vulnerability. Software vulnerabilities occur due to numerous reasons, but the most significant are: lack of security awareness of developers and deadline pressure. Lack in awareness of security issues is usually depicted in some statements such as: "We will not get hacked", "Our services reside on internal network", "We trust our internal users (eg employees, partners)", "We have a very expensive web application firewall (waf) protecting us", etc. But nowadays, when industrial espionage is a reality, trust can cost money and reputation.
 
Code review generally is the process when examining the source code of an application for vulnerabilities. It is a necessity in order to develop secure software and contributes in the Software Development Life Cycle (SDLC). We can examine one of the most famous SDLC guide providing guidelines in developing secure software: Microsoft Security Development Lifecycle (SDL).
 

Security flavour in SDL

The phases of Microsoft SDL:
 
 
Security is integrated in almost all phases. Further details can be found on SDL's website.
Code review resides mainly in "Verification" phase. In SDL website, Microsoft provides a list of tools for code reviewing, but in this current article I am going to present a demo of Yasca, an open source code review tool.
 

Yasca

From Yasca website:
"Yasca is a source code analysis tool that I started writing in 2007. It could best be described as a "glorified grep script" plus an aggregator of other open-source tools.
Yasca can scan source code written in Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, and other languages."
 
The main advantage of Yasca is that collaborates perfectly with a wide list of static code review tools such as: FindBugs, PMD, JLint, JavaScript Lint, PHPLint, CppCheck, ClamAV, RATS, Pixy.
Personally, I have installed Yasca in a Windows 7 Ultimate and works perfectly in command line, whereas I have abandoned the installation in Backtrack 5 R3 because of numerous errors.
 

Demo

I extracted the vulnerable code (guess from where?! Of course from OWASP broken web applications VM where there is a tone of vulnerable code just waiting to be hacked!). The vulnerable code is from WebGoat web application found on the path:
/owaspbwa/WebGoat-svn/src/main/java/org/owasp/webgoat/lessons
 
Here is a sample of Yasca's report:
 
 
 

Wrap-up

Code review should be included in every software deployment project. It is an essential safeguard in order to produce secure software and minimize the risk from potential vulnerabilities. Besides, we should always apply security techniques in every layer of our web application (code review, web application firewall, access control, etc).
 
  

Further reading

 

2 comments:

  1. Planning is an objective of each and every activity, where we want to discover things that belong to the project and more useful for SDLC.

    ReplyDelete
  2. Thank you very much to describe Software Development Life cycle trow this page. It will be very helpful for me.

    .Net Application Development

    ReplyDelete