Static Analysis Tools


December 2004


Security:

Secure software is paramount in today's applications; this is why software development companies should use every tool possible to secure their applications before release. If the application is not properly secured, hackers will use any tool available to find and exploit security vulnerabilities.

Static analysis tools that scan source code for security vulnerabilities have become a standard part of the hacker's toolkit for quickly assessing an application for exploitable security vulnerabilities. Once a machine has been compromised, often the first thing stolen is any available source code and intellectual property. Once a hacker can view the source code, they can analyze it manually line by line to discover possible vulnerabilities, or automate the process with a static analysis tool.

Most static analysis tools generate easy-to-read reports that show the exact line of the rule infraction. Once a piece of possibly vulnerable code has been found, the hacker can look for ways to execute it that the developer or tester did not anticipate. If the code can be forced into an unexpected state, the hacker may be able to exploit it and gain the ability to run arbitrary code on the targeted server or desktop.
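As an added illustration of the rule-plus-line-number reporting described above (not code from the original article or from any product it mentions), here is a minimal rule-based scanner in Python. The rule set, the rule ids and the sample C file are constructed for this example; a real tool carries far more rules and a proper parser.

```python
import re

# Hypothetical rule set (not any real tool's): (id, pattern, message) for three
# classic unbounded C calls. A real scanner carries hundreds of such rules.
RULES = [
    ("C-STRCPY", re.compile(r"\bstrcpy\s*\("), "unbounded copy; use strlcpy/strncpy with an explicit size"),
    ("C-GETS", re.compile(r"\bgets\s*\("), "cannot limit input length; use fgets"),
    ("C-SPRINTF", re.compile(r"\bsprintf\s*\("), "may overflow its buffer; use snprintf"),
]
_SAME_LINE_COMMENT = re.compile(r"//.*$|/\*.*?\*/")

def scan_source(source, rules=RULES):
    """Return (line_number, rule_id, message) per rule hit, 1-indexed. Comments are
    stripped first so a strcpy() in a comment is not reported; string literals are not parsed."""
    findings, in_block = [], False
    for lineno, line in enumerate(source.splitlines(), start=1):
        if in_block:                      # still inside a /* ... */ opened on an earlier line
            end = line.find("*/")
            if end < 0:
                continue
            line, in_block = line[end + 2:], False
        line = _SAME_LINE_COMMENT.sub("", line)
        start = line.find("/*")           # block comment that runs past this line
        if start >= 0:
            line, in_block = line[:start], True
        for rule_id, pattern, message in rules:
            if pattern.search(line):
                findings.append((lineno, rule_id, message))
    return findings

def format_report(filename, findings):
    """Render findings as file:line lines, the form most scanner reports use."""
    return [f"{filename}:{n}: [{rid}] {msg}" for n, rid, msg in findings]

# Constructed sample input, not code from any real project.
SAMPLE_C = """#include <stdio.h>
#include <string.h>

/* strcpy() named in this comment must not be reported */
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);
}

int main(void) {
    char buf[64];
    gets(buf);  // unbounded read into a fixed buffer
    snprintf(buf, sizeof buf, "%s", "ok");  /* bounded, not reported */
    return 0;
}
"""
```

Calling `format_report("sample.c", scan_source(SAMPLE_C))` reports lines 6 and 11 only; the strcpy() inside the comment and the bounded snprintf() are left alone, which is exactly the triage a reviewer wants before any fix is attempted.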

After a hacker uses static analysis tools to find an exploit, he will often publish proof-of-concept code on popular hacking sites such as securityfocus.com and packetstormsecurity.com, and on other lesser-known underground sites. Proof-of-concept code is example source which, when executed, performs the exploit against a remote server. Such code can be used to help convince companies to change software providers or, in the worst case, to create a worm, trojan or virus that could cost a company enormous amounts of money in damages and repairs.

We suggest that all software development companies run static analysis tools on their source code. Never assume that a hacker will be unable to steal your source code. By running static analysis on your code you are building defense in depth against malicious attack. A thorough analysis and a series of bug fixes will render this class of tool useless in the hands of a hacker.


Provided by: Security Innovation, The Application Security Company