Scanning for Web Application Vulnerabilities versus Static Source Code Audits: Choosing the Most Appropriate Solution
There are quite a few terms floating around the web application security space and sometimes it can be challenging to understand exactly what a specific term means and how it might relate to similar terms.
One such example that we were asked about recently was the term “source code audit”. We thought we’d provide an overview of what exactly a source code audit is and how its use can vary depending on your particular situation.
It might also be helpful to understand how source code audits fit into your overall security posture, and how they can be used alongside a web application security scanner to identify and eliminate as many web application vulnerabilities as possible.
What is a Source Code Audit?
Source code audits are a structured method of analyzing and assessing the source code of a website, web application, web service or any other piece of software. Most often, this process is carried out during development or just prior to the application entering a production environment.
While source code audits can serve purposes other than looking for security flaws and vulnerabilities, such as finding bugs or assessing adherence to best practices, for the purposes of this article we’ll be talking about static code analysis as it relates to assessing security vulnerabilities in a static environment (i.e. the application is not running). One note on terminology: in the industry the abbreviation “SCA” usually refers to software composition analysis (inventorying third-party components), while the static security review described here is normally abbreviated SAST (static application security testing).
In most situations, code audits involve a combination of manual analysis and automated tools. A good auditor typically has deeper knowledge of security flaws than the developers themselves, and examining the source directly lets them apply that knowledge to the exact code paths that handle untrusted input.
Auditors frequently use automated tools that scan code and produce a detailed report. Some tools cover multiple languages, such as VisualCodeGrepper; others are language specific, such as RIPS (PHP), FlawFinder (C/C++) or Brakeman (Ruby on Rails). There are also tools that integrate with the development environment and flag issues as the code is written, further streamlining the process.
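To make the idea concrete, here is a small static check in the spirit of those tools. It is an example added to this article, not code from any of the tools named above, and it scans Python rather than PHP, C or Ruby: it parses the source into an abstract syntax tree and flags every execute() call whose SQL text is assembled at runtime from non-literal parts (concatenation, %-formatting, str.format() or an f-string). The sample module it scans is constructed for the demonstration, and the function names in it are ours.

```python
"""Toy static checker, written for this article (not one of the tools named
above): it parses Python source with the standard-library ast module and
flags DB-API execute() calls whose query is built at runtime by string
concatenation, %-formatting, str.format() or an f-string."""
import ast
import sys

# Constructed sample module: two unsafe queries and one parameterised one.
SAMPLE_SOURCE = '''
import sqlite3

def find_user_bad(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchone()

def find_user_good(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchone()

def find_user_fstring(conn, name):
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'")
'''

SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE")


def looks_like_sql(node):
    """True if any string literal inside the expression starts with a SQL verb."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            if sub.value.lstrip().upper().startswith(SQL_KEYWORDS):
                return True
    return False


def is_dynamic(node):
    """True if the expression's value is assembled from non-literal parts."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.JoinedStr):                        # f"...{x}..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return is_dynamic(node.left) or is_dynamic(node.right)  # "..." + x, "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        if node.func.attr == "format":                         # "...{}".format(x)
            return True
    return True   # names, attributes, other calls: value unknown at analysis time


class _Finder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []
        self._func = "<module>"

    def visit_FunctionDef(self, node):
        outer, self._func = self._func, node.name   # track the enclosing function
        self.generic_visit(node)
        self._func = outer

    def visit_Call(self, node):
        f = node.func
        if (isinstance(f, ast.Attribute) and f.attr in ("execute", "executemany")
                and node.args):
            query = node.args[0]
            if looks_like_sql(query) and is_dynamic(query):
                self.findings.append((node.lineno, self._func))
        self.generic_visit(node)


def find_sql_concat(source):
    """Return (line, enclosing function) for each dynamically built SQL query."""
    finder = _Finder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    # Usage: python sqlcheck.py [file.py]; scans the embedded sample by default.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SOURCE
    for lineno, func in find_sql_concat(src):
        print(f"line {lineno} in {func}(): SQL query built from untrusted parts")
```

Against the embedded sample it reports lines 6 and 15 (the concatenated and f-string queries) and stays silent on the parameterised one. The check is deliberately syntactic: it cannot tell whether the variable being concatenated actually carries user input, which is exactly the kind of judgement the human half of a code audit supplies and the reason automated static tools produce false positives that someone has to triage.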
How Does A Source Code Audit Differ From a Web Application Security Scanner?
In this post, we’re looking at source code audits as a process that happens in the context of a static environment. While there is nothing inherently wrong with this process, it’s inevitable that a web application will eventually move from development to a live environment.
There are two key differences between a source code audit and a web application security scanner that are important to be aware of:
- Once a web application goes live, it makes sense that testing should also occur in that live environment. This is a key differentiator between static source code audits and web application security scanners: scanners work against the running application, attempting to identify security vulnerabilities in real time and, where possible, confirm them by exploiting them.
- The second difference (a nuance of the first) is that a source code audit looks at the actual source code in an attempt to uncover errors or vulnerabilities. A web application security scanner doesn’t look at the code. Instead, it attacks and probes the web application itself from the outside, which is why scanners are also called black-box scanners.
While a source code audit is specifically looking at the code, a penetration tester could choose to review the code or attempt to penetrate the public-facing part of the web application in the same way that a hacker would.
This is a concept that’s often referred to as “hacking your website first” and is something that web application scanners do very well — effectively emulating a hacker by attacking the front-end of the web application.
Is A Source Code Audit Better Than A Web Application Security Scanner?
The answer to this question is both yes and no. As with most web application security issues, there’s never a “one size fits all” solution. In almost all situations, the ideal approach is one which is multi-faceted.
Strengths & Weaknesses of Source Code Auditing:
Source code audits offer several benefits. When completed properly, they are performed by auditors who are highly skilled and who have extensive knowledge of both the applicable programming language and a wide variety of security vulnerabilities.
Source code audits also require knowledge of third-party software libraries, because they are used so widely, regularly turn out to contain security flaws (including previously unknown, 0-day ones), and are often not kept at the most current and secure version by the developers who depend on them.
The degree of knowledge required can also present some challenges. Not every auditor will be capable of auditing your web application. There are simply too many languages for any one person to become proficient in more than a handful.
By their very nature, source code audits are time intensive. If you assume that a skilled and knowledgeable auditor is capable of reviewing a few modules of code per day, it’s easy to see how costs can add up quickly — time and money are always two important concerns during the development process.
But speed and cost are not the only two things you should worry about. Auditors are human, which means they’re prone to making the occasional mistake. Although they start each day with a fresh set of eyes, six hours later the odds have increased dramatically that they might overlook an inconspicuous error, possibly one which creates a critical vulnerability.
One last consideration, especially in relation to static audits, is that once a web application is pushed to a live environment, the codebase often changes shortly thereafter. Updates, new features and third-party libraries are released on a regular basis. As a result, the initial source code audit can quickly become out of date. Automated static tools can be re-run on every change, but a manual audit cannot be repeated at that cadence, so for ongoing testing it quickly becomes more cost efficient and effective to use a web application security scanner.
Strengths & Weaknesses of Web Application Security Scanners:
Web application security scanners, while not perfect, offer several advantages that are worth considering:
First, they are valuable tools for scanning a web application or website in a live environment, emulating the actions of a hacker in an attempt to exploit vulnerabilities.
Because they are automated, web application security scanners are extremely proficient at identifying SQL injection, cross-site scripting, CSRF and other flaws that leave a recognisable signature in the application’s responses. At the same time, they are not an ideal choice for identifying logical web application vulnerabilities: flaws in business rules that produce no error message and no anomalous response. This makes them an ideal accompaniment to both source code audits and manual penetration testing.
Beyond their natural compatibility with manual penetration testing and source code audits, web application security scanners also offer a wide variety of additional benefits, including scalability, ease of use, the ability to manage large teams and projects, and the speed with which they can scan large and complex web applications.
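To show the black-box approach described earlier (a scanner that attacks and probes the running application rather than reading its code) and the limitation with logical flaws noted in the previous paragraph, here is a toy probe added to this article; it is not any vendor’s scanner. It starts a small, deliberately vulnerable web application that we constructed for the demonstration, then tests it purely from the outside through its HTTP responses, never its source. The endpoint and parameter names are assumptions of the example.

```python
"""Toy black-box probe, written for this article (not any vendor's scanner).
It serves a deliberately vulnerable local app, constructed for the demo, and
then tests it from the outside exactly as a scanner would: by sending payloads
and reading responses, never the source."""
import sqlite3
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def _make_db():
    db = sqlite3.connect(":memory:", check_same_thread=False)
    db.executescript("CREATE TABLE users(id INTEGER, name TEXT);"
                     "INSERT INTO users VALUES (1, 'alice'), (2, 'bob');")
    return db


class VulnApp(BaseHTTPRequestHandler):
    """Constructed target: one SQLi, one reflected XSS, one business-logic flaw."""
    db = _make_db()

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(url.query)
        status = 200
        if url.path == "/search":       # SQL injection: query built by concatenation
            name = q.get("name", [""])[0]
            try:
                rows = self.db.execute(
                    "SELECT id FROM users WHERE name = '" + name + "'").fetchall()
                body = f"ids: {rows}"
            except sqlite3.Error as exc:
                body = f"database error: {exc}"
        elif url.path == "/hello":      # reflected XSS: parameter echoed unescaped
            body = f"<p>Hello {q.get('user', [''])[0]}</p>"
        elif url.path == "/checkout":   # logic flaw: negative quantity accepted
            try:
                qty = int(q.get("qty", ["1"])[0])
            except ValueError:
                qty = 1
            body = f"total: {10 * qty}"
        else:
            status, body = 404, "not found"
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):       # silence per-request logging
        pass


def start_app():
    """Serve VulnApp on a random loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), VulnApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def fetch(base, path, **params):
    url = base + path + "?" + urllib.parse.urlencode(params)
    return urllib.request.urlopen(url, timeout=5).read().decode()


XSS_CANARY = "<zz9canary>"


def probe(base, path, param):
    """Scanner-style checks against one parameter; returns the set of findings."""
    findings = set()
    # Reflected XSS: the canary comes back with its angle brackets intact.
    if XSS_CANARY in fetch(base, path, **{param: XSS_CANARY}):
        findings.add("xss")
    # Error-based SQLi: a lone quote surfaces a database error message.
    if "database error" in fetch(base, path, **{param: "'"}).lower():
        findings.add("sqli-error")
    # Boolean-based SQLi: a tautology and a contradiction yield different pages.
    # The payload is stripped from each response so plain reflection of the
    # input (as on /hello) does not count as a difference.
    true_p, false_p = "x' OR '1'='1", "x' OR '1'='2"
    true_r = fetch(base, path, **{param: true_p}).replace(true_p, "")
    false_r = fetch(base, path, **{param: false_p}).replace(false_p, "")
    if true_r != false_r:
        findings.add("sqli-boolean")
    return findings


def scan(base):
    """Probe every endpoint the scanner knows about; returns {path: findings}."""
    targets = [("/search", "name"), ("/hello", "user"), ("/checkout", "qty")]
    return {path: sorted(probe(base, path, param)) for path, param in targets}


if __name__ == "__main__":
    server, base_url = start_app()
    for path, found in scan(base_url).items():
        print(f"{path}: {found or 'nothing flagged'}")
    # The logic flaw is invisible to the generic payloads above:
    print("/checkout?qty=-3 ->", fetch(base_url, "/checkout", qty=-3))
    server.shutdown()
```

Run it and /search is flagged for SQL injection, /hello for reflected cross-site scripting, and /checkout for nothing at all, even though a negative quantity produces a negative total. The third endpoint is the business-logic case: no error message, no reflected payload, and identical responses to the tautology and contradiction payloads, so a generic probe has nothing to latch on to, while a code reviewer reading the price calculation or a human tester looking at the response to qty=-3 spots it immediately.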