  • VCG (VisualCodeGrepper) is an automated code security review tool for C++, C#, VB, PHP, Java and PL/SQL, intended to drastically speed up the code review process by flagging known bad or insecure code patterns
  • Steps for SCA with VCG:
    – Install and run the VCG tool
    – Select the language of your project
    – Browse to the project or file of interest and click Scan

Static Code Analysis using HP Fortify

  • Fortify Static Code Analyzer is an automated static code analysis tool that helps developers eliminate vulnerabilities and build secure software

Static Code Analysis using Rational AppScan Source Edition

  • AppScan Source is a static application security testing (SAST) solution which scans your application source code for security vulnerabilities

Selecting a Static Analysis Tool

  • Choosing the right static analysis tool for secure code review depends on several conditions:
    – The tool must support the programming language(s) the application is written in
    – The accuracy of the tool, measured by its false-negative and false-positive rates
    – The tool needs to understand the libraries and frameworks used in the application
    – It should integrate easily with the IDE used to develop the application
    – The time and effort required to set up the tool
    – The type of analysis the code review process requires
    – The license cost of the tool
  • Decide beforehand what type of static code analysis the code review requires

Manual Secure Code Review

  • Manual secure code review finds many security vulnerabilities that static code analysis misses, in particular business-logic and access-control flaws that have no obvious dangerous sink for a tool to pattern-match

Advantages
– Fewer false positives and false negatives
– A high percentage of vulnerabilities can be detected

Disadvantages
– Time-consuming process
– Requires a good understanding of the code under review
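As an added illustration of the point above (example code written for this page, not taken from VCG, Fortify or AppScan), the following shows a broken-access-control flaw of the kind automated static analysis tends to miss: the function has no SQL string, shell call or HTML output, so a taint-based scanner sees no sink to flag, and only a reviewer who knows that invoices belong to customers notices the missing ownership check. The invoice store, user ids and the two review-check helpers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data for this example: two customers, one invoice each.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=1, amount=120.00),
    1002: Invoice(invoice_id=1002, owner_id=2, amount=75.50),
}


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """Before review. The caller is authenticated (current_user_id is known),
    but nothing checks that the invoice belongs to that user, so any logged-in
    customer can read any invoice by changing the id. There is no dangerous
    sink here, which is why a taint-based static analyzer has nothing to flag."""
    return INVOICES[invoice_id]


def get_invoice_fixed(current_user_id: int, invoice_id: int) -> Invoice:
    """After review: object-level authorization. A missing id and a foreign id
    raise the same error, so the endpoint also stops leaking which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        raise PermissionError("invoice not found or not owned by caller")
    return invoice


Lookup = Callable[[int, int], Invoice]


def cross_tenant_read_allowed(lookup: Lookup) -> bool:
    """Review check: can user 1 read invoice 1002, which belongs to user 2?"""
    try:
        return lookup(1, 1002).owner_id != 1
    except PermissionError:
        return False


def leaks_existence(lookup: Lookup) -> bool:
    """Review check: does a foreign id behave differently from an unknown id?
    If it does, an attacker can enumerate valid invoice numbers."""
    def outcome(invoice_id: int) -> str:
        try:
            lookup(1, invoice_id)
            return "returned"
        except PermissionError:
            return "denied"
        except KeyError:
            return "missing"
    return outcome(1002) != outcome(9999)


if __name__ == "__main__":
    for name, fn in (("vulnerable", get_invoice_vulnerable), ("fixed", get_invoice_fixed)):
        print(f"{name}: cross-tenant read={cross_tenant_read_allowed(fn)}, "
              f"leaks existence={leaks_existence(fn)}")
```

The two check functions encode what the reviewer is actually asking of the code (can one customer read another's record, and does the error path reveal which ids exist); the vulnerable version fails both, the fixed version passes both, and neither question is answerable by looking for dangerous function calls.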

Code Review for PCI DSS Compliance

  • PCI DSS compliance is checked against the list of PCI DSS requirements; review the application's code against each applicable requirement
  • PCI DSS requirement 6.5 requires that applications be developed to prevent common coding vulnerabilities, listed (with the numbering used in PCI DSS v1.x; later versions renumber and revise these sub-requirements) as:
  • 6.5.1 Unvalidated input
  • 6.5.2 Broken access control
  • 6.5.3 Broken authentication and session management
  • 6.5.4 Cross-site scripting (XSS) attacks
  • 6.5.5 Buffer overflows
  • 6.5.6 Injection flaws
  • 6.5.7 Improper error handling
  • 6.5.8 Insecure storage
  • 6.5.9 Denial of service
  • 6.5.10 Insecure configuration management