There are many reasons why software development companies do not spend enough time on security, and this ultimately turns into an underlying issue in the software market.
In addition, developers outnumber security staff by far. On average, the ratio of security group members to software development members is 1:75. Therefore, it can be difficult for companies to find the resources needed to apply security to any phase of the software development cycle, and it will be even more difficult to provide a list of fixes to the development team that will have to deal with tight deadlines and pressures from the business planning and strategy teams.
Not all development companies have the need, or the resources, to follow and implement all possible security considerations, but all companies must be able to guide their development processes so that they can progressively include security in them. However, for large companies with thousands of developers, the need to implement security in the development cycle is very high, but the efficiency of the processes can suffer an impact and consequently in the final results.
Lets try to illustrate this impact with numbers:
Lets say a big company with 2000 developers. It is decided to introduce a change in the development process that implies that each developer devotes 30 additional minutes per week to a specific task. This means a total of 1000 additional hours each week for the company as a whole. If the company wants to keep its deadlines, it must hire 25 full-time developers in order to meet them.
The real challenge, then, is that the changes intended to implement security mechanisms should be efficient for the development cycle and not prevent developers from doing their job on time.
Source code analysis attempts to evaluate the code of a program in order to find bugs and have them corrected before selling or distributing the product.
Secure code review is the most effective technique for identifying security errors at the beginning of the development cycle. In addition, the scope of the review can be significantly increased by adding automated and manual penetration tests.
It can be said that, if the code has not been checked for vulnerabilities, the probability of having security issues is almost 100%.
MITRE has catalogued more than 1000 different types of software vulnerabilities in the CWE (Common Weakness Enumeration) project. These vulnerabilities are different mistakes that developers can potentially make that ultimately can lead to a security problem. Many times these mistakes are made because software developers do not receive the right training on these vulnerabilities, either during their educational programs or in the workplace.
In fact, this is why there is a general feeling with the following argumentation: as many code developers are not aware or are not security experts, companies should implement secure code reviews between developers.
Code review aims to identify security flaws in a program related to its features and design, as well as the underlying causes.
With the increasing complexity of applications and the appearance of new technologies, the traditional way of finding security flaws may not detect all the security vulnerabilities in applications. It is essential to understand the application code, external components and configurations in order to have a clear vision of the project with the objective of finding the deficiencies. Such a deep immersion in the application code also helps determine the exact mitigation techniques that can be used to avoid security breaches.
Since this process manually can be very tedious and time consuming, the source code analysis tools, known as SAST (Static Application Security Testing), have been created to automate the process in order to find security flaws.
Automated source code analysis is basically an automatic debugging of code, with the goal of finding errors and bugs that may not be obvious to a developer.
No matter the size of a company, the reason for performing a secure code review is to find bugs and fix them before the end of the development phase. It is faster to perform a secure code review and find errors that way, as opposed to finding errors in testing or production.
Source code analysis tools have numerous advantages. These tools provide great scalability as they allow you to analyze large numbers of lines of code and can be analyzed on a continuous loop. In addition, they are useful for finding vulnerabilities that are more than proven that can be found automatically, such as SQL injections or buffer overflow attacks. They are also highly accurate because they show the specific problem, the file where it was found, and the exact line.
On the other hand, these tools greatly reduce the time that has to be spent on these types of tasks, and in this way help to reduce the costs of implementing security in the development cycle. A source code analysis tool could scan 50000 lines of code in less than 2 minutes. They can also help developers learn about their most common mistakes.
However, many vulnerabilities are difficult to find automatically, such as authentication problems, access control problems, insecure use of cryptography, etc. Current tools automatically find a relatively low percentage of such security flaws in applications. Therefore, if full security is desired, an approach including penetration tests should be adopted.
Finding a tool that fits our needs can be complicated, but there are plenty of free resources, such as the Awesome Static Analysis project (https://github.com/mre/awesome-static-analysis) whose goal is to create a collection of the various static analysis tools and quality code verifiers that are available, both open source tools and commercial tools.
No doubt, using tools that perform a source code review should be something that development companies should consider, not only with the aim of making their products more secure, but also with the aim of making the software market more secure. To carry out this task there is not a unique solution, but a variety of solutions that fit each company; and as always, this path is easier to walk hand in hand with a company that can offer consulting services and support.
