Automated application analysis gets better at stopping potential vulnerabilities

Rob Lemos, writer and analyst

Despite nearly two decades of attempting to eradicate software security bugs, vulnerabilities continue to cause headaches for application developers. Automated application analysis is increasingly helping developers eliminate flaws before they become vulnerabilities.

Earlier this month, for example, a vulnerability found in the web version of the popular WhatsApp mobile application gave attackers the ability to trick users into running malicious code. More than 200 million users could have been compromised by attackers because of the flaw, which was found by Check Point Software Technologies and fixed by WhatsApp in early September.

Every year, thousands of similar vulnerabilities are missed by developers and discovered by security researchers and other third parties. Nearly 8,000 software vulnerabilities were discovered in 2014, the most ever found in a single year, according to the National Vulnerability Database.

"Software companies have a need, an urgency to deliver products quickly," says Subbu Sthanu, director of mobile security and application security for IBM. "However, they need to realize that they are not testing the software adequately to find vulnerabilities."

To stem the rising tide of security issues, developers are increasingly turning to automated application analysis systems. Static, dynamic, and interactive application security testing (AST) tools can help programmers find software bugs before they turn into security vulnerabilities. More intelligence and the incorporation of more data help eliminate noisy false positives to allow developers to focus on the most serious issues first.

"The further down the line that a vulnerability gets, the more expensive it is to fix it," Sthanu says.

Automated analysis systems that incorporate security intelligence, and that draw on data from other programs containing an exemplary solution to a particular coding problem, can help catch and fix security issues before they ship as part of a software product.

"Within the next five years, we will see the emergence of software analysis systems that leverage terabytes of open source software to automatically learn from the mistakes of the past and prevent these from recurring in the future," says Jothy Rosenberg, associate director of the cyber systems group at Draper Laboratories, a technology research organization. "This includes all of the bugs, bug fixes, software vulnerabilities, and vulnerability repairs applied to these open source packages over the last three and a half decades."

Fighting against defects

Automation is necessary to blunt business trends that result in more vulnerabilities. At present, three business forces make it more likely that developers will create coding mistakes that lead to security flaws. First, companies typically lack the resources to perform extensive quality and security testing on their software. Additionally, most developers don't have the knowledge to create secure code or to spot the security flaws in code. Finally, companies focus their business priorities on speeding their products to market with the right features, rather than spending hours eliminating the security vulnerabilities that could result in a later compromise.

Those same trends are driving the need for automation, because automation results in consistent and quick detection of potential vulnerabilities, said IBM's Sthanu.

"There is a priority to get your apps out there, and security slows you down," he said. "So security needs to be fast."

Finding and fixing vulnerabilities before code is released is important, because companies can't fix every vulnerability, and attackers typically find the security holes missed by the defenders. Almost all—99.9 percent—of the vulnerabilities used by attackers to compromise business computers are more than a year old, according to Verizon's latest Data Breach Investigations Report.

Consistency and speed

Bad programming practices can have a widespread impact on programs. An application developed for the manufacturing sector typically has the highest density of high-severity flaws, more than 50 flaws per megabyte of code, followed by technology, with 29 high-severity flaws per megabyte, according to the latest State of Software Security report by application security firm Veracode.

Automated analysis systems can bring a consistent approach to finding flaws and training developers not to make the same mistakes. Once a pattern of defect is understood, a system can catch the problem every time.

In 2014, for example, the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University used automated scanning to find applications in the Google Play store that had man-in-the-middle vulnerabilities. This led to the identification of 1,400 vulnerabilities—as identified by the Common Vulnerabilities and Exposures (CVE) identifier—in thousands of Android applications.

Because such systems have historically alerted developers to defects that aren't true vulnerabilities, there's a lot of mistrust, says Draper's Rosenberg.

It's a challenge to get "software developers to trust automated software analysis and repair tools," he says. "It took two decades to get software developers to trust optimizing compilers—we got there, but it took a long time. Today's developers have learned to trust their tools and won't be so skeptical of this next major innovation for automated software analysis and repair."

More intelligence and more data

With the explosion of web and mobile applications, more self-trained developers are programming and, in many cases, repeating the mistakes of their predecessors. However, the next generation of automated systems promises to be smarter and to learn from the vast volumes of code that already exist.

IBM has focused on building more intelligent systems. Draper Laboratories is developing a new system, dubbed DeepCode, that aims not only to recognize certain patterns of flaws but also to mine the vast landscape of existing programs for code that solves those problems.

Yet these approaches aren't fully realized. False positives are still a significant problem for automated analysis systems: the machines tend to alert on many software defects that are not true threats. Additionally, most automated systems can handle only a small number of vulnerability patterns, and learning new patterns of vulnerabilities is difficult.

"With program analysis, context matters; our challenge is to automatically identify which software patterns constitute bugs and security vulnerabilities depending on where they show up in the program," Draper's Rosenberg says.
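The two points above, that a well-understood defect pattern can be caught every time and that context decides whether a match is a real finding or a false positive, can be shown with a small pattern-based checker. This is an added illustration, not code from IBM, Draper or DeepCode; it uses Python's standard `ast` module and a constructed sample file, and flags `subprocess` calls with `shell=True` only when the command string is computed rather than a literal:

```python
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    message: str


class ShellTrueChecker(ast.NodeVisitor):
    """One defect pattern: subprocess.<func>(cmd, shell=True) with a computed cmd.

    The context check (literal vs. computed argument) is what keeps the rule
    from firing on safe uses and generating the noise developers distrust.
    """
    SUBPROCESS_FUNCS = {"call", "run", "Popen", "check_output", "check_call"}

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"
                and func.attr in self.SUBPROCESS_FUNCS):
            shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                             and kw.value.value is True for kw in node.keywords)
            # Context: a literal command cannot be influenced by input, so skip it.
            if shell_true and node.args and not isinstance(node.args[0], ast.Constant):
                self.findings.append(Finding(
                    node.lineno, "shell-injection",
                    f"subprocess.{func.attr} with shell=True and a computed command"))
        self.generic_visit(node)


def scan(source: str):
    """Parse source text and return the list of findings for the rule above."""
    checker = ShellTrueChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample input: one true positive and two safe uses.
SAMPLE = '''
import subprocess
def ping(host):
    subprocess.call("ping -c 1 " + host, shell=True)   # computed: flagged
def list_tmp():
    subprocess.call("ls /tmp", shell=True)             # literal: not flagged
def safe_ping(host):
    subprocess.call(["ping", "-c", "1", host])         # no shell: not flagged
'''
```

Running `scan(SAMPLE)` reports only the `ping` function, on line 4 of the sample.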

In the end, automated systems can become a foundation for software security, creating a baseline that may not find every flaw but can prevent the same vulnerabilities from appearing again and again.
