The development of web applications necessitates comprehensive security assessments and testing. One type of security analysis that is imperative for web applications to undergo before being released into full production is a static analysis of the web application source code. The most unfortunate fact that came out of the WhiteHat Security Web Applications Security Statistics Report of 2016 was that the IT industry - which should have data security in mind more than other industries - had the most vulnerabilities, according to their findings.
Imperva, another organization that conducted web application security tests and assessments on a variety of websites, had similar findings in 2015. They also identified an increased growth of malicious cyber-attacks targeting web applications when compared to the statistics of the previous year. The attack vectors analyzed include SQL Injection (SQLi), Cross-Site Scripting (XSS), Directory Traversal, Remote File Inclusion (RFI), HTTP Parameter Pollution, Remote Code Execution (RCE), and File Upload (FU). These statistics reveal a pattern of ever-increasing attacks on web applications, making it more important for businesses to thoroughly test their web applications via a static source code review to ensure data security and minimize risks.
While dynamic tests offer a significant view of the vulnerabilities of your web application, static source code analysis allows your organization to identify security flaws in the code (e.g. weak encryption ciphers, hard-coded credentials, insecure coding, backdoors), giving you the opportunity to fix foundational problems that could result in high-risk security issues in the future. Security flaws associated with the implementation can be better understood at the code level, which allows for the efficient identification of security vulnerabilities and better solutions to those security flaws.
The coding of a web application - including both the front-end and back-end - determines how secure your web application will be, and how well it will hold up against an offensive front. Weak code introduces security holes (vulnerabilities) that can be exploited by a cyber-attacker. Software engineers need to identify the vulnerabilities typical of each programming language that they use to develop web applications. Insecure coding practices increase the overall risks to your business assets, and pass those security risks on to all end-users who utilize your web applications.
Protecting yourself and your customer base is necessary, and is a goal that is achieved only when using comprehensive security assessments, such as code reviews, that will ensure that your web application's entire attack surface is adequately protected. The effectiveness of a manual, static code review lies in its potential to identify poor coding practices that could introduce high-risk security holes into your web application. As most software engineers are not generally trained in security practices and secure coding, security engineers are better equipped with the skills to audit the code of a web application, ensure that it meets an appropriate security baseline, and identify vulnerabilities. This is a significant task, since web application vulnerabilities can critically weaken the infrastructure of your business. The WhiteHat security report also revealed that critical and high-risk vulnerabilities stayed unpatched for an average of 300 to 500 days respectively. The weak code associated with these security flaws can be identified by security engineers via a thorough source code review. Other security issues that are often present in web apps, and which can be identified through a source code review, are:
Lack of cryptographically secure hashing for passcodes could expose customer passwords to a cyber-criminal, which could have significant ramifications on your business.
Using a weak TLS configuration (such as the RC4 cipher instead of AES) could allow traffic to be revealed to an attacker using a packet sniffer and cipher-cracking tools. Even worse (and more common), using no encryption at all could allow unencrypted data to be sniffed and viewed by an attacker. This could also enable other issues such as man-in-the-middle attacks against both key exchange and sessions (e.g. session hijacking, also known as cookie hijacking).
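The first item above, insecure password storage, is the kind of flaw a code reviewer looks for in the authentication module. The following is an added example (not code from the original article) that places the weak pattern beside a hardened one using only the Python standard library: an unsalted, fast SHA-256 digest versus a salted, iterated PBKDF2-HMAC-SHA256 record with constant-time verification and a parameter-upgrade check. The iteration count, record format and function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed defaults for this example: raise the iteration count as far as
# your login latency budget allows, and record it with each hash so it can grow.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def weak_digest(password: str) -> str:
    """The flaw the review item describes: a fast, unsalted general-purpose hash.
    Every user with the same password gets the same digest, precomputed tables
    apply, and a leaked table can be brute-forced at GPU speed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened form: random per-user salt plus a deliberately slow, iterated KDF.
    The stored record carries its own parameters (assumed format for this example)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=KEY_BYTES)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time
    so the comparison does not leak how many leading bytes matched."""
    try:
        scheme, iterations, salt_b64, key_b64 = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                        int(iterations), dklen=len(expected))
    except (ValueError, TypeError):
        # Malformed record: treat as a failed login, never as a match.
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """Flag records hashed below the current policy so they can be upgraded
    transparently on the user's next successful login."""
    try:
        scheme, iterations, _salt, _key = stored.split("$")
        return scheme != "pbkdf2_sha256" or int(iterations) < PBKDF2_ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("hunter2")
    print("weak digest is the same for every user:", weak_digest("hunter2") == weak_digest("hunter2"))
    print("salted records differ per user:", record != hash_password("hunter2"))
    print("correct password verifies:", verify_password("hunter2", record))
    print("wrong password rejected:", verify_password("Hunter2", record))
```

Where a dependency is acceptable, a memory-hard function (scrypt, bcrypt or Argon2) is the better choice than PBKDF2; the structure shown here, a per-record salt, self-describing parameters, a constant-time compare and a rehash-on-login path, is the same for all of them and is what a reviewer should expect to find.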
According to the WhiteHat security report, the most significant security vulnerability found present in websites was insufficient transport layer protection. Insufficient transport layer protection stems from either poor or non-existent encryption of communications between servers and clients. Attackers can then use sniffers to intercept communications sent in plaintext and access sensitive data, such as usernames and passwords, when they are transmitted.
Static application security testing (SAST) - a suite of tools and scanning techniques for testing an application for vulnerabilities - is a powerful set of tools for conducting security audits on applications. However, it does not replace the need for a thorough manual code review done by a security specialist, as a code review allows security personnel to deeply dissect and analyze the code of an application line by line to determine if security flaws are present.
Such a manual code review is as important as SAST for comprehensive web app testing. Combining static application security testing with manual code reviews helps identify application vulnerabilities and thus presents a powerful defensive front against potential cyber-attacks by mitigating threats before they can appear. Another advantage of using manual code reviews is the elimination of false positives. Automated tools often report false positives: findings raised against code that does not actually contain a security vulnerability. Experienced security engineers can identify these false positives and remove them from the resulting report, helping developers and software engineers remain focused on actual issues.
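To make the SAST-plus-triage workflow concrete, here is an added example (not code from the original article or from any particular SAST product) of a minimal pattern-based scanner run over constructed source files. It flags three of the flaw classes discussed above, hard-coded credentials, weak hash functions and plaintext HTTP endpoints, and then applies the context rules a reviewer would use to mark likely false positives such as a loopback URL or an MD5 cache key. The rule set, the file contents and the triage heuristics are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    severity: str
    code: str
    review_note: str = ""  # non-empty once triage suspects a false positive


# Constructed rules: (name, severity, pattern). Real tools carry far more.
RULES = [
    ("hard-coded-credential", "high",
     re.compile(r'(?i)\b(password|passwd|secret|api_key|token)\s*=\s*["\'][^"\']+["\']')),
    ("weak-hash", "medium", re.compile(r"\bhashlib\.(md5|sha1)\s*\(")),
    ("plaintext-http", "medium", re.compile(r'["\']http://[^"\']+["\']')),
]
LOOPBACK = re.compile(r"http://(localhost|127\.0\.0\.1)\b")


def scan_source(path: str, source: str) -> List[Finding]:
    """The automated pass: report every line matching a rule, with no judgement."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.strip()
        if code.startswith("#"):
            continue  # comments cannot execute; skip them
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule, severity, code))
    return findings


def triage(findings: List[Finding]) -> List[Finding]:
    """The manual-review pass, reduced to a few context rules a reviewer applies:
    each note records why the finding is probably not a real vulnerability."""
    for f in findings:
        if f.rule == "plaintext-http" and LOOPBACK.search(f.code):
            f.review_note = "loopback URL; traffic never leaves the host"
        elif f.rule == "weak-hash" and "password" not in f.code.lower():
            f.review_note = "md5/sha1 on non-credential data; confirm it is not security-sensitive"
        elif f.path.startswith("tests/"):
            f.review_note = "test fixture; confirm the value is not a real credential"
    return findings


def confirmed(findings: List[Finding]) -> List[Finding]:
    """Findings that survive triage and should reach the developers' report."""
    return [f for f in findings if not f.review_note]


# Constructed sample files: each line is chosen to exercise one rule or one triage case.
SAMPLE_FILES: Dict[str, str] = {
    "app/db.py": """import hashlib
import os
DB_URL = "http://db.internal:5432"
password = "hunter2"
api_key = os.environ["API_KEY"]
def credential_digest(password):
    return hashlib.md5(password.encode()).hexdigest()
def cache_key(body):
    return hashlib.md5(body).hexdigest()
HEALTH_URL = "http://localhost:8080/health"
""",
    "tests/test_login.py": """password = "test-only-secret"
""",
}


def run_scan(files: Dict[str, str] = SAMPLE_FILES) -> List[Finding]:
    findings: List[Finding] = []
    for path, source in files.items():
        findings.extend(scan_source(path, source))
    return triage(findings)


if __name__ == "__main__":
    for f in run_scan():
        status = "REVIEW: " + f.review_note if f.review_note else "CONFIRMED"
        print(f"{f.path}:{f.line_no} [{f.severity}] {f.rule} -> {status}")
```

On the constructed input the scanner raises six findings; triage leaves three confirmed (the plaintext database URL, the hard-coded `password`, and MD5 applied to a password) and annotates the other three for a human decision rather than silently dropping them, which is the behaviour the paragraph above argues for: the tool finds candidates quickly, the reviewer decides which are real.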