STATIC ANALYSIS REPORT
UNDERSTANDING THE POTENTIAL VULNERABILITIES IN YOUR ORGANIZATION IS CRITICAL FOR BUILDING A RISK MANAGEMENT PROGRAMHE WHITEHAT 2016 WEB APPLICATION SECURITY REPORT DETAILS, THE WEB SITES THEY ANALYZED CONTAINED A MINIMUM OF 5 VULNERABILITIES PER SITE
Imperva, another organization that conducted web application security tests and assessments on a variety of websites, had similar findings in 2015. They also identified an increased growth of malicious cyber-attacks targeting web applications when compared to the statistics of the previous year. The attack vectors analyzed include SQL Injection (SQLi), Cross-Site Scripting (XSS), Directory Traversal, Remote File Inclusion (RFI), HTTP Parameter Pollution, Remote Code Execution (RCE), and File Upload (FU). These statistics reveal a pattern of ever-increasing attacks on web applications, making it more important for businesses to thoroughly test their web applications via a static source code review to ensure data security and minimize risks.
While dynamic tests offer a significant view of the vulnerabilities of your web application, static source code analysis allows your organization to identify security flaws in the code (e.g. weak encryption ciphers, hard-coded credentials, insecure coding, backdoors), giving you the opportunity to fix foundational problems that could result in high-risk security issues in the future. Security flaws associated with the implementation can be better understood at the code level, which allows for the efficient identification of security vulnerabilities and better solutions to those security flaws.
WE CHECK FOR INSECURE PASSWORD STORAGE,
POOR CRYPTOGRAPHY PRACTICES AND HARD CODE CREDENTIALS
INSECURE PASSWORD STORAGE
Protecting yourself and your customer base is necessary, and is a goal that is achieved only when using comprehensive security assessments, such as code reviews, that will ensure that your web application's entire attack surface is adequately protected. The effectiveness of a manual, static code review lies in its potential to identify poor coding practices that could introduce high-risk security holes into your web application. As most software engineers are not generally trained in security practices and secure coding, security engineers are better equipped with the skills to audit the code of a web application to ensure that it meets an appropriate security baseline and identify vulnerabilities. This is a significant task since web applications vulnerabilities can critically weaken the infrastructure of your business. The WhiteHat security report also revealed that critical and high-risk vulnerabilities stayed unpatched for an average of 300 to 500 days respectively. The weak code associated with these security flaws can be identified by security engineers via a thorough source code review. Other security issues that often present in web apps, which can be identified through a source code review, are:
Lack of cryptographically secure hashing for passcodes could expose customer passwords to a cyber-criminal, which could have significant ramifications on your business.
Using a weak version of TLS (such as RC4 instead of AES) could allow traffic to be revealed to an attacker using a packet sniffer and an encryption-cracker. Even worse (and more common), using no encryption at all could allow unencrypted data to be sniffed and viewed by an attacker. This could also allow other issues such as Man-in-the-middle attacks for both cryptographic keys and sessions (e.g. session hijacking, also known as cookie hijacking).
According to the WhiteHat security report, the most significant security vulnerability found present in websites was insufficient transport layer protection. Insufficient transport layer protection stems from either poor or non-existent encryption of communications between servers and clients. Attackers can then use sniffers to intercept communications sent in plaintext and access sensitive data, such as usernames and passwords, when they are transmitted.
WE COMBINE STATIC APPLICATION SECURITY TESTING (SAST)
AS WELL AS MANUAL SOURCE CODE REVIEWS
SAST COMBINED WITH MANUAL SOURCE CODE REVIEWS
Such a manual code review is as important as SAST for comprehensive web app testing. Combining static application security testing with manual code reviews helps identify application vulnerabilities and thus presents a powerful defensive front against potential cyber-attacks by mitigating threats before they can appear. Another advantage for utilizing manual code reviews is the elimination of false-positives. Automated tools often report false positives, which are pieces of code which do not present security vulnerabilities but are reported by security tools. Experienced security engineers can identify these false-positives and remove them from the resulting report, helping developers and software engineers remain focused on actual issues.