Because many security vulnerabilities are due to poor programming practices, a number of research groups have started to publish lists of common coding problems. The list by the SANS Institute and MITRE is a useful example. The first list in 2009 had 25 common problems, but newer versions have added more.

Examples of some of the coding problems from the original SANS list that cause security flaws include the following:
• Buffer overflows
• Cross-site scripting
• SQL injections
• Operating system command injections
• Uploading hazardous file types
• Improper controls for file names
• Integer overflow or wraparound
• Downloading reusable code without validation
• Failure to authenticate critical features
• Encrypting data using algorithms that have been hacked
Readers are recommended to go to the SANS website and read the latest version.
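Two of the listed problems, integer wraparound and buffer overflow, often occur together: an unchecked multiplication in a size computation wraps to a small value, the allocation is undersized, and a later copy overruns it. This is exactly the kind of pattern static analysis checkers flag. The following C code is an added illustration, not taken from the book or from any of the tools it names; the record-table scenario and all values are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed scenario: a table of `count` fixed-width records is
 * allocated as count * width bytes. If the multiplication wraps,
 * the allocation is far smaller than the data later copied into it. */

/* The vulnerable computation: size_t arithmetic wraps silently, so a
 * large count produces a tiny byte count (integer wraparound). */
size_t unchecked_size(size_t count, size_t width) {
    return count * width;
}

/* The hardened computation: returns 1 and stores the product only when
 * it fits in size_t; returns 0 when it would wrap. */
int checked_size(size_t count, size_t width, size_t *out) {
    if (width != 0 && count > SIZE_MAX / width) {
        return 0; /* would wrap: refuse rather than under-allocate */
    }
    *out = count * width;
    return 1;
}

/* Allocate the record table, or return NULL on wraparound or allocation
 * failure, so no undersized buffer is ever handed back to the caller. */
unsigned char *alloc_records(size_t count, size_t width) {
    size_t bytes;
    if (!checked_size(count, width, &bytes)) {
        return NULL;
    }
    return calloc(bytes, 1);
}
```

With count = SIZE_MAX / 2 + 2 and width = 2, the unchecked product wraps to 2 bytes on any size_t width, while the checked version rejects the request.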
A number of static analysis tools have started to include or beef up checks for security flaws in common languages such as Java, C, C#, SQL, and the like. Some older languages such as Ada, COBOL, and FORTRAN are also covered by static analysis. However, out of the current total of 2,500 known programming languages, only about 25 are covered by all of the static analysis tools put together.
A few samples of static analysis tools with security checks include CAST Software, Checkmarx, Code Armor, CodeSonar, Coverity, FindBugs, HP Fortify, IBM AppScan analyzer, Intel static analysis, Klocwork, Parasoft, VeraCode, and XTRAN.
There are many more static analysis tools. In fact, that market seems to be getting crowded, and the vendors need some new tricks to differentiate themselves. It would probably be a smart business move for the larger static analysis tools to expand by offering text readability tools, text static analysis, inspection support, mathematical test-case design, test and static analysis coverage tools, cyclomatic