You can't secure what you don't acknowledge.

Tuesday, March 10, 2015

Using Checkmarx CxSuite to outline "the rest of the story" regarding application security

When it comes to Web application and mobile app security, can you honestly say you know where everything stands? Do you know, as American radio personality Paul Harvey used to put it, the rest of the story?
 
You can run Web vulnerability scans, perform manual mobile app analysis, and the most in-depth penetration testing possible. You can look at things from the perspectives of unauthenticated attackers, trusted users, and all the angles in between using Web proxies, forensics tools, and network analyzers. Still, that's not everything.

You haven't looked at the entire picture if you haven't looked at your application's source code using an automated source code analyzer such as Checkmarx's CxSuite. Why? Source code analysis helps paint the entire picture of where your applications are vulnerable and how they might stand up, and fall down, against the threats they face. It reaches what black-box testing can't: code paths a scanner never exercises, hard-coded credentials and keys, and unsafe data flows from untrusted input to dangerous calls that only show up under exactly the right conditions.
Note that I emphasize "automated" source analysis because no security professional worth their salt has time to manually review all the applications that matter.
 
The following screenshot of CxSuite shows the summary findings in an Android mobile app:

Interestingly, here are the findings in the same app written in Objective-C for the super secure iOS platform:

There are a dozen more low-priority findings that you can't see in this screenshot. These differences in Android and iOS code are reason enough to perform source code analysis...

The CxSuite report shows prioritized findings (to be reviewed and re-prioritized by you as necessary) as well as source code examples so developers can understand how to fix the issues.
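To make concrete what an automated source analyzer does that a Web vulnerability scan can't, and what a prioritized finding with a source location looks like, here is a small, added example: a toy source-to-sink taint analysis written for this post. It is not CxSuite's code or the post's own, and it does not reproduce the findings in the screenshots. The Java/Android snippet it scans is constructed for the example; the source, sanitizer, and sink lists are assumptions chosen to keep it short.

```python
"""Toy source-to-sink taint analysis over a constructed Java/Android snippet.

Added illustration, not CxSuite and not the post's own code. It follows
untrusted input (sources) through assignments to dangerous calls (sinks),
drops the taint when a recognised sanitizer is applied, and reports each
hit with a severity and the line where the untrusted data entered.
"""
import re

# Constructed sample Android activity fragment (written for this example).
SAMPLE_JAVA = """\
String user = getIntent().getStringExtra("user");
String safeUser = DatabaseUtils.sqlEscapeString(user);
Cursor c1 = db.rawQuery("SELECT * FROM accounts WHERE name = " + safeUser, null);
String q = "SELECT * FROM accounts WHERE name = '" + user + "'";
Cursor c2 = db.rawQuery(q, null);
String cmd = "ls " + user;
Process p = Runtime.getRuntime().exec(cmd);
Log.d("Auth", "login attempt for " + user);
Cursor c3 = db.rawQuery("SELECT 1", null);
"""

# Assumed rule set: where untrusted data enters, what cleans it, where it is dangerous.
SOURCES = ("getIntent().getStringExtra(", "getText().toString(")
SANITIZERS = ("DatabaseUtils.sqlEscapeString(",)
SINKS = {  # call name -> (finding category, severity)
    "rawQuery": ("SQL injection", "High"),
    "execSQL": ("SQL injection", "High"),
    "Runtime.getRuntime().exec": ("Command injection", "High"),
    "Log.d": ("Information exposure through log", "Low"),
}

_ASSIGN = re.compile(r"^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);\s*$")
_IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


def _strip_strings(code):
    """Blank out string literals so words inside them are not mistaken for variables."""
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', code)


def _call_args(line, name):
    """Return the argument text of the first call to `name` on the line, or None.

    Simplification: parentheses inside string literals are not handled.
    """
    start = line.find(name + "(")
    if start < 0:
        return None
    i = start + len(name) + 1
    depth, j = 1, i
    while j < len(line) and depth:
        depth += {"(": 1, ")": -1}.get(line[j], 0)
        j += 1
    return line[i:j - 1]


def analyze(java_source):
    """Return findings as dicts, highest severity first, then by line."""
    tainted = {}  # variable name -> line number where untrusted data entered
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        m = _ASSIGN.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            if any(s in rhs for s in SANITIZERS):
                tainted.pop(var, None)  # simplification: sanitizer cleans the whole RHS
            elif any(s in rhs for s in SOURCES):
                tainted[var] = lineno
            else:
                used = [v for v in _IDENT.findall(_strip_strings(rhs)) if v in tainted]
                if used:
                    tainted[var] = tainted[used[0]]  # taint propagates, origin kept
                else:
                    tainted.pop(var, None)  # reassigned from clean data
        for sink, (category, severity) in SINKS.items():
            args = _call_args(line, sink)
            if args is None:
                continue
            if any(s in args for s in SOURCES):
                origin = lineno  # source passed straight into the sink
            else:
                hit = [v for v in _IDENT.findall(_strip_strings(args)) if v in tainted]
                if not hit:
                    continue
                origin = tainted[hit[0]]
            findings.append({"line": lineno, "sink": sink, "category": category,
                             "severity": severity, "source_line": origin})
    findings.sort(key=lambda f: (f["severity"] != "High", f["line"]))
    return findings


def report(findings):
    """Render findings the way a report would: severity, location, category, data flow."""
    return [f"{f['severity']:<5} line {f['line']}: {f['category']} via {f['sink']} "
            f"(untrusted input from line {f['source_line']})" for f in findings]


if __name__ == "__main__":
    for row in report(analyze(SAMPLE_JAVA)):
        print(row)
```

Run as a script, it flags the unescaped query on line 5, the shell command on line 7, and the log line on line 8, each traced back to the Intent extra on line 1, while the escaped query on line 3 and the constant query on line 9 are left alone. A real analyzer does this across files, methods, and frameworks and still produces findings you must triage, which is why the report's priorities are a starting point rather than a verdict.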


If you're an IT administrator, security manager, compliance auditor, developer, or consultant responsible for finding weaknesses in your organization's (or your client's) Web applications and mobile apps, you really need to look at the source code...eventually. And by "eventually" I mean at some point in the next year. Not the next five years. Not when you get around to it. If you don't, odds are good that someone else will find the flaws for you and try to make you look bad. Then what's it going to cost? Ten, twenty, maybe a thousand times more than proper testing would have cost in the first place.


Don't end up there, in the group of people we keep hearing about who find out about their vulnerabilities and breaches from third parties. Perform a proper automated source code analysis soon, and repeat it periodically. There are several source code analyzers to choose from; of the ones I've used over the years, I've found CxSuite to be a great option whether you're highly technical or not.
In a future post I'll walk you through the steps required to perform a typical source code analysis. It's much easier than most people think.
