I’m Ken Malmquist, founder of Source Code Security. I’m a retired naval officer and I’ve been a specialist in Application Security for the financial services industry since 2004.
At SCS, our aim is to help you secure your web sites, mobile applications, and APIs. We offer a range of services, including source code review, application and API penetration testing, secure design review, threat modeling, and software development lifecycle (SDLC) consulting. We execute our projects with a military degree of attention to detail to keep your users, employees, and stakeholders safe online.
The most effective way to address application vulnerability management is to take a risk-based approach.
A customer-facing, enterprise banking web application requires a different level of scrutiny than an internally-facing application that tracks equipment purchases. The more critical the application and the data it contains, the more methodical the security measures it will require. Depending on your organization’s appetite for risk, business objectives, compliance drivers, and resource constraints, when it’s time to assess the vulnerability of your critical applications, you’ll want to take an approach that best fits your needs. There are multiple methods for performing vulnerability assessments, and each has different strengths and weaknesses. It’s important to find the right combination of these, depending on the unique attributes of your environment and what your goals are.
The most comprehensive form of vulnerability discovery is to perform a source code security assessment.
Without a doubt, the most comprehensive approach to finding application vulnerabilities is to examine the source code directly through some form of Static Application Security Testing (SAST). Which type of SAST method is right for you depends on several factors.
What does your application environment look like?
Whether you’re working with a mobile application, a cloud application, a web application, or a web API/microservice will introduce different variables that need to be taken into account. You’re going to have slightly different concerns if you’re working with PHP, .NET, Java, Rails, Express, or some other framework. Do you own the code? Do you own or manage the entire application stack? How about the data? Are you dependent on third-party libraries? Is your development outsourced? All of these questions and more need to be addressed in order to develop an appropriate assessment strategy.
What’s the appropriate methodology for your source code security assessment?
Depending on your needs and your budget, SAST can be performed with different levels of human discernment. Source Code Security is highly proficient in the use of various automated tools for source code assessment. These tools are great for finding a significant percentage of the most frequent critical vulnerabilities, such as SQL injection (SQLi) and cross-site scripting (XSS). But by themselves these tools may not provide the whole story. One challenge to a fully automated approach to vulnerability discovery is the tendency toward false-positive results. Without sufficient context, an automated tool may not know the difference between a true vulnerability and a functional requirement in your code. A bad signal-to-noise ratio in the findings of an automated assessment can add significant downstream costs when your team spends hours or even days trying to figure out what’s a real vulnerability and what isn’t. Another challenge automated tools encounter is identifying logic errors, such as those involving authentication and authorization issues.
The bottom line is that automated tools provide a great baseline for vulnerability discovery, but keep in mind that they often miss an essential layer of context. If you’re simply looking to meet a compliance objective, an automated approach might very well be all you need. But if your application is trading foreign currencies between central banks, you might prefer some greater assurance that you’ve found all the vulnerabilities you can and that you’ve verified these to be legitimate causes for concern. Of course, there are situations that fall at every point along the spectrum between the two examples given above, and each unique circumstance requires a unique approach. Source Code Security will work with your organization to find the “sweet spot” between automated and manual approaches. We’ll help you find the best mix of these methods for your application depending on your goals and we’ll provide you with a clear understanding of the costs/benefits associated with different strategies.
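To make the signal-to-noise and logic-error points concrete, here is an added illustration (not Source Code Security’s tooling or any real scanner): one context-free rule of the kind an automated tool applies, run over four constructed code lines, and compared against what a reviewer who knows the surrounding code would conclude. The sample lines, `SORT_COLUMNS`, `request.args` and the reviewer verdicts are all constructed for this example.

```python
import re

# Constructed sample code lines (not from any real code base), paired with what a
# manual reviewer who has full context would conclude about each one.
SAMPLES = {
    # Request input concatenated straight into SQL: a real SQLi.
    "lookup_user":   ('cur.execute("SELECT * FROM users WHERE name = " + request.args["name"])', "SQLi"),
    # Concatenation too, but SORT_COLUMNS is a fixed allow-list of column names: not exploitable.
    "sort_orders":   ('cur.execute("SELECT * FROM orders ORDER BY " + SORT_COLUMNS[choice])', None),
    # Parameterized query with an internal value: clean.
    "find_account":  ('cur.execute("SELECT * FROM accounts WHERE id = %s", (account_id,))', None),
    # Parameterized, so no injection, but any caller can read any statement: an authorization
    # logic error that no string pattern can see.
    "get_statement": ('cur.execute("SELECT * FROM statements WHERE id = %s", (request.args["id"],))',
                      "missing authorization check"),
}

# The rule: an execute() call whose SQL string is built with '+' is flagged as SQLi.
CONCAT_SQL = re.compile(r'execute\(\s*"[^"]*"\s*\+')

def automated_finding(line):
    """Context-free rule of the kind an automated SAST tool applies."""
    return "SQLi" if CONCAT_SQL.search(line) else None

def triage(samples):
    """Compare tool output with reviewer verdicts; this is the manual context step."""
    report = {}
    for name, (line, reviewer) in samples.items():
        tool = automated_finding(line)
        if tool and reviewer == tool:
            report[name] = "true positive"
        elif tool:
            # Tool fired, but the reviewer knows the operand is an allow-listed constant.
            report[name] = "false positive"
        elif reviewer:
            # Nothing to pattern-match: the defect is in the logic, not in the string.
            report[name] = "missed by tool: " + reviewer
        else:
            report[name] = "clean"
    return report

def summary(report):
    """Counts per outcome: the signal-to-noise ratio a team actually has to work through."""
    counts = {}
    for outcome in report.values():
        key = outcome.split(":")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for name, outcome in triage(SAMPLES).items():
        print(f"{name:14s} {outcome}")
    print(summary(triage(SAMPLES)))
```

Of the four lines, the tool reports two findings, of which one is noise, and it says nothing about the authorization bug; the reviewer's context is what separates the three cases.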
How much of your code base do you need to assess?
If this is the first time your application has ever been assessed for vulnerabilities, it’s important to establish a baseline of findings you can use to benchmark future efforts. Subsequent source code security assessments can focus on the changes made to the original code base. But for the first pass, a comprehensive assessment of the entire code base is recommended as a best practice. However, sometimes an organization may decide that they only wish to assess areas of the code that handle inputs, such as web forms or searches. Perhaps they want to examine a particular module or API. Source Code Security can tailor the scope of an assessment to meet the particular requirements of your organization.
There are no one-size-fits-all solutions.
Source Code Security is committed to delivering results that maximize Return on Security Investment (ROSI) for our clients. We’ll work with your team to find the optimal mix of scope, strategies, and methods to give you the most accurate portrait of the risks facing your critical applications.
A Hybrid Assessment approach delivers results in context.
Ideally, application security code reviews are combined with threat modeling, secure architecture reviews, and penetration testing. This approach enables us to provide you with the most comprehensive view possible of your application’s security posture and to eliminate more false-positive results, saving time and money.
Once you know which vulnerabilities truly pose a risk, you can focus your security budget on the most pressing issues. That way you can target remediation efforts that will actually make a difference, without wasting money on fixes or controls that don’t deliver the same value.
Of course, Source Code Security is happy to assist you with the remediation process should any security deficiencies be uncovered!