Application security code analysis: a step towards software assurance

Abstract

The last few years have witnessed a rapid growth in cyber attacks, with daily new vulnerabilities being discovered in computer applications. Various security-related technologies, e.g., anti-virus programs, Intrusion Detection Systems (IDSs)/Intrusion Prevention Systems (IPSs), firewalls, etc., are deployed to minimise the number of attacks and incurred losses. However, such technologies are not enough to completely eliminate the attacks to some extent; they can only minimise them. Therefore, software assurance is becoming a priority and an important characteristic of the software development life cycle. Application code analysis is gaining importance, as it can help in writing safe code during the development phase by detecting bugs that may lead to vulnerabilities. As a result, tremendous research on code analysis has been carried out by industry and academia and there exist many commercial and open source tools and approaches for this purpose. These have their own pros and cons. Therefore, the main objective of this article is to explore the state-of-the-art in code analysis and a few major tools which benefit not only security professionals, but also novice Information Technology (IT) professionals. We study the tools and techniques under the basic four types of analysis (Static Source Code (SSC), Static Binary Code (SBC), Dynamic Source Code (DSC) and Dynamic Binary Code (DBC) analysis) and briefly discuss them.