More end-user organisations and software vendors are using outsourced services to check app for vulnerabilities, so it's important to understand the processes involved.
On-demand software offers a number of benefits over applications installed and managed on a company's own premises. These benefits include infrastructure costs being shared among multiple customers, and the availability of experts dedicated to running the app, which frees up inhouse resources for other tasks.
But the nature of the app can determine the extent of the benefits, and some benefits only apply to certain categories of software. For example, Quocirca has recently been researching the outsourcing of security scanning for software applications.
Scanning applications should be an essential part of any business's overall approach to software security. This process applies to end-user organisations that develop and procure software for use inhouse, as well as to independent software vendors who write and sell software.
Software security scanning is an alternative, accepted by organisations such as the Payment Card Industry Security Standards Council (PCI SSC) to web application firewalls (WAFs), which are a way of protecting deployed software against application-specific attacks.
Scanning ensures problems are identified and fixed early in the software development and deployment cycle rather than left to run-time, as WAFs do.
New research published by Quocirca shows that code scanning in general is the most widely used approach to software security, and that the use of on-demand scanning services is now almost as widespread as the use of on-premise tools, especially for packaged applications bought from independent software vendors.
Some may be surprised that third-party code can be scanned in this way. To understand this approach requires an understanding of the two basic ways of addressing the issue: static and dynamic software scanning.
Static scanning is where software code or binaries are taken and run through a scanner. Every line is examined and analysed within the context of the development language and potential flaws identified with advice on how to fix.
Static scanning is thorough. It looks at all areas of the code regardless of how likely it is to actually be executed at run-time. When using an on-demand service for static scanning the application is submitted to the service provider over a secure link for a report.
Static scanning has traditionally been more suited to inhouse-developed code than commercially-acquired applications, because independent software vendors do not readily give up their source code for scrutiny. However, the advent of binary static analysis means any application can now be subjected to a static scan.
All that's needed are the final executable files. This approach has the additional benefit of including analysis of embedded third-party components, which source-code scanning would not provide. It may be advisable to seek the co-operation and permission of independent software vendors when scanning their applications. Indeed, they may well provide details of scans they themselves have commissioned.
Dynamic scanning can also be carried out independently of the supplier. Here the focus is on web-enabled applications that are scanned in a test or run-time environment. It is not as thorough as static scanning, because only discovered executable roots through the code are followed. But these routes are the ones most prone to attack.
Since no sources or details of binaries are required, dynamic testing can be used to test any web-enabled application, including those provided as on-demand services as well as inhouse-developed and deployed ones.
The process is straightforward. Simply point the scanner at the URL for the application and let it get on with it. There seems little point in buying and installing tools to carry out such scans on-premise when you consider how easy it is to point an on-demand service at a web-enabled application.
This advantage is especially true when the benefits of using an on-demand service specific to code scanning are taken in to account. Top among these benefits is the wisdom of crowds.
Because code-scanning service providers are dealing with hundreds of customers, and scanning many thousands of applications on their behalf, they soon build up a picture of common problems.
When it comes to commercial code, they will often have seen it before and know what to look for and have an understanding of common flaws introduced through customisation.
This familiarity allows service providers to benchmark the results of a given scan against the results they have had from other scans and indicate to a customer if its code is below or above average.
This facility makes it easy to set thresholds and offer advice about the dangers of proceeding with the deployment of a given application without making modifications to the code or putting other security measures in place.
Understanding software security is the core competence of the providers of on-demand scanning services. The developers of software code, whether they're coders working for end-users organisations or ISVs, do not necessarily have this skill.
Their focus should be on building the core functionality of their applications and ensuring they deliver the expected business value; the task of security testing can be outsourced.
Those interested in finding out more about the benefits of the dynamic and static code scanning and the results of Quocirca's latest research the report are freely available.