Code Audit

A software code audit is a comprehensive analysis of source code in a programming project with the intent of discovering bugs, security breaches or violations of programming conventions. It is an integral part of the defensive programming paradigm, which attempts to reduce errors before the software is released. C and C++ source code is the most common code to be audited since many higher-level languages, such as Python, have fewer potentially vulnerable functions (e.g., functions that do not check bounds).


Guidelines

When auditing software, every critical component should be audited separately and together with the entire program. It is a good idea to search for high-risk vulnerabilities first and work down to low-risk vulnerabilities. Whether a vulnerability between those two extremes counts as high- or low-risk generally depends on the situation and on how the source code in question is being used.

Application penetration testing tries to identify vulnerabilities in software by launching as many known attack techniques as possible on likely access points in an attempt to bring down the application. This is a common auditing method and can be used to find out whether specific vulnerabilities exist, but not where they are in the source code. Some claim that end-of-cycle audit methods tend to overwhelm developers, ultimately leaving the team with a long list of known problems but little actual improvement; in these cases, an in-line auditing approach is recommended as an alternative.


High-risk vulnerabilities

Some common high-risk vulnerabilities may exist due to the use of:

* Non-bounds-checking functions (e.g., strcpy, sprintf, vsprintf, and sscanf) that could lead to a buffer overflow vulnerability
* Pointer manipulation of buffers that may interfere with later bounds checking, e.g.: if ((bytesread = net_read(buf,len)) > 0) buf += bytesread;
* Calls like execve(), execution pipes, system() and similar things, especially when called with non-static arguments
* Missing input validation, e.g. (in SQL): statement := "SELECT * FROM users WHERE name = '" + userName + "';" is an example of a SQL injection vulnerability
* File inclusion functions, e.g. (in PHP): include($page . '.php'); is an example of a Remote File Inclusion vulnerability
* For libraries that may be linked with malicious code, returning a reference to an internal mutable data structure (record, array). Malicious code may try to modify the structure or retain the reference to observe future changes.
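As an added example (not code from the article), the buf += bytesread pattern from the list above is shown beside the form an audit would replace it with. net_read() is assumed here as a stand-in fed from a constructed byte string rather than a socket, and the guard-region harness is assumed test scaffolding that makes the overrun observable:

```c
#include <stddef.h>
#include <string.h>

/* Constructed "wire" data standing in for a network peer: 40 bytes. */
static const char WIRE[] = "0123456789abcdef0123456789abcdef01234567";
#define WIRE_LEN (sizeof WIRE - 1)
#define BUF_CAP 32            /* capacity the caller actually allocated */
#define GUARD 32              /* canary bytes placed right after the buffer */
static size_t wire_pos;       /* how much of WIRE has been delivered so far */
static size_t last_total;     /* bytes the last reader reported writing */

/* Stand-in for net_read(): at most 16 bytes per call, never more than len,
 * returns 0 once the constructed data is exhausted. */
static long net_read(char *buf, size_t len) {
    size_t avail = WIRE_LEN - wire_pos;
    size_t n = avail < 16 ? avail : 16;
    if (n > len) n = len;
    memcpy(buf, WIRE + wire_pos, n);
    wire_pos += n;
    return (long)n;
}

/* The pattern from the list above: buf advances but len never shrinks, so
 * every read after the first may run past the end of the original buffer. */
static size_t read_all_unsafe(char *buf, size_t len) {
    long bytesread; size_t total = 0; wire_pos = 0;
    while ((bytesread = net_read(buf, len)) > 0) {
        buf += bytesread;
        total += (size_t)bytesread;
    }
    return total;
}

/* Audited form: cursor and remaining capacity move together; stop when the
 * buffer is full and leave unread data for the caller to deal with. */
static size_t read_all_safe(char *buf, size_t len) {
    long bytesread; size_t total = 0; wire_pos = 0;
    while (total < len && (bytesread = net_read(buf + total, len - total)) > 0)
        total += (size_t)bytesread;
    return total;
}

/* Harness: BUF_CAP bytes of buffer followed by a 0xAA guard, all in one array so
 * an overrun is observable without undefined behaviour. 1 = guard intact. */
static int guard_intact(size_t (*reader)(char *, size_t)) {
    char region[BUF_CAP + GUARD];
    memset(region, 0xAA, sizeof region);
    last_total = reader(region, BUF_CAP);
    for (size_t i = BUF_CAP; i < sizeof region; i++)
        if ((unsigned char)region[i] != 0xAA) return 0;
    return 1;
}
```

With the constructed 40-byte input, the unsafe loop writes all 40 bytes into a 32-byte buffer and clobbers the guard, while the audited loop stops at 32.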


Low-risk vulnerabilities

The following is a list of low-risk vulnerabilities that should be found when auditing code but do not produce a high-risk situation:

* Client-side code vulnerabilities that do not affect the server side (e.g., cross-site scripting)
* Username enumeration
* Directory traversal
* Sensitive API keys


Tools

Source code auditing tools generally look for common vulnerabilities and only work for specific programming languages. Such automated tools can be used to save time, but should not be relied on for an in-depth audit. Applying such tools as part of a policy-based approach is recommended (see "Static analysis at the end of the SDLC doesn't work" by Wayne Ariola, SearchSoftwareQuality.com, September 22, 2008).


Dependency on requirements

If set to a low threshold, most software auditing tools detect a lot of vulnerabilities, especially if the code has not been audited before. However, the actual importance of these alerts also depends on how the application is used. A library that may be linked with malicious code (and must be immune to it) has very strict requirements, such as cloning all returned data structures, because intentional attempts to break the system are expected. A program that may only be exposed to malicious input (like a web server backend) must first take care of that input (buffer overruns, SQL injection, etc.). Such attacks may never occur for a program that is only used internally by authorized users in a protected infrastructure.


See also

* Information technology audit
* Defensive programming
* Remote File Inclusion
* SQL injection
* Buffer overflow
* List of tools for static code analysis

