Explain the cost of software flaws.
Compare and contrast manual and automated source code review techniques.
Examine code analysis tools.
Discussion Board
During this module, you explored the cost of software flaws and a variety of code analysis tools.
Use what you have learned to compare and contrast automated software review tools with manual review processes.
Commonly called “white-box” testing.
Source code is available to the tester, which enables many types of testing methods
Provides an understanding of the code structure
Helps to ensure that the code adheres to industry standards
Evaluates both web and non-web applications. Scans ALL code.
Has a higher probability of finding vulnerabilities
An excellent method for detecting errors and defects located in the source code of a program WITHOUT execution.
There are five basic software testing steps that should be performed prior to release.
Basic functionality testing ensures that each attribute works. Ensure that simple inputs are handled without system failure.
Code review or peer review is performed to identify issues with the code structure prior to the code analysis phase.
Code analysis is performed either statically or dynamically and is generally performed using automated code scanners to identify weaknesses in the code or security vulnerabilities.
Unit testing is performed to ensure the code is working as expected and is tested across a range of valid and invalid inputs.
Single-user performance testing is the final phase of the code testing and consists of a front-end analysis to make sure the software is responsive while a single user is using the system.
Static Code Analysis
Code analyzers
Look for patterns, defined as rules, which can cause security vulnerabilities or other code quality problems
Static code analyzers utilize a “best fix location” algorithm, which fixes multiple vulnerabilities at a single point
Very easy to deploy
Can save time during development
Calculating the Cost of a Code Fix
Average cost to code a fix = (number of developer man-days × cost per man-day) / number of defects fixed
In addition to this calculation, organizations also need to consider the following additional costs:
System testing costs
Implementation costs
System deployment and operations costs
Postproduction costs, and
Other costs, such as project management, documentation, downtime cost, etc. (Merkow, 2020)
Manual Source Code Review
Manual source code reviews can begin when there is sufficient code from the development process to review.
The scope of a source code review is usually limited to finding code-level problems that could potentially result in security vulnerabilities.
Manual secure code review is the process of reading source code line-by-line to identify potential vulnerabilities.
It is a tedious process that requires skill, experience, persistence, and patience.
Vulnerabilities discovered, and subsequently addressed through the manual review process, can greatly improve an organization’s security posture.
Primary Phases of Manual Review
Interview
Understand the intent of the application before reviewing the code
Code Review
Each member of the code review team will review the entire code.
Provides for multiple eyes on the same code
Reporting Results
The final list of findings, along with descriptions and possible mitigations is presented to the developers.
Static Application Security Testing (SAST)
Supports the secure development of programs in an organization by finding and listing the potential security bugs in the code base;
SAST tools offer a wide variety of views/reports and trends on the security posture of the code base
Can be used as an effective mechanism to collect metrics that indicate the progress and maturity of the software security activities.
Source code analyzers operate relatively quickly compared to the several thousands of man-hours needed
Automated tools also provide risk rankings for each vulnerability, which helps the organization to prioritize its remediation strategies.
Benefits of using SAST
Brand protection through reduced risk from potential security exploits.
Improvement in delivery of secure and dependable application software solutions.
Reduction in the cost of remediation by addressing security vulnerabilities earlier in the development life cycle (compared to expensive post-production fixes).
Assurance to business owners/partners and auditors/regulators about effectiveness of security controls.
Compliance with standards and internal/external audit requirements.
Easier security automation in the software development lifecycle.
Improved developer skills through regular use of the tool helps to ensure ongoing quality improvements in custom-built software.
Effective tool to collect and track software security metrics.
Inside SAST Tools
It’s risky to deploy SAST tools before the workforce is prepared to incorporate their use into the Scrum process
When this happens, the following situation becomes commonplace:
Applications are selected for scanning, and SAST scans are run.
Reports of the scan results are prepared and shared with the team responsible for the application.
Developers don’t understand what the reports are telling them and settle into bewilderment that leads to inaction or analysis paralysis.
When developers do react, it’s often with incredulous disbelief that their program is capable of being defective and the security team must be wrong or crazy or is picking on them.
Appsec architects responsible for this new process are left holding the ever-growing bag of software defects that cannot be addressed properly, and wait while management escalations resolve what has now become a human-factors-based incident for managers in multiple areas to address.
SAST Key Terms and Elements
Trust Boundary (Security Perimeter)
Only the packaged application binaries are considered within the trust boundary.
Source
The point of entry of data, where variables are set with values
Sink
The point of exit for data, at which variables are used in computing processes
Taint
The condition ascribed to every variable that is found at the source
Vulnerability
The condition in which a variable is still tagged as tainted
Cleanser or Taint Removal
The software routine that the scanner recognizes as a viable function that removes the taint tag.
Taint Propagation
This occurs when another variable is set to the value of a variable that is still tagged as tainted.
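To make the source/sink/taint/cleanser vocabulary above concrete, here is a toy taint tracker written for this lecture summary (it is an added example, not code from the lecture or from any real SAST product). It walks a constructed Python snippet with the standard `ast` module; the particular function names treated as sources, sinks and cleansers are assumptions chosen for illustration.

```python
import ast
# Vocabulary from the lecture; the concrete function names are assumptions.
SOURCES = {"input", "request.args.get"}   # points of entry for data
SINKS = {"cursor.execute", "os.system"}   # points of exit into computation
CLEANSERS = {"int", "shlex.quote"}        # routines that remove the taint tag

def call_name(node):
    """Render a.b.c(...) as 'a.b.c' ('' for calls that are not plain dotted names)."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    return ".".join(reversed(parts + [f.id])) if isinstance(f, ast.Name) else ""

def is_tainted(expr, tainted):
    """Taint flows through names, concatenation, f-strings and non-cleanser calls."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = call_name(expr)
        if name in SOURCES:
            return True
        if name in CLEANSERS:
            return False                      # cleanser: the taint tag is removed
        recv = [expr.func.value] if isinstance(expr.func, ast.Attribute) else []
        return any(is_tainted(a, tainted) for a in expr.args + recv)
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def find_taint_flows(src):
    """Return (line, sink) pairs where a tainted value reaches a sink."""
    tainted, findings = set(), []
    for stmt in ast.parse(src).body:          # statement order: flow-sensitive
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            if is_tainted(stmt.value, tainted):
                tainted.add(stmt.targets[0].id)      # taint propagation
            else:
                tainted.discard(stmt.targets[0].id)  # reassigned from clean data
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if call_name(call) in SINKS and any(is_tainted(a, tainted) for a in call.args):
                findings.append((stmt.lineno, call_name(call)))
    return findings

# Constructed sample program to scan (not real application code).
SAMPLE = """\
user = request.args.get("name")                           # source
greeting = "Hello " + user                                # propagation
cursor.execute("SELECT 1 WHERE n = '" + greeting + "'")   # tainted sink
page = int(request.args.get("page"))                      # cleanser
cursor.execute("SELECT 1 LIMIT " + str(page))             # clean
os.system("echo " + shlex.quote(user))                    # cleanser at sink
"""
```

Running `find_taint_flows(SAMPLE)` reports only line 3, which is exactly the distinction a real scanner draws: the same sink is clean on line 5 because a cleanser sat between source and sink.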
Questions
Take advantage of this opportunity to seek further clarification.
Discussion Question.
During this module, you explored the cost of software flaws and a variety of code analysis tools. Use what you have learned to compare and contrast automated software review tools with manual review processes. Be sure to identify the pros and cons of each method as a means of drawing distinctions between the two methods. * The lecture is attached to help you. * Include at least two sources from professional or academic literature, such as articles from peer-reviewed journals. * APA style.