Help us improve cyber security through source code scanning

| Joost Schalken-Pinkster | Security

To reduce the threat of cyber-attacks, all companies must start making more secure systems. This means more security awareness in all IT functions, including development. We are developing a new service that helps secure software development by scanning source code for security issues, and we are looking for test customers who are interested in getting security related feedback.

Why source code security is important

For the foreseeable future businesses will continue to face cyber-attacks. Although investments in infrastructure (e.g. firewalls, virus scanners and intrusion detection tools) will help keep many of the hackers away, the uncomfortable truth is that only solution that will work in the long run is improving the security of the fabric that makes the IT systems: the source code. The problem with source code security is that the devil is in the details: even a single slip in a single line of code could introduce a security issue. A missing security check or unsafe database call can go unnoticed for months, but can potentially make the whole system vulnerable. Another problem is keeping source code secure is change. Systems often have a large code base, that is constantly changing. Developers therefore need automated methods and tools.

Automated source code measurement

In the software quality world, the state of practice has evolved from an art and craft approach to a more mature engineering approach where source code measurements (software metrics) are used to determine if the quality of the source code is adequate. The road to these tools was long… In the 70’s pioneers like Tom McCabe and Maurice Halstead invented software metrics to measure the quality of source code. But it would take another thirty years (2000-2005) until it was clear how these software metrics could be used in practice to improve the state of practice. Only then were these tools embraced by practitioners and supported by widely available tools (see our (Dutch) list of common source code analysis tools).

In the software security world we need to make the same leap: we need to go from individual measurement tools to a comprehensive approach for tool-assisted secure software development. To allow such a comprehensive approach, we need to know which findings pose real risks to the security of a system and which findings are merely a false alerts. We also need to learn how much security is ‘good enough’: the software industry already has a reputation for being late and secure software engineering should not make it even more late.

Our secure source code initiative

And to learn these things we need your help: we are looking for companies that are willing to let us analyse the source code of their applications. We keep the source code confidential, measure the code based on common tools, compare the results to analysis by our experts and share the most important findings with you for validation. In addition to helping us improve the state of practice, you will gain insights into the security of your application.

We have tested our approach on a wide variety of real software systems in multiple technologies, including  C#, Java, php and Ruby on Rails. We are looking for more systems in these technologies, but also for systems in other modern technologies, including VB.net, Python, javascript, C/C++, scala and other JVM based languages. For all of these languages, we use a combined approach where we  use our own search algorithms and search patterns, but also make use of available tools and documentation. Our ultimate goal is finding out which tool/approach is good at finding what kind of issues, so we can use the best combination of tools for each system. We are open for comparing our results against existing security tools, such as Fortify, Veracode and Checkmarkx. So if you are already using one of these tools, our service is still relevant.

How to help

If you would like to obtain security insights for an IT system you are using or working on, please contact us via the form below or directly at joost [@] ictinstitute.nl. Note that we have a secure software upload process in place and that we will treat all source code as confidential. We will provide more information on what we can do and can answer any questions you have about this initiative.

Image: creative commons – perspecsys

Author: Joost Schalken-Pinkster
Dr. Joost Schalken-Pinkster has obtained a Ph.D. in software engineering in 2007. Since then he has worked continuously in IT as architect management consultant and lecturer. Besides working at ICT Institute, Joost is lecturer at Utrecht Applied University where he focuses on code construction, software design and software architecture.