Security Compliance with Static Code Analysis


Compliance

Compliance describes the adherence to regulations and commitments organizations have to fulfill in certain sectors. Security is an integral part of many regulations. In general, a company is compliant if a snapshot of the current security arrangements meets a specific set of requirements. These requirements are defined by several regulatory organizations or standards, for example PCI DSS, HIPAA, or the ISO27k-series. If your company is bound to - or would like to - comply to these standards, read on and learn how the security requirements can be achived with a SAST tool.

PCI DSS

The Data Security Standard from the Payment Card Industry, short PCI DSS, specifies 12 requirements for the safe use of credit card information. The specifications were determined by the largest payment brands in order to reduce the vast amount of credit card frauds.

The most important part of this standard for web applications processing this data is requirement 6, to develop and maintain secure systems and applications. Next to maintenance and management requirements, the following steps are required:

  • 6.1: Establish a process to identify security vulnerabilities and assign a risk ranking.
  • 6.3: Develop internal and external software applications securely, in accordance with PCI DSS and based on industry standards and/or best practices. More specifically, custom code needs to be reviewed for potential coding vulnerabilities (6.3.2).
  • 6.5: Address common coding vulnerabilities in software-development processes. This includes injection flaws (6.5.1), weak cryptography (6.5.3), information leakage (6.5.5), high risk vulnerabilities (6.5.6), Cross-Site Scripting (6.5.7), improper access control (6.5.8) and broken session management (6.5.10).
  • 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing bases and ensure these applications are protected against known attacks.

By integrating RIPS into your SDLC as an automated application vulnerability security assessment tool, these steps of requirement 6 and 11 (regularly test security systems) can be addressed. RIPS enables an early and cost-efficient detection and mitigation of security issues that could otherwise lead to authentication bypasses or the direct leakage of sensitive card data. Additionally, RIPS warns about the usage of insecure cryptography algorithms and thus helps to prevent unauthorized access (requirement 3.4 and 3.5).

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) specifies a standard for the privacy and security of electronic protected health information. Static code analysis is able to address the following elements in the CFR 164.308 and 164.12.

  • Risk analysis
  • Risk management
  • Protection from malicious software
  • Authentication security
  • Data security and integrity

With the help of RIPS’ risk analysis, each analyzed application is categorized by its risk level that bases on the quantity and severity of prevalent security issues (see Figure 1). Based on this level, insecure applications can be automatically identified, prioritized, and subjected to further actions. Due to RIPS precise analysis of PHP characteristics, malicious PHP shells can be tracked down, as well as subtle bugs that affect the security of authentication mechanisms or stored data.

Figure 1: Risk analysis based on detected security vulnerabilities.

NIST 800-53

The Special Publication 800-53 by the National Institute of Standards and Technology (NIST), specifies guidelines on security controls for federal information systems. These guidelines apply to all systems in the U.S. except those related to national security. The following controls are covered by a static code analysis tool:

  • RA-5: Vulnerability scanning of systems and applications
  • SA-11: Security testing and evaluation in consultation with security personnel and a verifiable flaw remediation process
  • SC-7: Boundary protection through authentication control
Figure 2: Issue breakdown and classification of detected security vulnerabilities.

Vulnerability Classification

RIPS categorizes each detected vulnerability by the most common standards used in the security industry, namely OWASP Top 10, MITRE CWE, and SANS Top 25. An exemplary summary for all issues can be found in Figure 2. The standards unify the most dangerous software vulnerabilities and are listed in the following tables, as well as their support by RIPS.

OWASP Top 10

 Fully supported
 Automated detection is limited by a software's ability to understand anothers software's logic
RankNameRIPS
A1Injection
A2Broken Authentication and Session Management
A3Cross-Site Scripting (XSS)
A4Insecure Direct Object References
A5Security Misconfiguration
A6Sensitive Data Exposure
A7Missing Function Level Access Control
A8Cross-Site Request Forgery
A9Using Components with Known Vulnerabilities
A10Unvalidated Redirects and Forwards

CWE/SANS Top 25

 Fully supported
 Not applicable to PHP code but to the PHP interpreter
 Automated detection is limited by a software's ability to understand anothers software's logic
RankIDNameRIPS
1CWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
2CWE-78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
3CWE-120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
5CWE-306Missing Authentication for Critical Function
6CWE-862Missing Authorization
7CWE-798Use of Hard-coded Credentials
8CWE-311Missing Encryption of Sensitive Data
9CWE-434Unrestricted Upload of File with Dangerous Type
10CWE-807Reliance on Untrusted Inputs in a Security Decision
11CWE-250Execution with Unnecessary Privileges
12CWE-352Cross-Site Request Forgery (CSRF)
13CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
14CWE-494Download of Code Without Integrity Check
15CWE-863Incorrect Authorization
16CWE-829Inclusion of Functionality from Untrusted Control Sphere
17CWE-732Incorrect Permission Assignment for Critical Resource
18CWE-676Use of Potentially Dangerous Function
19CWE-327Use of a Broken or Risky Cryptographic Algorithm
20CWE-131Incorrect Calculation of Buffer Size
21CWE-307Improper Restriction of Excessive Authentication Attempts
22CWE-601URL Redirection to Untrusted Site ('Open Redirect')
23CWE-134Uncontrolled Format String
24CWE-190Integer Overflow or Wraparound
25CWE-759Use of a One-Way Hash without a Salt

Summary

Fulfilling the requirements of security compliance is a good step towards building secure applications, especially if these applications are designed to handle sensitive information, such as protected health data or credit card data. With the help of static code analysis tools, the technical requirements of these standards can be addressed and the security of applications becomes more manageable. RIPS supports the most common security standards, detects different classes of security issues, and helps to remediate all issues for a maximum attack protection.


Follow us on Twitter to be notified when the next gift of our advent calendar is opened!

APAV Time Table

DateAuthorTitle
24 Dec 2016Johannes DahseWhat we learned from our Advent Calendar
23 Dec 2016Hendrik Buchwalde107 2.1.2: SQL Injection through Object Injection
22 Dec 2016Daniel PeerenSecurity Compliance with Static Code Analysis
21 Dec 2016Martin BednorzAbanteCart 1.2.8 - Multiple SQL Injections
20 Dec 2016Martin BednorzKliqqi 3.0.0.5: From Cross-Site Request Forgery to Code Execution
19 Dec 2016Robin PeraglieosClass 3.6.1: Remote Code Execution via Image File
18 Dec 2016Daniel PeerenContinuous Integration - Jenkins at your service
17 Dec 2016Johannes DahseOpenConf 5.30 - Multi-Step Remote Command Execution
16 Dec 2016Robin PeraglieRedaxo 5.2.0: Remote Code Execution via CSRF
15 Dec 2016Dennis DeteringGuest Post: Vtiger 6.5.0 - SQL Injection
14 Dec 2016Hendrik BuchwaldThe State of Wordpress Security
13 Dec 2016Johannes DahsephpBB 2.0.23 - From Variable Tampering to SQL Injection
12 Dec 2016Martin BednorzTeampass 2.1.26.8: Unauthenticated SQL Injection
11 Dec 2016Daniel PeerenRescanning Applications with RIPS
10 Dec 2016Hendrik BuchwaldNon-Exploitable Security Issues
9 Dec 2016Hendrik BuchwaldPrecurio 2.1: Remote Command Execution via Xinha Plugin
8 Dec 2016Martin BednorzPHPKit 1.6.6: Code Execution for Privileged Users
7 Dec 2016Hendrik BuchwaldSerendipity 2.0.3: From File Upload to Code Execution
6 Dec 2016Robin PeraglieRoundcube 1.2.2: Command Execution via Email
5 Dec 2016Hendrik BuchwaldExpression Engine 3.4.2: Code Reuse Attack
4 Dec 2016Johannes DahseIntroducing the RIPS analysis engine
3 Dec 2016Martin BednorzeFront 3.6.15: Steal your professors password
2 Dec 2016Martin BednorzCoppermine 1.5.42: Second-Order Command Execution
1 Dec 2016Hendrik BuchwaldFreePBX 13: From Cross-Site Scripting to Remote Command Execution
25 Nov 2016Martin BednorzAnnouncing the Advent of PHP Application Vulnerabilities

Disclaimer: The information provided here is for educational purposes only. It is your responsibility to obey all applicable local, state and federal laws. RIPS Technologies GmbH assumes no liability and is not responsible for any misuse or damages caused by direct or indirect use of the information provided.

Tags: daniel peeren, php, compliance, apav, sast,

Comments

comments powered by Disqus