Compliance describes the adherence to regulations and commitments that organizations in certain sectors have to fulfill. Security is an integral part of many regulations. In general, a company is compliant if a snapshot of its current security arrangements meets a specific set of requirements. These requirements are defined by several regulatory organizations or standards, for example PCI DSS, HIPAA, or the ISO27k series. If your company is bound to, or would like to, comply with these standards, read on and learn how the security requirements can be achieved with a SAST tool.
PCI DSS
The Data Security Standard of the Payment Card Industry, PCI DSS for short, specifies 12 requirements for the safe handling of credit card information. The specifications were determined by the largest payment brands in order to reduce the vast amount of credit card fraud.
The most important part of this standard for web applications processing such data is requirement 6: develop and maintain secure systems and applications. Besides maintenance and management requirements, the following steps are required:
- 6.1: Establish a process to identify security vulnerabilities and assign a risk ranking.
- 6.3: Develop internal and external software applications securely, in accordance with PCI DSS and based on industry standards and/or best practices. More specifically, custom code needs to be reviewed for potential coding vulnerabilities (6.3.2).
- 6.5: Address common coding vulnerabilities in software-development processes. This includes injection flaws (6.5.1), weak cryptography (6.5.3), information leakage (6.5.5), high risk vulnerabilities (6.5.6), Cross-Site Scripting (6.5.7), improper access control (6.5.8) and broken session management (6.5.10).
- 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
By integrating RIPS into your SDLC as an automated application vulnerability security assessment tool, these steps of requirements 6 and 11 (regularly test security systems) can be addressed. RIPS enables early and cost-efficient detection and mitigation of security issues that could otherwise lead to authentication bypasses or the direct leakage of sensitive card data. Additionally, RIPS warns about the usage of insecure cryptographic algorithms and thus helps to prevent unauthorized access (requirements 3.4 and 3.5).
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) specifies a standard for the privacy and security of electronic protected health information. Static code analysis is able to address the following elements in the CFR 164.308 and 164.12.
- Risk analysis
- Risk management
- Protection from malicious software
- Authentication security
- Data security and integrity
With the help of RIPS’ risk analysis, each analyzed application is categorized by a risk level that is based on the quantity and severity of the security issues found (see Figure 1). Based on this level, insecure applications can be automatically identified, prioritized, and subjected to further actions. Due to RIPS’ precise analysis of PHP characteristics, malicious PHP shells can be tracked down, as well as subtle bugs that affect the security of authentication mechanisms or stored data.

NIST 800-53
The Special Publication 800-53 by the National Institute of Standards and Technology (NIST) specifies guidelines on security controls for federal information systems. These guidelines apply to all systems in the U.S. except those related to national security. The following controls are covered by a static code analysis tool:
- RA-5: Vulnerability scanning of systems and applications
- SA-11: Security testing and evaluation in consultation with security personnel and a verifiable flaw remediation process
- SC-7: Boundary protection through authentication control

Vulnerability Classification
RIPS categorizes each detected vulnerability according to the most common standards used in the security industry, namely OWASP Top 10, OWASP ASVS, MITRE CWE, and SANS Top 25. An example summary for all issues can be found in Figure 2. These standards enumerate the most dangerous software vulnerabilities; they are listed in the following tables together with their support by RIPS.
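The risk analysis described in the HIPAA section (a per-application risk level derived from the quantity and severity of findings) and the standards classification described here, as an added Python example that is not RIPS code and does not reproduce its engine: a toy pattern-based scanner whose rule set maps each match to a CWE entry and to the OWASP Top 10 and SANS Top 25 ranks from the tables below, then aggregates the findings into a risk level used to prioritize applications. The rule patterns, severity weights, level thresholds and the two PHP snippets are assumptions constructed for this example; a real SAST tool uses data-flow analysis rather than single-line regular expressions, so the sanitizer check here is deliberately crude.

```python
import re
from dataclasses import dataclass

# Constructed severity weights and rule base (assumptions for this example,
# not RIPS's rule set). Each rule: (pattern, sanitizer pattern or None,
# CWE id, severity, standards the finding is reported under).
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}

RULES = [
    # SQL query built directly from request data (PCI DSS 6.5.1, OWASP A1, SANS #1)
    (re.compile(r"mysqli?_query\s*\(.*\$_(GET|POST|REQUEST|COOKIE)"),
     None, "CWE-89", "critical", ("OWASP-A1", "SANS-1")),
    # shell command containing request data (PCI DSS 6.5.1, OWASP A1, SANS #2)
    (re.compile(r"\b(system|exec|shell_exec|passthru)\s*\(.*\$_(GET|POST|REQUEST)"),
     None, "CWE-78", "critical", ("OWASP-A1", "SANS-2")),
    # request data echoed into the page; skipped when an HTML encoder is on
    # the same line (PCI DSS 6.5.7, OWASP A3, SANS #4)
    (re.compile(r"\becho\b.*\$_(GET|POST|REQUEST|COOKIE)"),
     re.compile(r"\bhtml(specialchars|entities)\s*\("),
     "CWE-79", "high", ("OWASP-A3", "SANS-4")),
    # unsalted MD5/SHA-1 over a password variable (PCI DSS 6.5.3, OWASP A6, SANS #25)
    (re.compile(r"\b(md5|sha1)\s*\(\s*\$(pass|password|pwd)\w*\s*\)"),
     None, "CWE-759", "high", ("OWASP-A6", "SANS-25")),
]


@dataclass(frozen=True)
class Finding:
    app: str
    line_no: int
    cwe: str
    severity: str
    standards: tuple


def scan(app: str, php_source: str) -> list:
    """Run every rule over each source line and collect classified findings."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for pattern, sanitizer, cwe, severity, standards in RULES:
            if pattern.search(line) and not (sanitizer and sanitizer.search(line)):
                findings.append(Finding(app, line_no, cwe, severity, standards))
    return findings


def risk_score(findings: list) -> int:
    """Aggregate score: severity weights summed over all findings."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def risk_level(score: int) -> str:
    """Map the score onto a coarse level (constructed thresholds)."""
    if score == 0:
        return "none"
    if score < 7:
        return "low"
    if score < 15:
        return "medium"
    return "high"


def prioritize(apps: dict) -> list:
    """Scan each application and rank them most risky first."""
    ranked = []
    for name, source in apps.items():
        score = risk_score(scan(name, source))
        ranked.append((name, risk_level(score), score))
    return sorted(ranked, key=lambda entry: entry[2], reverse=True)


# Constructed sample applications (not real code): one with three weaknesses
# from the tables, one that encodes output and uses prepared statements.
SHOP_PHP = """<?php
$id = $_GET['id'];
$res = mysqli_query($db, "SELECT * FROM cards WHERE id=" . $_GET['id']);
echo "Hello " . $_GET['name'];
$hash = md5($password);
"""

PORTAL_PHP = """<?php
$name = htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
echo "Welcome " . htmlspecialchars($_GET['name']);
$stmt = $pdo->prepare("SELECT * FROM patients WHERE id = ?");
$hash = password_hash($password, PASSWORD_DEFAULT);
"""

SAMPLE_APPS = {"shop": SHOP_PHP, "portal": PORTAL_PHP}

if __name__ == "__main__":
    for name, level, score in prioritize(SAMPLE_APPS):
        print(f"{name}: risk level {level} (score {score})")
        for f in scan(name, SAMPLE_APPS[name]):
            print(f"  line {f.line_no}: {f.cwe} [{f.severity}] {', '.join(f.standards)}")
```

The scanner reports the shop application at risk level "high" with findings on lines 3, 4 and 5 (CWE-89, CWE-79, CWE-759), while the portal application produces no findings because its echo line carries an encoder and its query uses a prepared statement. Mapping each finding to several standards at once is what lets one scan result serve a PCI DSS, OWASP and CWE/SANS report simultaneously.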
OWASP Top 10
Legend for the RIPS column (the support icons are not reproduced in this text): fully supported; automated detection is limited by a software's ability to understand another software's logic.
Rank | Name | RIPS
---|---|---
A1 | Injection |
A2 | Broken Authentication and Session Management |
A3 | Cross-Site Scripting (XSS) |
A4 | Insecure Direct Object References |
A5 | Security Misconfiguration |
A6 | Sensitive Data Exposure |
A7 | Missing Function Level Access Control |
A8 | Cross-Site Request Forgery |
A9 | Using Components with Known Vulnerabilities |
A10 | Unvalidated Redirects and Forwards |
CWE/SANS Top 25
Legend for the RIPS column (the support icons are not reproduced in this text): fully supported; not applicable to PHP code but to the PHP interpreter; automated detection is limited by a software's ability to understand another software's logic.
Rank | ID | Name | RIPS
---|---|---|---
1 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
2 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
3 | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
4 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
5 | CWE-306 | Missing Authentication for Critical Function |
6 | CWE-862 | Missing Authorization |
7 | CWE-798 | Use of Hard-coded Credentials |
8 | CWE-311 | Missing Encryption of Sensitive Data |
9 | CWE-434 | Unrestricted Upload of File with Dangerous Type |
10 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
11 | CWE-250 | Execution with Unnecessary Privileges |
12 | CWE-352 | Cross-Site Request Forgery (CSRF) |
13 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
14 | CWE-494 | Download of Code Without Integrity Check |
15 | CWE-863 | Incorrect Authorization |
16 | CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
17 | CWE-732 | Incorrect Permission Assignment for Critical Resource |
18 | CWE-676 | Use of Potentially Dangerous Function |
19 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
20 | CWE-131 | Incorrect Calculation of Buffer Size |
21 | CWE-307 | Improper Restriction of Excessive Authentication Attempts |
22 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
23 | CWE-134 | Uncontrolled Format String |
24 | CWE-190 | Integer Overflow or Wraparound |
25 | CWE-759 | Use of a One-Way Hash without a Salt |
Summary
Fulfilling the requirements of security compliance is a good step towards building secure applications, especially if these applications are designed to handle sensitive information such as protected health data or credit card data. With the help of static code analysis tools, the technical requirements of these standards can be addressed and the security of applications becomes more manageable. RIPS supports the most common security standards, detects different classes of security issues, and helps to remediate all issues for maximum protection against attacks.
Follow us on Twitter to be notified when the next gift of our advent calendar is opened!
Disclaimer: The information provided here is for educational purposes only. It is your responsibility to obey all applicable local, state and federal laws. RIPS Technologies GmbH assumes no liability and is not responsible for any misuse or damages caused by direct or indirect use of the information provided.