Research shows that fixing security problems early in the development cycle is more efficient and cost-effective than the traditional penetrate-and-patch model. McAfee Strategic Security Services application security consultants use rigorous and efficient source code inspection to identify detrimental software security problems at the onset of the development cycle.
While we use commercial inspection tools to help automate the process, McAfee Strategic Security Services experts manually validate every issue and inspect code to overcome the limitations of automated tools and techniques that are ineffective. Our application security consultants find policy and best practice violations, such as inappropriate cryptography algorithms and common semantic language constructs that lead to vulnerabilities.
We have expertise in C, C++, C#, VB.NET Java, CFML, Perl, Classic ASP, and PHP working within development frameworks, such as J2EE and the .NET framework, and developing on Win32 and UNIX platforms.
McAfee Strategic Security Services' capability in source code security assessments extends from our Software and Application Security Service (SASS) consultants, who have performed source code audits on numerous client applications, as well as their own software. Our SASS consultants worked as development practitioners on commercial enterprise software systems and understand the software development process, as well as why and how security bugs are introduced. Our experience combined with advanced automated tools using contextual analysis, enable us to look at a greater amount of code faster, more accurately, and more effectively than other security consulting services.
Our detailed reports provide specific vulnerability information including line, file locations, the issue itself, and suggested solutions. We present an overview and statistics for code sections, such as the vulnerability density (per 1,000 lines of code) in specific areas. Also included is suggested strategic remediation, such as the creation of reusable components or security libraries.
When examining any sizeable application, we start by building a threat model in conjunction with the development team. This threat model helps us understand the applications’ functionality, technical design, and existing security threats and countermeasures. Threat models help us manage the size of the code base to examine down to a much smaller scope — typically 40% to 60% of the original code size.
Armed with the threat model and a complete understanding of the applications’ architecture, we use automated tools from Secure Software to assess the code for semantic and language security bugs. In general, we are looking for two types of issues: design flaws and implementation bugs. Design flaws include poor design ideas that have been implemented, such as choosing an inappropriate source of randomness for cryptographic key generation. Implementation bugs are typically syntactical or semantic language constructs that lead to security vulnerabilities. Software Magazine has published our work and methodology for code assessments in multiple articles.