Title: Application security code analysis: a step towards software assurance

Authors: Sanjay Rawat, Ashutosh Saxena

Addresses: Security and Privacy Group, SETLabs, Infosys Technologies Ltd., 210, Manikonda, Gachibowli, Hyderabad – 500032, India. ' Security and Privacy Group, SETLabs, Infosys Technologies Ltd., 210, Manikonda, Gachibowli, Hyderabad – 500032, India

Abstract: The last few years have witnessed a rapid growth in cyber attacks, with daily new vulnerabilities being discovered in computer applications. Various security-related technologies, e.g., anti-virus programs, Intrusion Detection Systems (IDSs)/Intrusion Prevention Systems (IPSs), firewalls, etc., are deployed to minimise the number of attacks and incurred losses. However, such technologies are not enough to completely eliminate the attacks to some extent; they can only minimise them. Therefore, software assurance is becoming a priority and an important characteristic of the software development life cycle. Application code analysis is gaining importance, as it can help in writing safe code during the development phase by detecting bugs that may lead to vulnerabilities. As a result, tremendous research on code analysis has been carried out by industry and academia and there exist many commercial and open source tools and approaches for this purpose. These have their own pros and cons. Therefore, the main objective of this article is to explore the state-of-the-art in code analysis and a few major tools which benefit not only security professionals, but also novice Information Technology (IT) professionals. We study the tools and techniques under the basic four types of analysis (Static Source Code (SSC), Static Binary Code (SBC), Dynamic Source Code (DSC) and Dynamic Binary Code (DBC) analysis) and briefly discuss them.

Keywords: security vulnerability; application code analysis; data flow; taint analysis; binary code instrumentation; code debugging; software assurance; information security; computer security; static source code; static binary code; dynamic source code; dynamic binary code.

DOI: 10.1504/IJICS.2009.026622

International Journal of Information and Computer Security, 2009 Vol.3 No.1, pp.86 - 110

Published online: 21 Jun 2009 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article