Code audit Contents Guidelines Tools Dependency on requirements See also References Navigation menu"Source Code Audit - FAQ""Guidelines for C source code auditing"Static analysis at the end of the SDLC doesn't work

Information technology audit


source codeprogrammingdefensive programmingvulnerabilitiesprogramming languages




A software code audit is a comprehensive analysis of source code in a programming project with the intent of discovering bugs, security breaches or violations of programming conventions. It is an integral part of the defensive programming paradigm, which attempts to reduce errors before the software is released. C and C++ source code is the most common code to be audited since many higher-level languages, such as Python, have fewer potentially vulnerable functions (e.g., functions that do not check bounds)[citation needed].




Contents





  • 1 Guidelines

    • 1.1 High-risk vulnerabilities


    • 1.2 Low-risk vulnerabilities



  • 2 Tools


  • 3 Dependency on requirements


  • 4 See also


  • 5 References




Guidelines


When auditing software, every critical component should be audited separately and together with the entire program. It is a good idea to search for high-risk vulnerabilities first and work down to low-risk vulnerabilities. Vulnerabilities in between high-risk and low-risk generally exist depending on the situation and how the source code in question is being used. Application penetration testing tries to identify vulnerabilities in software by launching as many known attack techniques as possible on likely access points in an attempt to bring down the application.[1] This is a common auditing method and can be used to find out if any specific vulnerabilities exist, but not where they are in the source code. Some claim that end-of-cycle audit methods tend to overwhelm developers, ultimately leaving the team with a long list of known problems, but little actual improvement; in these cases, an in-line auditing approach is recommended as an alternative.



High-risk vulnerabilities


Some common high-risk vulnerabilities may exist due to the use of:


  • Non-bounds-checking functions (e.g., strcpy, sprintf, vsprintf, and sscanf) that could lead to a buffer overflow vulnerability [2]

  • Pointer manipulation of buffers that may interfere with later bounds checking, e.g.: if ((bytesread = net_read(buf,len)) > 0) buf += bytesread; [2]

  • Calls like execve(), execution pipes, system() and similar things, especially when called with non-static arguments [2]

  • Input validation, e.g. (in SQL): statement := "SELECT * FROM users WHERE name = '" + userName + "';" is an example of a SQL injection vulnerability

  • File inclusion functions, e.g. (in PHP): include($page . '.php'); is an example of a Remote File Inclusion vulnerability

  • For libraries that may be linked with malicious code, returning the reference to the internal mutable data structure (record, array). Malicious code may try to modify the structure or retain the reference to observe the future changes.


Low-risk vulnerabilities


The following is a list of low-risk vulnerabilities that should be found when auditing code, but do not produce a high risk situation.


  • Client-side code vulnerabilities that do not affect the server side (e.g., cross-site scripting)

  • Username enumeration

  • Directory traversal


Tools


Source code auditing tools generally look for common vulnerabilities and only work for specific programming languages. Such automated tools could be used to save time, but should not be relied on for an in-depth audit. Applying such tools as part of a policy-based approach is recommended.[3]



Dependency on requirements


If set to the low threshold, most of the software auditing tools detect a lot of vulnerabilities, especially if the code has not been audited before. However the actual importance of these alerts also depends on how the application is used. The library that may be linked with the malicious code (and must be immune against it) has very strict requirements like cloning all returned data structures, as the intentional attempts to break the system are expected. The program that may only be exposed to the malicious input (like web server backend) must first care about this input (buffer overruns, SQL injection, etc.). Such attacks may never occur for the program that is only internally used by authorized users in a protected infrastructure.



See also


  • Information technology audit

  • Defensive programming

  • Remote File Inclusion

  • SQL injection

  • Buffer overflow

  • List of tools for static code analysis


References




  1. ^ "Source Code Audit - FAQ"..mw-parser-output cite.citationfont-style:inherit.mw-parser-output .citation qquotes:"""""""'""'".mw-parser-output .citation .cs1-lock-free abackground:url("//upload.wikimedia.org/wikipedia/commons/thumb/6/65/Lock-green.svg/9px-Lock-green.svg.png")no-repeat;background-position:right .1em center.mw-parser-output .citation .cs1-lock-limited a,.mw-parser-output .citation .cs1-lock-registration abackground:url("//upload.wikimedia.org/wikipedia/commons/thumb/d/d6/Lock-gray-alt-2.svg/9px-Lock-gray-alt-2.svg.png")no-repeat;background-position:right .1em center.mw-parser-output .citation .cs1-lock-subscription abackground:url("//upload.wikimedia.org/wikipedia/commons/thumb/a/aa/Lock-red-alt-2.svg/9px-Lock-red-alt-2.svg.png")no-repeat;background-position:right .1em center.mw-parser-output .cs1-subscription,.mw-parser-output .cs1-registrationcolor:#555.mw-parser-output .cs1-subscription span,.mw-parser-output .cs1-registration spanborder-bottom:1px dotted;cursor:help.mw-parser-output .cs1-ws-icon abackground:url("//upload.wikimedia.org/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/12px-Wikisource-logo.svg.png")no-repeat;background-position:right .1em center.mw-parser-output code.cs1-codecolor:inherit;background:inherit;border:inherit;padding:inherit.mw-parser-output .cs1-hidden-errordisplay:none;font-size:100%.mw-parser-output .cs1-visible-errorfont-size:100%.mw-parser-output .cs1-maintdisplay:none;color:#33aa33;margin-left:0.3em.mw-parser-output .cs1-subscription,.mw-parser-output .cs1-registration,.mw-parser-output .cs1-formatfont-size:95%.mw-parser-output .cs1-kern-left,.mw-parser-output .cs1-kern-wl-leftpadding-left:0.2em.mw-parser-output .cs1-kern-right,.mw-parser-output .cs1-kern-wl-rightpadding-right:0.2em


  2. ^ abc "Guidelines for C source code auditing".


  3. ^ "Static analysis at the end of the SDLC doesn't work" by Wayne Ariola, SearchSoftwareQuality.com, September 22, 2008








Information technology auditUncategorized
-

Popular posts from this blog

Creating 100m^2 grid automatically using QGIS?Creating grid constrained within polygon in QGIS?Createing polygon layer from point data using QGIS?Creating vector grid using QGIS?Creating grid polygons from coordinates using R or PythonCreating grid from spatio temporal point data?Creating fields in attributes table using other layers using QGISCreate .shp vector grid in QGISQGIS Creating 4km point grid within polygonsCreate a vector grid over a raster layerVector Grid Creates just one grid

Image
Pattern match does not work in bash script Mage Armor with Defense fighting style (for Adventurers League bladeslinger) LaTeX closing $ signs makes cursor jump String Manipulation Interpreter Can divisibility rules for digits be generalized to sum of digits I'm planning on buying a laser printer but concerned about the life cycle of toner in the machine What is the offset in a seaplane's hull? How can I make my BBEG immortal short of making them a Lich or Vampire? What are the differences between the usage of 'it' and 'they'? The use of multiple foreign keys on same column in SQL Server How did the USSR manage to innovate in an environment characterized by government censorship and high bureaucracy? Is it tax fraud for an individual to declare non-taxable revenue as taxable income? (US tax laws) Why Is Death Allowed In the Matrix? Minkowski space Why are 150k or 200k jobs considered good when there are 300k+ births a month? Why do f...
Read more

Nikolai Prilezhaev Bibliography References External links Navigation menuEarly Russian Organic Chemists and Their Legacy092774english translationRussian Biography

19th-century chemists20th-century chemists1877 births1944 deathsRussian chemists RussianO.S.KopossevoNizhny NovgorodMoscoworganic chemistPrilezhaev ReactionepoxidesalkenesperoxyacidsUniversity of WarsawYegor Yegorovich VagnerGeorg WagnerSt. PetersburgPolytechnic in KievUniversity of MinskBelarusian Academy of SciencesAlexei Nikolaevich Bachname reactionSoviet Academy of Sciences Nikolai Alexandrovich Prilezhaev , Russian: Николай Александрович Прилежаев , (Born 15 [O.S. 1877] 27 [1] in Kopossevo near Nizhny Novgorod, died May 26, 1944 in Moscow) was a Russian organic chemist. The Prilezhaev Reaction between epoxides and alkenes to form peroxyacids is named after him. Prilezhaev was the son of a clergyman and studied chemistry at the Theological Seminary in Warsaw (graduated in 1895) and then at the Univ...
Read more

How to link a C library to an Assembly library on Mac with clangHow do you set, clear, and toggle a single bit?Find (and kill) process locking port 3000 on MacWho is listening on a given TCP port on Mac OS X?How to start PostgreSQL server on Mac OS X?Compile assembler in nasm on mac osHow do I install pip on macOS or OS X?AFNetworking 2.0 “_NSURLSessionTransferSizeUnknown” linking error on Mac OS X 10.8C++ code for testing the Collatz conjecture faster than hand-written assembly - why?How to link a NASM code and GCC in Mac OS X?How to run x86 .asm on macOS Sierra

Image
Is there enough fresh water in the world to eradicate the drinking water crisis? What is the term when two people sing in harmony, but they aren't singing the same notes? Is there a problem with hiding "forgot password" until it's needed? Why does this part of the Space Shuttle launch pad seem to be floating in air? Hostile work environment after whistle-blowing on coworker and our boss. What do I do? How to prevent YouTube from showing already watched videos? Is there an Impartial Brexit Deal comparison site? Would it be legal for a US State to ban exports of a natural resource? Can somebody explain Brexit in a few child-proof sentences? Latex for-and in equation Is a naturally all "male" species possible? Is there an wasy way to program in Tikz something like the one in the image? How to deal with or prevent idle in the test team? node command while defining a coordinate in TikZ Simulating a probability of 1 of 2^N with less tha...
Read more