Code audit Contents Guidelines Tools Dependency on requirements See also References Navigation menu"Source Code Audit - FAQ""Guidelines for C source code auditing"Static analysis at the end of the SDLC doesn't work

Information technology audit


source codeprogrammingdefensive programmingvulnerabilitiesprogramming languages




A software code audit is a comprehensive analysis of source code in a programming project with the intent of discovering bugs, security breaches or violations of programming conventions. It is an integral part of the defensive programming paradigm, which attempts to reduce errors before the software is released. C and C++ source code is the most common code to be audited since many higher-level languages, such as Python, have fewer potentially vulnerable functions (e.g., functions that do not check bounds)[citation needed].




Contents





  • 1 Guidelines

    • 1.1 High-risk vulnerabilities


    • 1.2 Low-risk vulnerabilities



  • 2 Tools


  • 3 Dependency on requirements


  • 4 See also


  • 5 References




Guidelines


When auditing software, every critical component should be audited separately and together with the entire program. It is a good idea to search for high-risk vulnerabilities first and work down to low-risk vulnerabilities. Vulnerabilities in between high-risk and low-risk generally exist depending on the situation and how the source code in question is being used. Application penetration testing tries to identify vulnerabilities in software by launching as many known attack techniques as possible on likely access points in an attempt to bring down the application.[1] This is a common auditing method and can be used to find out if any specific vulnerabilities exist, but not where they are in the source code. Some claim that end-of-cycle audit methods tend to overwhelm developers, ultimately leaving the team with a long list of known problems, but little actual improvement; in these cases, an in-line auditing approach is recommended as an alternative.



High-risk vulnerabilities


Some common high-risk vulnerabilities may exist due to the use of:


  • Non-bounds-checking functions (e.g., strcpy, sprintf, vsprintf, and sscanf) that could lead to a buffer overflow vulnerability [2]

  • Pointer manipulation of buffers that may interfere with later bounds checking, e.g.: if ((bytesread = net_read(buf,len)) > 0) buf += bytesread; [2]

  • Calls like execve(), execution pipes, system() and similar things, especially when called with non-static arguments [2]

  • Input validation, e.g. (in SQL): statement := "SELECT * FROM users WHERE name = '" + userName + "';" is an example of a SQL injection vulnerability

  • File inclusion functions, e.g. (in PHP): include($page . '.php'); is an example of a Remote File Inclusion vulnerability

  • For libraries that may be linked with malicious code, returning the reference to the internal mutable data structure (record, array). Malicious code may try to modify the structure or retain the reference to observe the future changes.


Low-risk vulnerabilities


The following is a list of low-risk vulnerabilities that should be found when auditing code, but do not produce a high risk situation.


  • Client-side code vulnerabilities that do not affect the server side (e.g., cross-site scripting)

  • Username enumeration

  • Directory traversal


Tools


Source code auditing tools generally look for common vulnerabilities and only work for specific programming languages. Such automated tools could be used to save time, but should not be relied on for an in-depth audit. Applying such tools as part of a policy-based approach is recommended.[3]



Dependency on requirements


If set to the low threshold, most of the software auditing tools detect a lot of vulnerabilities, especially if the code has not been audited before. However the actual importance of these alerts also depends on how the application is used. The library that may be linked with the malicious code (and must be immune against it) has very strict requirements like cloning all returned data structures, as the intentional attempts to break the system are expected. The program that may only be exposed to the malicious input (like web server backend) must first care about this input (buffer overruns, SQL injection, etc.). Such attacks may never occur for the program that is only internally used by authorized users in a protected infrastructure.



See also


  • Information technology audit

  • Defensive programming

  • Remote File Inclusion

  • SQL injection

  • Buffer overflow

  • List of tools for static code analysis


References




  1. ^ "Source Code Audit - FAQ"..mw-parser-output cite.citationfont-style:inherit.mw-parser-output .citation qquotes:"""""""'""'".mw-parser-output .citation .cs1-lock-free abackground:url("//upload.wikimedia.org/wikipedia/commons/thumb/6/65/Lock-green.svg/9px-Lock-green.svg.png")no-repeat;background-position:right .1em center.mw-parser-output .citation .cs1-lock-limited a,.mw-parser-output .citation .cs1-lock-registration abackground:url("//upload.wikimedia.org/wikipedia/commons/thumb/d/d6/Lock-gray-alt-2.svg/9px-Lock-gray-alt-2.svg.png")no-repeat;background-position:right .1em center.mw-parser-output .citation .cs1-lock-subscription abackground:url("//upload.wikimedia.org/wikipedia/commons/thumb/a/aa/Lock-red-alt-2.svg/9px-Lock-red-alt-2.svg.png")no-repeat;background-position:right .1em center.mw-parser-output .cs1-subscription,.mw-parser-output .cs1-registrationcolor:#555.mw-parser-output .cs1-subscription span,.mw-parser-output .cs1-registration spanborder-bottom:1px dotted;cursor:help.mw-parser-output .cs1-ws-icon abackground:url("//upload.wikimedia.org/wikipedia/commons/thumb/4/4c/Wikisource-logo.svg/12px-Wikisource-logo.svg.png")no-repeat;background-position:right .1em center.mw-parser-output code.cs1-codecolor:inherit;background:inherit;border:inherit;padding:inherit.mw-parser-output .cs1-hidden-errordisplay:none;font-size:100%.mw-parser-output .cs1-visible-errorfont-size:100%.mw-parser-output .cs1-maintdisplay:none;color:#33aa33;margin-left:0.3em.mw-parser-output .cs1-subscription,.mw-parser-output .cs1-registration,.mw-parser-output .cs1-formatfont-size:95%.mw-parser-output .cs1-kern-left,.mw-parser-output .cs1-kern-wl-leftpadding-left:0.2em.mw-parser-output .cs1-kern-right,.mw-parser-output .cs1-kern-wl-rightpadding-right:0.2em


  2. ^ abc "Guidelines for C source code auditing".


  3. ^ "Static analysis at the end of the SDLC doesn't work" by Wayne Ariola, SearchSoftwareQuality.com, September 22, 2008








Information technology auditUncategorized
-

Popular posts from this blog

Frič See also Navigation menuinternal link

Image
SurnamesCzech-language surnames ‹ The template Infobox surname is being considered for merging. › Frič Origin Language(s) Czechized German (eastern Middle German dialects and Alemannic German) - Thuringian, Upper Saxon, Low Lusatian, Silesian Meaning derived from German: Friedrich Other names Variant(s) Fritsch, Fritzsch, Frycz, Fricz, Fryczyński, Frietsch, Fritsche, Fritzsche; Fritschi (Alemannic), Fritz, Fritze, Fritzel, Fritzl, Fritzke, Fritzen Frič is a Czechized German surname. Notable people with the surname include: Alberto Vojtěch Frič, Czech botanist Antonín Jan Frič (Fritsch) , Czech paleontologist Jaroslav Erik Frič, Czech poet Martin Frič, Czech film director, screenwriter and actor See also Fričovce (Hungarian: Frics ) .mw-parser-output table.dmboxclear:both;margin:0.9em 1em;border-top:1px solid #ccc;border-bottom:1px solid #ccc;background-color:transparent Surname list This page lists people with the surname Frič . If an internal link intending to refer to a specifi
Read more

Identify plant with long narrow paired leaves and reddish stems Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?What is this plant with long sharp leaves? Is it a weed?What is this 3ft high, stalky plant, with mid sized narrow leaves?What is this young shrub with opposite ovate, crenate leaves and reddish stems?What is this plant with large broad serrated leaves?Identify this upright branching weed with long leaves and reddish stemsPlease help me identify this bulbous plant with long, broad leaves and white flowersWhat is this small annual with narrow gray/green leaves and rust colored daisy-type flowers?What is this chilli plant?Does anyone know what type of chilli plant this is?Help identify this plant

Image
Apollo command module space walk? prime numbers and expressing non-prime numbers Can a non-EU citizen traveling with me come with me through the EU passport line? Extract all GPU name, model and GPU ram How to deal with a team lead who never gives me credit? Why was the term "discrete" used in discrete logarithm? Why do we bend a book to keep it straight? When do you get frequent flier miles - when you buy, or when you fly? How come Sam didn't become Lord of Horn Hill? At the end of Thor: Ragnarok why don't the Asgardians turn and head for the Bifrost as per their original plan? Is it true that "carbohydrates are of no use for the basal metabolic need"? Using et al. for a last / senior author rather than for a first author How to tell that you are a giant? How to react to hostile behavior from a senior developer? String `!23` is replaced with `docker` in command line How to find out what spells would be useless to a blind NPC sp
Read more

fontconfig warning: “/etc/fonts/fonts.conf”, line 100: unknown “element blank” The 2019 Stack Overflow Developer Survey Results Are In“tar: unrecognized option --warning” during 'apt-get install'How to fix Fontconfig errorHow do I figure out which font file is chosen for a system generic font alias?Why are some apt-get-installed fonts being ignored by fc-list, xfontsel, etc?Reload settings in /etc/fonts/conf.dTaking 30 seconds longer to boot after upgrade from jessie to stretchHow to match multiple font names with a single <match> element?Adding a custom font to fontconfigRemoving fonts from fontconfig <match> resultsBroken fonts after upgrading Firefox ESR to latest Firefox

Image
How to type this arrow in math mode? Multiply Two Integer Polynomials What do hard-Brexiteers want with respect to the Irish border? Why isn't the circumferential light around the M87 black hole's event horizon symmetric? For what reasons would an animal species NOT cross a *horizontal* land bridge? Can one be advised by a professor who is very far away? Identify boardgame from Big movie slides for 30min~1hr skype tenure track application interview Why do we hear so much about the Trump administration deciding to impose and then remove tariffs? If I score a critical hit on an 18 or higher, what are my chances of getting a critical hit if I roll 3d20? Can we generate random numbers using irrational numbers like π and e? Worn-tile Scrabble Output the Arecibo Message What is the meaning of Triage in Cybersec world? How are circuits which use complex ICs normally simulated? Shouldn't "much" here be used instead of "more"? Dele
Read more