SmartDec Scanner #3: Overview

Ivan Ivanitskiy
SmartDec Cybersecurity Blog
7 min read · Sep 12, 2019


We have already described particular features of SmartDec Scanner in our previous articles. However, we have been getting more general questions about the scanner — what it is and what problem it solves. In this article I will try to answer them by giving an overview of SmartDec Scanner.

Why analyze app code?

Remote service evolution

Although code vulnerabilities and undocumented features are no longer a novelty, they were somewhat neglected by cybersecurity officers, as apps most often ran within corporate LANs and were inaccessible to external users. Moreover, cybersecurity teams had to address much more pressing challenges, such as perimeter security, access management, data leak prevention, endpoint protection against malware, etc. However, the development of remote services has totally changed the game.

  • Online services and apps can now be used and accessed by any customer.
  • More business systems are accessible to remote employees on a 24/7 basis.
  • An undefined outer perimeter makes the software itself the only security layer.
  • The more skilled and experienced cyber criminals are, the greater the risk that app code vulnerabilities and undocumented features will be exploited.

Therefore, undocumented features and vulnerabilities in the app code directly affect IT system performance, sensitive data confidentiality, and the financial safety of organizations and their customers. This is especially true for public online services and apps that depend on service availability and carry out financial transactions in real time.

Development process acceleration

The app vulnerability problem is aggravated by the adoption of faster code development and release methods driven by widespread competition. Such methods include continuous integration (CI), i.e. merging developer working copies into a shared trunk several times a day, and continuous delivery (CD), i.e. building, testing, and releasing software at maximum speed. Under such conditions there is simply no time to thoroughly analyze the code for vulnerabilities, as delivering project parts on time is critical, and undocumented features are often added for fast debugging or quick fixing and remain in the code from then on.

Legacy software

Another problem is the widespread use of legacy information systems. These systems are often developed by amateurs, outdated, poorly documented, and heavily modified compared to their original versions. Moreover, original developers may have left the market or organization long ago. Therefore, vulnerabilities in such systems cannot be eliminated due to the lack of available updates. Moreover, these systems are often mission-critical and therefore cannot be stopped or promptly replaced with a better alternative.

Obsolete code with well-studied, well-known vulnerabilities, together with undocumented features embedded by developers intentionally or accidentally, poses huge financial and reputational risks. Attackers can exploit these weaknesses to penetrate an IT infrastructure, interfere with a legacy system (even causing it to crash) and steal sensitive data such as financial reports. Examining legacy systems for vulnerabilities and undocumented features is further complicated by the unavailability of source code when contractors change and developers leave.

90% of successful cyber attacks exploit vulnerabilities

Given the above problems, app code analysis has become one of the most important cybersecurity tools. However, since combating vulnerabilities and undocumented features is fairly new to cybersecurity officers, no best practices are available yet. This is mainly due to the fact that cybersecurity and software development teams speak different languages. Developers are committed first to writing code on time, minimizing bugs, and meeting business needs, with only a few complying with the Security Development Lifecycle (SDL), while most cybersecurity officers cannot articulate what they want from developers. As a result, app security has become a very serious problem: according to the US Department of Homeland Security, over 90% of successful cyber attacks have exploited app vulnerabilities. The most common attacks include:

  • SQL code injection
  • Buffer overflow
  • Cross-site scripting
  • Security misconfiguration

How to reduce code vulnerability exploitation risks

In order to prevent or minimize incidents related to app code vulnerabilities and undocumented features:

  • Regularly analyze security of app code developed both in-house and by external contractors
  • Take measures to address revealed vulnerabilities as fast as possible (e.g. promptly reconfigure Web Application Firewall)
  • Ensure code correction by developers to eliminate vulnerabilities and undocumented features in the code itself

Ensuring end-to-end security at a medium-size or large company requires Security Development Lifecycle (SDL) adoption, which can promptly detect code vulnerabilities and undocumented features before an official app release.

App code analysis technologies

Gartner’s IT market experts believe that app code analysis for vulnerability and undocumented features is one of the key technologies when it comes to ensuring app security and SDL compliance.

Currently, they identify four major code testing methods:

  • SAST (Static Application Security Testing) is the analysis of source code without executing it (the “white box” method). It is ideal for integrating code testing into the app development process with the objective of establishing SDL on top of CI.
  • DAST (Dynamic Application Security Testing) is the analysis of executable files running on a physical or virtual processor (the “black box” method). It implies testing already deployed and running apps and is widely used by teams practicing the waterfall development method and by analysts who cannot access the app source code. Because the source code is unavailable and the methodology is inherently restricted, DAST detects far fewer vulnerabilities than SAST.
  • mAST (mobile Application Security Testing) is a type of mobile app code analysis that takes mobile platform specifics into account (primarily Google Android or Apple iOS).

Currently, SAST is the most mature and reliable way to analyze code. SmartDec has long been developing SmartDec Scanner, a unique proprietary static code analyzer which identifies vulnerabilities in both source code and executables (binary code).

SmartDec Scanner description

SmartDec Scanner is a static app code analyzer capable of identifying vulnerabilities and undocumented features. Its distinctive feature is the ability to analyze not only source code, but also executables (i.e. binaries) and to return much better results than when using DAST. The analyzer can test apps written in 30 programming languages or that have been compiled into an executable file with one of seven extensions, including those for Google Android, Apple iOS, and Apple macOS.

  • Supported programming languages: Java, Java for Android, JavaScript, JSP, TypeScript, VBScript, VBA, Scala, HTML5, PHP, Python, Groovy, Kotlin, Go, Ruby, C#, C/C++, Objective-C, Swift, ABAP, Apex, ASP.NET, Solidity, PL/SQL, T-SQL, Visual Basic 6.0, 1C, Delphi and COBOL.
  • Projects can be uploaded in .7Z, .EAR/AAR, .RAR, .TAR.BZ2, .TAR.GZ, .TAR, and .CPIO archives.
  • Supported executable file extensions: jar, war, dll, exe, apk, ipa, and app.

Mobile app code can be tested simply by pasting the app’s Google Play or App Store link into the analyzer, which can be considered full mAST.

To detect vulnerabilities and undocumented features, SmartDec Scanner leverages 10+ analysis methods, including lexical, syntax, semantic, dataflow, taint, constant propagation, type propagation, synonym and control flow graph analysis. Users can configure analysis settings, exclude some vulnerability classes, or start an incremental analysis in which only the changed code segments are checked.
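To make the taint and dataflow methods listed above concrete, here is an added example (not SmartDec Scanner code) of a minimal flow-sensitive taint analysis over a constructed Python snippet: data from an untrusted source is tracked through assignments and string concatenation until it reaches a query sink, while a sanitizer call clears the taint. The function names `request_param`, `read_input`, `escape` and `execute_sql` are hypothetical stand-ins for a real program’s sources, sanitizers and sinks.

```python
import ast  # ast.unparse below needs Python 3.9+

# Hypothetical names standing in for a real program's sources, sanitizers and sinks.
SOURCES = {"request_param", "read_input"}  # where untrusted data enters
SANITIZERS = {"escape"}                     # calls that neutralize tainted data
SINKS = {"execute_sql"}                     # dangerous consumers, e.g. a query executor


def expr_tainted(expr, tainted):
    """Return True if the expression can carry data derived from a taint source."""
    if isinstance(expr, ast.Call) and isinstance(expr.func, ast.Name):
        if expr.func.id in SANITIZERS:
            return False  # sanitizer output is treated as clean
        if expr.func.id in SOURCES:
            return True   # fresh untrusted input
    # Concatenations, f-strings and other calls are tainted if they mention a
    # tainted variable; sanitizers nested deeper are over-approximated as tainted.
    return any(isinstance(n, ast.Name) and n.id in tainted for n in ast.walk(expr))


def analyze(source_code):
    """Taint pass over top-level statements; returns (line, sink, argument) findings."""
    tainted, findings = set(), []
    for stmt in ast.parse(source_code).body:
        if isinstance(stmt, ast.Assign) and len(stmt.targets) == 1 \
                and isinstance(stmt.targets[0], ast.Name):
            name = stmt.targets[0].id
            if expr_tainted(stmt.value, tainted):
                tainted.add(name)
            else:
                tainted.discard(name)  # reassignment with clean data kills the taint
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if isinstance(call.func, ast.Name) and call.func.id in SINKS:
                for arg in call.args:
                    if expr_tainted(arg, tainted):
                        findings.append((stmt.lineno, call.func.id, ast.unparse(arg)))
    return findings


# Constructed sample program: one unsanitized and one sanitized query.
SAMPLE = """\
user = request_param("user")
safe_user = escape(user)
query1 = "SELECT * FROM accounts WHERE name = '" + user + "'"
query2 = "SELECT * FROM accounts WHERE name = '" + safe_user + "'"
execute_sql(query1)
execute_sql(query2)
"""

if __name__ == "__main__":
    for line, sink, arg in analyze(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}({arg})")  # reports line 5 only
```

A production analyzer adds interprocedural propagation, control-flow sensitivity across branches and the kind of fuzzy scoring the article mentions; this toy shows only the core source-to-sink tracking.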

Detected vulnerabilities and undocumented features are highlighted directly in the analyzed app code, even when found in executables (no debug_info file is needed for this). It is also possible to compare the analysis results of a project across the changes that are made while writing code, with a notification about the differences sent by email.

SmartDec Scanner employs a Fuzzy Logic Engine, based on proprietary know-how, which uses fuzzy set and fuzzy logic mathematical tools to minimize the number of both false positives and false negatives (missed vulnerabilities or undocumented features).

Eliminating vulnerabilities and undocumented features requires not only detecting them, but also correctly describing how they can be exploited and how to fix them. SmartDec Scanner provides detailed advice on eliminating detected vulnerabilities and undocumented features, describes the ways they can be exploited, and recommends how to configure the WAF. SmartDec Scanner’s database of vulnerability and undocumented feature search rules is continuously updated by the analyzer developers as a result of their R&D activities.

To enable Secure SDLC, SmartDec Scanner can be easily integrated with the Git repository and CI/CD servers, such as Jenkins, TFS CI (Azure DevOps Server) and TeamCity, offering quick analysis for both source and binary codes. The solution can also be integrated with the Atlassian Jira issue tracking system, which monitors the process of eliminating vulnerabilities and undocumented features. Support for Microsoft Active Directory streamlines control over access to SmartDec Scanner in cases where multiple developers are present.

For interoperability with other systems and services, the analyzer offers an open API.

Application areas

SmartDec Scanner is a must if companies need to:

  • Sell goods and services online, provide online banking, personal account functionality, mobile e-commerce, and other online services to external users
  • Check apps for vulnerabilities and undocumented features left by developers, even if source code is unavailable
  • Comply with PCI DSS, OWASP and HIPAA requirements in terms of software code analysis
  • Strengthen the authority and influence of the cybersecurity function with regard to both in-house and third-party developers
  • Properly and promptly set up Web Application Firewalls

Conclusion

I hope I’ve managed to describe what SmartDec Scanner is and what problem it solves. You can also take a look at our videos (1, 2) or request a free trial or demo via trial@smartdec.com. We will be happy to answer your questions or receive feature requests.

This article was created by SmartDec, a security team specialized in static code analysis, decompilation and secure development.

Feel free to use SmartCheck, our smart contract security tool for Solidity and Vyper, and follow us on Medium, Telegram and Twitter. We are also available for smart contract development and auditing work.
