What Is Code Scanning?
Software and its code commonly contains errors. Some of these bugs are not critical and might affect only the functionality of the application, while others might affect security. In other cases, application code might initially appear secure, but a vulnerability could be discovered that makes it exploitable by attackers. Identifying and fixing these potentially exploitable security vulnerabilities, a process known as vulnerability management, is critical to application security.
A code scanner is a tool used to identify potential security issues in software applications. Various code scanning techniques can be used to identify vulnerabilities in applications before they go into production, and also to scan applications already running in production environments. The earlier code scanning is introduced into the development process, the lower the risk of deploying security vulnerabilities to production, and the lower the cost and complexity of remediating them.
In this article:
Why Is Code Scanning Security Important?
Developers and security professionals are becoming more proficient at recognizing security vulnerabilities in application code. However, many developers are still learning secure coding practices, and even seasoned developers could introduce them by mistake. In addition, some types of security vulnerabilities, such as the use of unsafe open source components, cannot be discovered without automed tools.
Most organizations recognize the value of reviewing code to find errors and bugs—this could happen via informal peer review, static analysis, or automated unit tests. The important thing to realize is that these quality reviews must also consider security issues in the code. However, many organizations do not have the necessary expertise or tooling, and many developers are not sufficiently aware that they need to actively work to prevent hackers from breaching their code.
Manual code reviews can be time consuming and expensive. In complex software applications, it is impractical to manually trace the flow of data through the entire call stack. Even the best security reviewers can miss important bugs. Fortunately, security testing expertise has been translated into a range of automated tools, which can be used to quickly and efficiently discover security vulnerabilities. Automated code scanners can constantly find a range of security issues and alert developers to them, enabling fast and easy remediation.
Vulnerability Scanning vs. Code Scanning
A vulnerability scanner is an application that identifies IT resources and their configuration, and compares the data with databases of known vulnerabilities. The result is a list of systems with known vulnerabilities that need attention, prioritizing their severity.
A code scanner is typically applied to a specific software application. It reviews source code and identifies security issues and vulnerabilities, either by comparing source code to known security best practices, or by checking code artifacts or components against vulnerability databases.
Some vulnerability scanners double as code scanners, providing the ability to examine the source code of production applications and identify security issues directly in the code. DAST scanners, described below, provide this capability.
Related content: Read our guide to the vulnerability scanning process
Code Scanning and Testing Tools
Static Analysis Security Testing (SAST)
SAST includes tools and techniques designed to inspect source code for defects and vulnerabilities at the development stage. It uses a white box testing approach, leveraging internal knowledge of the software and its structure.
For example, a SAST tool can identify weak random number generators, detect potential buffer overflows, identify potential SQL injections, and flag cross-site scripting (XSS) flaws. SAST tools can also check and enforce coding formats and standards. This can include everything from indentation to variable naming conventions.
SAST tools work by scanning source code in a code repository. They scan static code line by line, compare them to business rules, policies and security benchmarks, and identify issues. SAST tools come with a wide range of tests out of the box, and additional rules or testing scenarios can be defined and added as needed.
Dynamic Analysis Security Testing (DAST)
DAST refers to a set of tools and techniques for examining vulnerabilities in running applications (typically web-based applications). This method is a kind of black box test. Unlike SAST, which directly scans a codebase, DAST has no knowledge of the underlying code. Instead, DAST tools are designed to inject defective or malicious inputs into applications and observe the result.
DAST is useful for finding server configuration and authentication issues, as well as bugs that only appear when a user logs in. For example, the tool attempts cross-site scripting attacks or provides alphanumeric input to dialogs that require numeric input. The goal is to see how the software handles errors.
DAST tests running software from the perspective of an external user, just like hackers discover and exploit weaknesses. It can scan applications running in staging or production environments.
The DAST tool is essentially an input simulator. It provides thousands of possible inputs, and allows teams to design additional inputs, to simulate a malicious attack on an application and compare the expected output to the actual outcome. If there is a discrepancy between the expected and actual results, the software may be defective and remediation is needed.
DAST is commonly used to test web applications, and teams often use this method to inject malicious data and discover common web application vulnerabilities, in particular code injection threats. DAST can also identify business logic vulnerabilities by simulating arbitrary user actions.
Software Composition Analysis (SCA)
Software configuration analysis (SCA) is an automated process that identifies open source and third party components in a codebase. It can help evaluate security, license compliance issues, and code quality in these components.
SCA tools inspect package managers, manifest files, source code, binaries, container images, and more. Identified open source components are compiled into a Bill of Materials (BOM) and compared against various vulnerability databases.
SCA tools can also compare the BOM to license databases to detect licenses that do not meet the organization’s legal or compliance requirements, and can analyze the overall code quality of each component, by analyzing version control and contribution history. This allows security teams to identify and fix critical security and compliance issues.
Code Scanning in the CI/CD Pipeline
Automated scanning and auditing tools are essential for identifying issues during the development stage and enabling developers to address them quickly.
Ideally, developers should use the following techniques and tools to test their software:
- Built-in code analysis tools—works within the development environment to prevent common errors as they emerge during the code writing process.
- Software composition analysis (SCA)—works within the CI/CD pipeline to ensure the code in an application is secure. It is especially important for projects that use open source components because an insecure version of an open source library could introduce serious vulnerabilities to the application.
- Static application security testing (SAST)—operates within the CI/CD pipeline to analyze source code and identify potential vulnerabilities before the team builds the software. However, SAST also has several disadvantages, such as a high rate of false positives.
- Dynamic application security testing (DAST)—operates within the CI/CD pipeline to analyze applications at runtime. Once the code is compiled, it works without accessing the source code, identifying actual security vulnerabilities to reduce false positives.
- Manual penetration tests—help identify errors and vulnerabilities that automated solutions cannot discover, such as business logic flaws. However, penetration testing is time-consuming and requires experienced security specialists, making it feasible only for advanced, high-priority threats. Usually, it takes place at the end of the SDLC.
Implementing security scanning early in the SDLC is important but requires significant resources and time. Development teams must often balance the test quality requirements with the time needed to perform the tests.
Best Practices for Code Scanning and Secure Coding
Create a Source Code Protection Policy
A source code protection policy is a set of rules, requirements, and procedures for handling and protecting source code. It also clearly defines the roles involved in source code development and the process and tools they follow. By defining and enforcing this policy, you can protect your code from threats such as reverse engineering and code tampering.
As part of the source code protection policy, you can ensure secure access and use of source code repositories, mandate the use of encryption, and protect access to continuous integration and continuous delivery (CI/CD) pipeline components.
A source code protection policy should include documentation and training on secure coding practices and incorporating security into the software development lifecycle (SDLC), including where and how code scanners will be integrated into the pipeline.
Test as Early as Possible to Promote Accountability
Secure coding policies, including requirements and guidelines, are insufficient to ensure high-quality code. Likewise, setting up testing infrastructure does not guarantee effective tests. Development teams must take responsibility for security, adhering to coding policies through the SDLC and taking a proactive security approach rather than relying on tests to find bugs.
Enforcing rules is not as effective as promoting a security-oriented attitude, ensuring that developers understand that secure coding practices are in their interest. Taking responsibility for writing clean code means that whenever they discover an error, developers are ready to address it straight away, without relying on others to apply fixes later.
Shifting security left (i.e., writing secure code from the start and performing early tests) can help give developers a sense of ownership of application security. The alternative is to shift security to the right and test software just before production release—however, this approach is less effective. It is often more expensive and time-consuming than shifting left.
Under the shift-right approach, the code must pass through the entire pipeline when the tests identify an issue. Given the time lapsed between the initial coding stage and the testing process, developers often cannot remember the details of the code, or they might assign it to different developers. Ultimately, it takes longer to identify and mitigate vulnerabilities, delaying the overall release.
Conduct Secure Application Development Training
Code scanning is not effective when developers are unaware of security best practices. Even with code scanning technology in place, developers will continue to introduce security flaws into their code, and might find it difficult to implement the recommendations from code scanning tools.
The reality is that many highly skilled developers are less knowledgeable about security. Many coding courses and college programs teach details like formal verification while neglecting cybersecurity and common attacks. The problem is more widespread among developers who haven’t taken recent courses with a security emphasis.
Here are a few ways you can make developers more aware of security concerns, making them active partners in your security program::
- Ensure managers are highly security-oriented and can drive security awareness among development teams.
- Don’t assume what developers know—check their knowledge and provide extra training if required.
- Keep track of new threats and security techniques and train developers regularly to ensure they stay up-to-date.
- Account for mistakes made by developers.
- Foster collaboration between the development and security teams.
- Use an “assume breach” mentality—make sure internal components and inter-service communication is secure, even if those components are behind a firewall.