Andrey Karpov, profile picture
Uploaded byAndrey Karpov
PPTX, PDF91 views

Static code analyzers as a DevSecOps solution

The document discusses the role of static code analyzers in a DevSecOps environment, highlighting their automation benefits for vulnerability detection compared to traditional code reviews and dynamic analysis. It emphasizes the importance of integrating these tools into development processes for ongoing error detection and prevention, using standards and frameworks such as CWE, CVE, and MISRA. The conclusion stresses the high cost of security issues in final products and advocates for regular static analysis to uncover potential vulnerabilities early in the development cycle.

Download to read offline
Static code analyzers as a DevSecOps solution April 20, 2019 Holiday Inn Moscow Sokolniki
2 A few words about me • Yuri Minaev • C++ developer in the PVS-Studio company • minaev@viva64.com
3 DevSecOps
4 https://www.nist.gov/sites/default/files/documents/director/planning/report02-3.pdf
5
6 How to detect vulnerabilities  Code review  Unit-tests and dynamic analysis  Static analysis
7 Code Review
8 Code Review • Pros: – Sharing experience – Off the reel fixes • Cons: – Expensive and time-consuming – You get tired of viewing code
9 Static code analysis • Is the same as code review, but automated
10 Static code analysis • Pros: – Less costly – The analyzer doesn’t get tired – The analyzer is aware of error patterns, unknown to programmers • Cons: – False positives – You cannot find high level errors – It’s tricky with multithreading
11 Dynamic analysis • Pros: – Analysis during the performing process – No false positives • Cons: – Sanitizers and profilers are slow – You’ll often need some specific input data – Tests cannot cover all cases
12 Which method is better?
13 About tainted reputation
14 Modern analyzers  Integration in IDE  Integration in build systems and CI  Incremental analysis  Mechanisms of noise suppression
15 Integration in CI  Launch as a build step  Reports about found errors
SonarQube • «Control source code quality using the SonarQube platform» http://www.viva64.com/en/b/0452/ 16
17 Static Application Security Testing (SAST)  Automated search of errors in code  Detection of vulnerabilities that occur due to programming errors  More than 60% of vulnerabilities are programming errors © NIST
18 From an error to a vulnerability
19 Two kinds of SAST  Search for known vulnerabilities  Preventing actions against new vulnerabilities
20 Useful terms • CWE – Common Weakness Enumeration • SEI CERT – Software Engineering Institute Coding Standard • CVE - Common Vulnerabilities and Exposures • MISRA - Motor Industry Software Reliability Association
21 • CWE™ is a community-developed list of common software security weaknesses. • Is a list of potential vulnerabilities which can become real. • Website: https://cwe.mitre.org • 806 potential vulnerabilities.
22 • Standard by CERT Coordination Center, CERT/CC • Contains rules for C, C++, Java, Perl • Many matches with CWE • Website: https://wiki.sei.cmu.edu/
23 Example of CWE static void SHA1Final(unsigned char digest[20], SHA1_CTX *context) { u32 i; unsigned char finalcount[8]; .... memset(context->count, 0, 8); memset(finalcount, 0, 8); }
24 Example of CWE static void SHA1Final(unsigned char digest[20], SHA1_CTX *context) { .... memset(finalcount, 0, 8); } CWE-14 V597 The compiler could delete the 'memset' function call, which is used to flush 'finalcount' buffer. The memset_s() function should be used to erase the private data.
25 https://godbolt.org/ CWE-14
26 CWE-14: Compiler Removal of Code to Clear Buffers https://cwe.mitre.org/data/definitions/14.html
27 • CVE - real vulnerabilities, found in applications. • Website: https://cve.mitre.org/ • Total CVE Entries: 114 142
28 static OSStatus SSLVerifySignedServerKeyExchange(....) { .... if ((err = SSLHashSHA1.update( &hashCtx, &signedParams)) != 0) goto fail; goto fail; .... fail: ....; } • V640 The code's operational logic does not correspond with its formatting • V779 Unreachable code detected. It is possible that an error is present CVE-2014-1266
29 typedef char my_bool; my_bool check_scramble(const char *scramble_arg, const char *message, const uint8 *hash_stage2) { .... return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE); } • V642 Saving the 'memcmp' function result inside the 'char' type variable is inappropriate. The significant bits could be lost breaking the program's logic. CVE-2012-2122
30 • Paid coding standard. • Website: https://www.misra.org.uk/ • 143 rules in MISRA-C:2012 • 228 rules in MISRA-C++:2008
31 Examples of MISRA rules • Don’t use octal constants • Don’t use goto • A function has to have only one exit point • Don’t use standard library functions (atof/…/abort/exit/getenv/system/…) • Don’t use dynamic allocations • Each case has to end with break or throw
32
33 How to use standards incorrectly
34 How to use standards incorrectly
35 What about legacy?  Take an old large project  Run the analysis in your favourite analyzer  And get...
36 … tons of warnings
37 How to do it right  Run the analysis one time  Suppress all warnings  Run the analysis on the new code  Gradually fix old code and check edits
38 Usage scenario
39 Regularly, MAH BOI!
40 Conclusions  Security issues cost a lot if they get in a final product  Static code analysis is one of the ways of searching for vulnerabilities  Regular checks allow to eliminate potential vulnerabilities at the earliest stages
41 Q&A  PVS-Studio site: https://www.viva64.com  Contacts: Yuri Minaev minaev@viva64.com

More Related Content

PPTX
SAST and Application Security: how to fight vulnerabilities in the code
byAndrey Karpov
 
PDF
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
byPôle Systematic Paris-Region
 
PPTX
SAST, CWE, SEI CERT and other smart words from the information security world
byAndrey Karpov
 
PPTX
SAST, fight against potential vulnerabilities
byAndrey Karpov
 
PPTX
Static analysis and writing C/C++ of high quality code for embedded systems
byAndrey Karpov
 
PPTX
Static analysis: looking for errors ... and vulnerabilities?
byAndrey Karpov
 
PDF
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
byAndrey Karpov
 
PDF
How Can PVS-Studio Help in the Detection of Vulnerabilities?
byPVS-Studio
 
SAST and Application Security: how to fight vulnerabilities in the code
byAndrey Karpov
 
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
byPôle Systematic Paris-Region
 
SAST, CWE, SEI CERT and other smart words from the information security world
byAndrey Karpov
 
SAST, fight against potential vulnerabilities
byAndrey Karpov
 
Static analysis and writing C/C++ of high quality code for embedded systems
byAndrey Karpov
 
Static analysis: looking for errors ... and vulnerabilities?
byAndrey Karpov
 
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
byAndrey Karpov
 
How Can PVS-Studio Help in the Detection of Vulnerabilities?
byPVS-Studio
 

Similar to Static code analyzers as a DevSecOps solution

PPT
5_StaticAnalysisPREfast.pptaaaaaaaaaaaaa
byJooPedroLopes42
 
PPTX
testtesttesttesttesttesttesttesttesttesttesttesttesttest
byyamisukehiro9843
 
PPTX
Does static analysis need machine learning?
byAndrey Karpov
 
PPTX
Navigating the jungle of Secure Coding Standards
byChantalWauters
 
PPTX
Game Engine Code Quality: Is Everything Really That Bad?
byAndrey Karpov
 
PDF
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
byŠumadin Šumić
 
PPTX
Static Analysis Primer
byCoverity
 
PPTX
Programming languages and techniques for today’s embedded andIoT world
byRogue Wave Software
 
PDF
Secure Programming With Static Analysis
byConSanFrancisco123
 
PPTX
Static analysis as means of improving code quality
byAndrey Karpov
 
PPTX
Search for Vulnerabilities Using Static Code Analysis
byAndrey Karpov
 
PDF
CODE INSPECTION VIMRO 2015 MHF
byFitCEO, Inc. (FCI)
 
PPT
4.Security Assessment And Testing
byphanleson
 
PPTX
No liftoff, touchdown, or heartbeat shall miss because of a software failure
byRogue Wave Software
 
PPTX
BUSTED! How to Find Security Bugs Fast!
byParasoft
 
PDF
PVS-Studio 7.12 New Features for Finding Safety and Security Threats
byAndrey Karpov
 
PPTX
Static Code Analysis
byGeneva, Switzerland
 
PDF
Videos about static code analysis
byPVS-Studio
 
PDF
Standardizing Source Code Security Audits
byijseajournal
 
PPTX
Static analysis works for mission-critical systems, why not yours?
byRogue Wave Software
 
5_StaticAnalysisPREfast.pptaaaaaaaaaaaaa
byJooPedroLopes42
 
testtesttesttesttesttesttesttesttesttesttesttesttesttest
byyamisukehiro9843
 
Does static analysis need machine learning?
byAndrey Karpov
 
Navigating the jungle of Secure Coding Standards
byChantalWauters
 
Game Engine Code Quality: Is Everything Really That Bad?
byAndrey Karpov
 
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
byŠumadin Šumić
 
Static Analysis Primer
byCoverity
 
Programming languages and techniques for today’s embedded andIoT world
byRogue Wave Software
 
Secure Programming With Static Analysis
byConSanFrancisco123
 
Static analysis as means of improving code quality
byAndrey Karpov
 
Search for Vulnerabilities Using Static Code Analysis
byAndrey Karpov
 
CODE INSPECTION VIMRO 2015 MHF
byFitCEO, Inc. (FCI)
 
4.Security Assessment And Testing
byphanleson
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
byRogue Wave Software
 
BUSTED! How to Find Security Bugs Fast!
byParasoft
 
PVS-Studio 7.12 New Features for Finding Safety and Security Threats
byAndrey Karpov
 
Static Code Analysis
byGeneva, Switzerland
 
Videos about static code analysis
byPVS-Studio
 
Standardizing Source Code Security Audits
byijseajournal
 
Static analysis works for mission-critical systems, why not yours?
byRogue Wave Software
 

More from Andrey Karpov

PPTX
The Use of Static Code Analysis When Teaching or Developing Open-Source Software
byAndrey Karpov
 
PPTX
Static code analysis: what? how? why?
byAndrey Karpov
 
PPTX
Static Code Analysis for Projects, Built on Unreal Engine
byAndrey Karpov
 
PPTX
C++ Code as Seen by a Hypercritical Reviewer
byAndrey Karpov
 
PDF
60 terrible tips for a C++ developer
byAndrey Karpov
 
PDF
60 антипаттернов для С++ программиста
byAndrey Karpov
 
PDF
PVS-Studio in 2021 - Error Examples
byAndrey Karpov
 
PPTX
Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
byAndrey Karpov
 
PDF
PVS-Studio in 2021 - Feature Overview
byAndrey Karpov
 
PPTX
Typical errors in code on the example of C++, C#, and Java
byAndrey Karpov
 
PPTX
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...
byAndrey Karpov
 
PPTX
Ошибки, которые сложно заметить на code review, но которые находятся статичес...
byAndrey Karpov
 
PDF
PVS-Studio в 2021
byAndrey Karpov
 
PPTX
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
byAndrey Karpov
 
PDF
PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps
byAndrey Karpov
 
PPTX
The Great and Mighty C++
byAndrey Karpov
 
PDF
Analysis of commits and pull requests in Travis CI, Buddy and AppVeyor using ...
byAndrey Karpov
 
PDF
Zero, one, two, Freddy's coming for you
byAndrey Karpov
 
PPTX
Best Bugs from Games: Fellow Programmers' Mistakes
byAndrey Karpov
 
PDF
PVS-Studio в 2021 - Примеры ошибок
byAndrey Karpov
 
The Use of Static Code Analysis When Teaching or Developing Open-Source Software
byAndrey Karpov
 
Static code analysis: what? how? why?
byAndrey Karpov
 
Static Code Analysis for Projects, Built on Unreal Engine
byAndrey Karpov
 
C++ Code as Seen by a Hypercritical Reviewer
byAndrey Karpov
 
60 terrible tips for a C++ developer
byAndrey Karpov
 
60 антипаттернов для С++ программиста
byAndrey Karpov
 
PVS-Studio in 2021 - Error Examples
byAndrey Karpov
 
Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
byAndrey Karpov
 
PVS-Studio in 2021 - Feature Overview
byAndrey Karpov
 
Typical errors in code on the example of C++, C#, and Java
byAndrey Karpov
 
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...
byAndrey Karpov
 
Ошибки, которые сложно заметить на code review, но которые находятся статичес...
byAndrey Karpov
 
PVS-Studio в 2021
byAndrey Karpov
 
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
byAndrey Karpov
 
PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps
byAndrey Karpov
 
The Great and Mighty C++
byAndrey Karpov
 
Analysis of commits and pull requests in Travis CI, Buddy and AppVeyor using ...
byAndrey Karpov
 
Zero, one, two, Freddy's coming for you
byAndrey Karpov
 
Best Bugs from Games: Fellow Programmers' Mistakes
byAndrey Karpov
 
PVS-Studio в 2021 - Примеры ошибок
byAndrey Karpov
 

Recently uploaded

PDF
Top Django Questions for Preparation .pdf
bysenseacademy2
 
PDF
product realizatio n software.pdf
byJames Cameron
 
PDF
Speculative Automated Refactoring of Imperative Deep Learning Programs to Gra...
byRaffi Khatchadourian
 
PDF
Enterprise Data Sync via Navision Integration Service Provider
byNavision India
 
PDF
Zoople Technologies: Premier Data Science Institute in Kozhikode
byaromalcsunil761
 
PDF
Employee Self Service in Payroll A Win for Transparency and Productivity .pdf
byCRMLeaf
 
PDF
Custom eCommerce App Development for Modern Retail Stores.pdf
byInexture Solutions
 
PDF
WhaleSwap Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
PPTX
Communicating Software Architecture using Arc42
byAshraf Fouad
 
PDF
Softaken OCR Image to Text Extractor Tool
byaimberdphilomena
 
PDF
NFTMeme Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
PDF
12 Simple Ways to Attract Direct Bookings.pdf
byHotelogix
 
PDF
School-Hall-Pass-System-Modernizing-Student-Movement-Management.pdf
byinfoswipesolutionsin
 
PDF
The future Android App Development in 2025
byLoudOwls Solutions Private Limited
 
PDF
Build Vs. Buy: Cloud Cost Management and FinOps
byAmnic
 
PPTX
Lead Scoring Models in the Wild: What Works & What Doesn’t
bybbedford2
 
PPTX
How Embedded Analytics Drives SaaS Growth in Fintech.pptx
byVarsha Nayak
 
PDF
Boobanker Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
PDF
How an HR Management System Can Transform Your HR Processes.pdf
byVihan Richard
 
PPTX
PPT - Easy way to improve your website's Google ranking.pptx
byThe Webbuzz
 
Top Django Questions for Preparation .pdf
bysenseacademy2
 
product realizatio n software.pdf
byJames Cameron
 
Speculative Automated Refactoring of Imperative Deep Learning Programs to Gra...
byRaffi Khatchadourian
 
Enterprise Data Sync via Navision Integration Service Provider
byNavision India
 
Zoople Technologies: Premier Data Science Institute in Kozhikode
byaromalcsunil761
 
Employee Self Service in Payroll A Win for Transparency and Productivity .pdf
byCRMLeaf
 
Custom eCommerce App Development for Modern Retail Stores.pdf
byInexture Solutions
 
WhaleSwap Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
Communicating Software Architecture using Arc42
byAshraf Fouad
 
Softaken OCR Image to Text Extractor Tool
byaimberdphilomena
 
NFTMeme Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
12 Simple Ways to Attract Direct Bookings.pdf
byHotelogix
 
School-Hall-Pass-System-Modernizing-Student-Movement-Management.pdf
byinfoswipesolutionsin
 
The future Android App Development in 2025
byLoudOwls Solutions Private Limited
 
Build Vs. Buy: Cloud Cost Management and FinOps
byAmnic
 
Lead Scoring Models in the Wild: What Works & What Doesn’t
bybbedford2
 
How Embedded Analytics Drives SaaS Growth in Fintech.pptx
byVarsha Nayak
 
Boobanker Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
How an HR Management System Can Transform Your HR Processes.pdf
byVihan Richard
 
PPT - Easy way to improve your website's Google ranking.pptx
byThe Webbuzz
 

Static code analyzers as a DevSecOps solution

  • 1.
    Static code analyzersas a DevSecOps solution April 20, 2019 Holiday Inn Moscow Sokolniki
  • 2.
    2 A few wordsabout me • Yuri Minaev • C++ developer in the PVS-Studio company • minaev@viva64.com
  • 3.
  • 4.
  • 5.
  • 6.
    6 How to detectvulnerabilities  Code review  Unit-tests and dynamic analysis  Static analysis
  • 7.
  • 8.
    8 Code Review • Pros: –Sharing experience – Off the reel fixes • Cons: – Expensive and time-consuming – You get tired of viewing code
  • 9.
    9 Static code analysis •Is the same as code review, but automated
  • 10.
    10 Static code analysis •Pros: – Less costly – The analyzer doesn’t get tired – The analyzer is aware of error patterns, unknown to programmers • Cons: – False positives – You cannot find high level errors – It’s tricky with multithreading
  • 11.
    11 Dynamic analysis • Pros: –Analysis during the performing process – No false positives • Cons: – Sanitizers and profilers are slow – You’ll often need some specific input data – Tests cannot cover all cases
  • 12.
  • 13.
  • 14.
    14 Modern analyzers  Integrationin IDE  Integration in build systems and CI  Incremental analysis  Mechanisms of noise suppression
  • 15.
    15 Integration in CI Launch as a build step  Reports about found errors
  • 16.
    SonarQube • «Control sourcecode quality using the SonarQube platform» http://www.viva64.com/en/b/0452/ 16
  • 17.
    17 Static Application SecurityTesting (SAST)  Automated search of errors in code  Detection of vulnerabilities that occur due to programming errors  More than 60% of vulnerabilities are programming errors © NIST
  • 18.
    18 From an errorto a vulnerability
  • 19.
    19 Two kinds ofSAST  Search for known vulnerabilities  Preventing actions against new vulnerabilities
  • 20.
    20 Useful terms • CWE– Common Weakness Enumeration • SEI CERT – Software Engineering Institute Coding Standard • CVE - Common Vulnerabilities and Exposures • MISRA - Motor Industry Software Reliability Association
  • 21.
    21 • CWE™ isa community-developed list of common software security weaknesses. • Is a list of potential vulnerabilities which can become real. • Website: https://cwe.mitre.org • 806 potential vulnerabilities.
  • 22.
    22 • Standard byCERT Coordination Center, CERT/CC • Contains rules for C, C++, Java, Perl • Many matches with CWE • Website: https://wiki.sei.cmu.edu/
  • 23.
    23 Example of CWE staticvoid SHA1Final(unsigned char digest[20], SHA1_CTX *context) { u32 i; unsigned char finalcount[8]; .... memset(context->count, 0, 8); memset(finalcount, 0, 8); }
  • 24.
    24 Example of CWE staticvoid SHA1Final(unsigned char digest[20], SHA1_CTX *context) { .... memset(finalcount, 0, 8); } CWE-14 V597 The compiler could delete the 'memset' function call, which is used to flush 'finalcount' buffer. The memset_s() function should be used to erase the private data.
  • 25.
  • 26.
    26 CWE-14: Compiler Removalof Code to Clear Buffers https://cwe.mitre.org/data/definitions/14.html
  • 27.
    27 • CVE -real vulnerabilities, found in applications. • Website: https://cve.mitre.org/ • Total CVE Entries: 114 142
  • 28.
    28 static OSStatus SSLVerifySignedServerKeyExchange(....) { .... if ((err= SSLHashSHA1.update( &hashCtx, &signedParams)) != 0) goto fail; goto fail; .... fail: ....; } • V640 The code's operational logic does not correspond with its formatting • V779 Unreachable code detected. It is possible that an error is present CVE-2014-1266
  • 29.
    29 typedef char my_bool; my_boolcheck_scramble(const char *scramble_arg, const char *message, const uint8 *hash_stage2) { .... return memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE); } • V642 Saving the 'memcmp' function result inside the 'char' type variable is inappropriate. The significant bits could be lost breaking the program's logic. CVE-2012-2122
  • 30.
    30 • Paid codingstandard. • Website: https://www.misra.org.uk/ • 143 rules in MISRA-C:2012 • 228 rules in MISRA-C++:2008
  • 31.
    31 Examples of MISRArules • Don’t use octal constants • Don’t use goto • A function has to have only one exit point • Don’t use standard library functions (atof/…/abort/exit/getenv/system/…) • Don’t use dynamic allocations • Each case has to end with break or throw
  • 32.
  • 33.
    33 How to usestandards incorrectly
  • 34.
    34 How to usestandards incorrectly
  • 35.
    35 What about legacy? Take an old large project  Run the analysis in your favourite analyzer  And get...
  • 36.
  • 37.
    37 How to doit right  Run the analysis one time  Suppress all warnings  Run the analysis on the new code  Gradually fix old code and check edits
  • 38.
  • 39.
  • 40.
    40 Conclusions  Security issuescost a lot if they get in a final product  Static code analysis is one of the ways of searching for vulnerabilities  Regular checks allow to eliminate potential vulnerabilities at the earliest stages
  • 41.
    41 Q&A  PVS-Studio site: https://www.viva64.com Contacts: Yuri Minaev minaev@viva64.com