Nail down software security with dynamic analysis

Blog

October 30, 2016

CODE QUALITY BLOG: You?ve secured your Internet of Things (IoT)-connected system with components for authentication such as password, retina scan, physical key, plus encryption/decryption and more. But building these things in is not enough. You?ve got to be certain that they all work together properly and that the code doesn?t contain any flaws that could grant access to hackers. Security needs to be built in at the very start of the project by using secure protocols and continuing on up to functional elements in the application. One powerful tool for gaining this assurance is dynamic analysis.

Dynamic analysis examines the compiled, running code and relates it back to the source code. It is a major component in a suite of tools that includes code coverage, requirements traceability and static analysis. Of course, that means that dynamic analysis is but one important piece of what is needed to make a secure application. But analyzing the code as it executes has two advantages:

1. It can measure the effectiveness of our testing by using code coverage to indicate what parts have been executed or tested. That means it can also identify “dead” code that is either not needed or could serve as a gateway for hackers.

2. It can make use of automated test generation along with manual testing to examine the application’s behavior in the face of expected and unexpected input. Such input could either be from a user or, for example, from sensors. It lets us see what the system would do in such cases and what that means in terms of safety and security.

Both manual and automatically generated tests should relate to the program’s requirements. Having requirements that can be traced back and forth to the code is essential to understanding the system’s intended behavior. Also, for whatever the desired level of coverage, the ability to link the code behavior back to the requirements helps assure us of correct operation. This can be particularly important for security requirements. If you can see how the code is behaving and can link it back to security requirements, you can test the effectiveness of those requirements (for example, by simulating attacks) and determine if they are adequate or should be improved.

Dynamic analysis is not only intended for testing the completed program. It can also be used to great advantage in unit and integration testing. Combined with static analysis, which looks at the uncompiled code, it can be used to automatically generate the test cases, test harnesses, and the whole framework to verify the work of different teams and to integrate them smoothly into the full system. The ability to understand control flow and data flow gives insight into how the data—in the form of variables, parameters, etc.—is being manipulated. This lets us see dependencies between software components and whether each component is producing the expected results from the data presented.

As mentioned earlier, dynamic analysis is one of a set of tools that can be used together. When combined with static analysis to test for security properties, this is often identified as hybrid application security testing or HAST. Static analysis is used to check for coding standards compliance in order to eliminate code vulnerabilities using standards such as MISRA or CERT C. It is also useful in determining the data and control flow relationships and dependencies between software components before execution. Once the code is cleaned up from the static analysis perspective, it can move to dynamic analysis where the code is subjected to automatically generated tests and manual tests using expected and unexpected inputs.

Dynamic analysis, then, supported by complementary tools like static analysis and requirements traceability, can go a long way toward ensuring a secure, safe, and ultimately certifiable software effort.