Code audit
A software code audit is a comprehensive analysis of the source code in a programming project with the intent of discovering bugs, security vulnerabilities or violations of programming conventions. It is an integral part of the defensive programming paradigm, which attempts to reduce errors before the software is released. C and C++ source code is the most commonly audited code, since many higher-level languages, such as Python, have fewer potentially vulnerable functions (e.g., library functions that do not check the bounds of the buffer they write to).
Guidelines
When auditing software, every critical component should be audited separately and together with the entire program. It is a good idea to search for high-risk vulnerabilities first and work down to low-risk vulnerabilities. Whether a vulnerability falls between high and low risk generally depends on the situation and on how the source code in question is being used. Application penetration testing tries to identify vulnerabilities in software by launching as many known attack techniques as possible against likely access points in an attempt to compromise or crash the application. This is a common auditing method and can be used to find out whether specific vulnerabilities exist, but not where they are in the source code.
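A penetration test, as the paragraph above notes, shows that a vulnerability exists but not where it is; a source-level scan for the dangerous calls listed under High-risk vulnerabilities below does the opposite, pointing at the lines an auditor should read first. The following is an added example, not code from the original page or from any existing auditing tool: a minimal lexical scanner that reports calls to a constructed list of risky C functions by line number. The function list, the SAMPLE source text and the identifier rule (a whole identifier followed by "(") are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original page or any existing tool.
 * RISKY is a constructed list of the functions the page names. */
static const char *const RISKY[] = {
    "strcpy", "sprintf", "vsprintf", "sscanf",   /* no bounds checking */
    "system", "popen", "execve"                  /* program execution  */
};
#define NRISKY (sizeof RISKY / sizeof RISKY[0])

static int ident_char(char c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Returns how many calls to RISKY functions appear on one line, printing
 * each when verbose. Matches whole identifiers followed by '(' so that
 * strcpy_s or snprintf are not reported as strcpy or sprintf. */
int scan_line(const char *line, int lineno, int verbose)
{
    int hits = 0;
    size_t k;
    for (k = 0; k < NRISKY; k++) {
        const char *name = RISKY[k];
        size_t nlen = strlen(name);
        const char *p = line;
        while ((p = strstr(p, name)) != NULL) {
            const char *q = p + nlen;
            int whole = (p == line || !ident_char(p[-1])) && !ident_char(*q);
            while (*q == ' ' || *q == '\t')
                q++;
            if (whole && *q == '(') {
                hits++;
                if (verbose)
                    printf("line %d: call to %s()\n", lineno, name);
            }
            p += nlen;
        }
    }
    return hits;
}

/* Splits a source text on newlines and scans every line; returns total hits. */
int scan_source(const char *src, int verbose)
{
    char line[512];
    int total = 0, lineno = 1;
    while (*src != '\0') {
        const char *nl = strchr(src, '\n');
        size_t len = nl ? (size_t)(nl - src) : strlen(src);
        if (len >= sizeof line)
            len = sizeof line - 1;      /* truncate over-long lines rather than overrun */
        memcpy(line, src, len);
        line[len] = '\0';
        total += scan_line(line, lineno++, verbose);
        if (nl == NULL)
            break;
        src = nl + 1;
    }
    return total;
}

/* Constructed sample input: lines 4, 7, 8 and 9 are reported (line 7 is a
 * false positive, a comment), lines 5 and 6 are correctly ignored. */
const char SAMPLE[] =
    "#include <string.h>\n"
    "char name[32];\n"
    "void greet(const char *user, const char *cmd) {\n"
    "    strcpy(name, user);\n"
    "    snprintf(name, sizeof name, \"%s\", user);\n"
    "    strcpy_s(name, sizeof name, user);\n"
    "    /* TODO: never call system() on user input */\n"
    "    system(cmd);\n"
    "    sscanf(user, \"%31s\", name);\n"
    "}\n";

int main(void)
{
    int hits = scan_source(SAMPLE, 1);
    printf("%d risky call(s) flagged; each still needs a human to check the surrounding code\n", hits);
    return 0;
}
```

The scanner flags the comment on line 7 of SAMPLE and cannot tell that the sscanf on line 9 carries a field width that bounds the write, which is exactly why such a pass narrows the audit rather than replacing it.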
High-risk vulnerabilities
Some common high-risk vulnerabilities may exist due to the use of:
- Non-bounds-checking functions (e.g., strcpy, sprintf, vsprintf, and sscanf) that could lead to a buffer overflow vulnerability. Replacements that take the destination size (snprintf, strncpy, or a field width in the sscanf format) only help when that size is actually the size of the buffer.
- Pointer manipulation of buffers that may interfere with later bounds checking, e.g.:
  if ((bytesread = net_read(buf, len)) > 0) buf += bytesread;
  Here buf advances but len is not reduced, so a later net_read(buf, len) is still permitted to write len bytes into the space that remains.
- Calls like execve, execution pipes (e.g., popen), system and similar functions, especially when called with non-static arguments. system and popen hand the string to a shell, so any shell metacharacters in user-controlled arguments are interpreted; passing an argument vector to the exec family avoids the shell entirely.
- Missing input validation, e.g. (in SQL):
  statement := "SELECT * FROM users WHERE name = '" + userName + "';"
  is an example of a SQL injection vulnerability, since a quote character in userName ends the string literal and the rest of the input becomes part of the query. Parameterized (prepared) statements keep data out of the query text.
- File inclusion functions, e.g. (in PHP):
  include($page . '.php');
  is an example of a Remote File Inclusion vulnerability when $page comes from the request; restricting $page to an allowlist of known page names removes the problem.
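The pointer-manipulation item above is easy to misread as harmless, because the loop itself never writes past the bytes net_read() returns. The following is an added example, not code from the original page: the page's "buf += bytesread" loop beside a corrected loop, run against a constructed in-memory stand-in for a socket. The buffer under test is the first 16 bytes of a larger canary-filled array, so the overrun stays inside memory the program owns and can be counted instead of crashing. net_read(), fake_net, the chunk size and the stream contents are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original page. net_read() and the byte
 * stream it serves are constructed stand-ins for a socket read. */

#define BUF_LEN     16   /* size of the buffer the caller actually owns        */
#define BACKING_LEN 64   /* larger backing array so the overrun stays in bounds */
#define STREAM_LEN  40   /* the peer sends more than BUF_LEN bytes              */
#define CHUNK        8   /* bytes delivered per net_read() call                 */
#define CANARY    0xAA

typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} fake_net;

/* Stand-in for recv(): copies up to len bytes, at most CHUNK per call, 0 at end of stream. */
static int net_read(fake_net *n, unsigned char *buf, size_t len)
{
    size_t avail = n->len - n->pos;
    size_t want = len < CHUNK ? len : CHUNK;
    if (want > avail)
        want = avail;
    if (want == 0)
        return 0;                       /* peer closed the connection */
    memcpy(buf, n->data + n->pos, want);
    n->pos += want;
    return (int)want;
}

/* Vulnerable: buf advances but len never shrinks, so every call may write
 * up to len bytes past wherever buf now points. */
size_t read_all_vuln(fake_net *n, unsigned char *buf, size_t len)
{
    size_t total = 0;
    int bytesread;
    while ((bytesread = net_read(n, buf, len)) > 0) {
        buf += bytesread;               /* the page's pattern */
        total += (size_t)bytesread;
    }
    return total;
}

/* Fixed: track what has been read and pass the remaining space each time. */
size_t read_all_safe(fake_net *n, unsigned char *buf, size_t len)
{
    size_t total = 0;
    int bytesread;
    while (total < len &&
           (bytesread = net_read(n, buf + total, len - total)) > 0)
        total += (size_t)bytesread;
    return total;
}

/* Runs one loop against a BUF_LEN buffer at the front of a canary-filled
 * backing array; returns the bytes the loop reported reading and stores
 * how many canary bytes beyond BUF_LEN were overwritten. */
static size_t run_demo(int use_safe, size_t *clobbered)
{
    unsigned char stream[STREAM_LEN];   /* constructed input: 1, 2, 3, ... */
    unsigned char backing[BACKING_LEN];
    fake_net n = { stream, STREAM_LEN, 0 };
    size_t got, i, c = 0;

    for (i = 0; i < STREAM_LEN; i++)
        stream[i] = (unsigned char)(i + 1);
    memset(backing, CANARY, sizeof backing);

    got = use_safe ? read_all_safe(&n, backing, BUF_LEN)
                   : read_all_vuln(&n, backing, BUF_LEN);

    for (i = BUF_LEN; i < BACKING_LEN; i++)
        if (backing[i] != CANARY)
            c++;
    *clobbered = c;
    return got;
}

size_t demo_bytes_read(int use_safe)      { size_t c; return run_demo(use_safe, &c); }
size_t demo_bytes_clobbered(int use_safe) { size_t c; run_demo(use_safe, &c); return c; }

int main(void)
{
    printf("vulnerable loop: read %zu bytes, %zu bytes written past the buffer\n",
           demo_bytes_read(0), demo_bytes_clobbered(0));
    printf("fixed loop:      read %zu bytes, %zu bytes written past the buffer\n",
           demo_bytes_read(1), demo_bytes_clobbered(1));
    return 0;
}
```

With a 40-byte stream delivered 8 bytes at a time, the vulnerable loop accepts all 40 bytes into a 16-byte buffer and overwrites 24 bytes of the canary; the fixed loop stops at 16 bytes and leaves the canary intact. In a real program those 24 bytes would land on whatever follows the buffer on the stack or heap.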
Low-risk vulnerabilities
The following is a list of low-risk vulnerabilities that should be found when auditing code, but do not by themselves produce a high-risk situation:
- Client-side code vulnerabilities that do not affect the server side (e.g., cross-site scripting)
- Username enumeration
- Directory traversal (in Web applications)
As with the high-risk list, the classification depends on context: cross-site scripting that exposes session tokens, or directory traversal that reaches configuration files or credentials, is not low risk in that application.
Tools
Source code auditing tools generally look for common vulnerability patterns and only work for specific programming languages. Such automated tools can be used to save time, but should not be relied on for an in-depth audit: they report patterns, not confirmed flaws, so a strcpy call whose input was length-checked a few lines earlier looks the same to the tool as one that was not, and a dangerous construct the tool has no pattern for is not reported at all. Applying such tools as part of a policy-based approach is recommended.
See also
- Information technology audit
- Defensive programming
- Remote File Inclusion
- SQL injection
- Buffer overflow
- List of tools for static code analysis