
Performing a Security Audit for your Code: The Basics


A software code audit is a comprehensive analysis of the source code in a programming project with the intent of discovering bugs, security breaches, or violations of programming conventions, as Wikipedia so handily defines it. In addition, it is a defensive programming procedure that reduces errors before the software is released.


Are you a PHP developer interested in software security? Read our comprehensive tutorial: Building Modern & Secure PHP Applications


The Importance of Performing a Security Audit

In today’s corporate world, code auditing is regarded as one of the most critical stages in the Systems Development Life Cycle. Security researchers audit source code for a number of diverse reasons. However, the actual purpose of code auditing is to check whether library functions such as C/C++ strcpy() and strcat() are vulnerable to buffer overflow before the software is commercialized. Vulnerabilities are not limited to library functions, though: other areas and specific locations in the code must also be checked for potential flaws.

Common Techniques

As of this writing, there is no formal documentation for code auditing. However, there are two common techniques preferred by security researchers and bug hunters. These techniques are:

  • Static Analysis
  • Dynamic Analysis 

1. Static Analysis

Static Code Analysis commonly refers to running static code analysis tools that attempt to highlight possible vulnerabilities within ‘static’ source code (code that is not being executed) by using techniques such as Taint Analysis and Data Flow Analysis. Below are the main techniques used in static code analysis.

Data Flow Analysis: It is used to collect information about how data moves through the software at runtime, while the software itself is examined in a static state. The common terms used in data flow analysis are:

  • Control Flow Graph: An abstract representation of the software as a graph of nodes. Each node in a control flow graph represents a basic block, and directed edges represent the paths or routes from one block to another.
  • Lexical Analysis: Lexical analysis converts the syntax of the source code into a stream of tokens. This abstracts the source code and makes it less difficult to manipulate.
  • Taint Analysis: Perl and Ruby, for instance, have a built-in taint-checking mechanism for input or data received via CGI. Taint analysis helps security researchers identify variables tainted with user-controllable input and trace them to potentially vulnerable functions.
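As an added illustration of the taint-analysis idea described above (this is not part of the original tutorial and not the output of any tool it mentions), here is a small Python source-to-sink checker run over a constructed PHP snippet written in the style of the guestbook form audited later in this article. The regular expressions, the single sanitizer it recognises (htmlspecialchars), the sink list and the sample code are all assumptions made for the demonstration. It walks statements in order, propagates taint through `=` and `.=`, and treats every branch as possibly executed, which is what a "may be tainted" analysis should do.

```python
import re

# Constructed PHP sample in the style of the tutorial's guestbook form.
# Line 4 reflects $_POST['err'] into the page unescaped; line 8 shows the
# sanitized pattern, so only the final echo should be reported.
SAMPLE_PHP = """<?php
$html = beginHtml();
if ($_POST['err']) {
    $html .= $_POST['err'];
}
$html .= '<br>';
$name = $_GET['name'];
$safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
$html .= $safe;
echo $html;
"""

# Same sample with the reflected value escaped: no finding expected.
SAMPLE_PHP_FIXED = SAMPLE_PHP.replace(
    "$html .= $_POST['err'];",
    "$html .= htmlspecialchars($_POST['err'], ENT_QUOTES, 'UTF-8');",
)

# Assumed taint model: sources, assignment shapes, HTML output sinks, sanitizer.
SOURCE_RE = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*(\.=|=)\s*(.+?);\s*$")
SINK_RE = re.compile(r"^\s*(?:echo|print)\s+(.+?);\s*$")
SANITIZER_RE = re.compile(r"\bhtmlspecialchars\s*\(")
VAR_RE = re.compile(r"\$\w+")


def is_tainted(expr, tainted):
    """An expression is tainted if it reads a source or a tainted variable,
    unless the sanitizer wraps it (a deliberately coarse rule)."""
    if SANITIZER_RE.search(expr):
        return False
    if SOURCE_RE.search(expr):
        return True
    return any(var in tainted for var in VAR_RE.findall(expr))


def taint_check(php_source):
    """Propagate taint statement by statement and report each output sink
    that receives user-controllable data. Returns (line number, statement)."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        assign = ASSIGN_RE.match(line)
        if assign:
            var, op, rhs = assign.groups()
            rhs_tainted = is_tainted(rhs, tainted)
            if op == "=":
                # Plain assignment replaces the variable's taint state.
                if rhs_tainted:
                    tainted.add(var)
                else:
                    tainted.discard(var)
            elif rhs_tainted:
                # Concatenation keeps existing taint and may add more.
                tainted.add(var)
            continue
        sink = SINK_RE.match(line)
        if sink and is_tainted(sink.group(1), tainted):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", SAMPLE_PHP), ("fixed", SAMPLE_PHP_FIXED)):
        print(label, taint_check(src))
```

The checker is intentionally flow-insensitive about branches and knows only one sanitizer; a real static analyser adds a control flow graph so that, for example, taint removed on one path is not reported on another.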

2. Dynamic Analysis

Dynamic program analysis is performed by executing the program on a real or virtual processor. For dynamic program analysis to be effective, the target program must be executed with enough test inputs to produce interesting behavior. Using software testing measures such as code coverage helps ensure that an adequate slice of the program’s set of possible behaviors has been observed.
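To show what "enough test inputs" means in practice, here is an added Python example (not from the original tutorial) that executes a target function under a trace hook, records which of its lines actually ran, and reports the lines no input reached. The target, `validate_comment`, is an assumed Python rendering of the guestbook's blank-field check; the two helper functions and their names are also assumptions for the example. Line numbers are reported relative to the function's `def` line so the result does not depend on where the file is placed.

```python
import dis
import sys


def validate_comment(form):
    """Target under test: the guestbook's blank-field check, rendered in Python."""
    comment = form.get("comment")
    if comment is None:
        return "error: missing field"
    if comment.strip() == "":
        return "error: blank field is not accepted"
    if len(comment) > 2000:
        return "error: comment too long"
    return "stored"


def run_with_line_coverage(func, inputs):
    """Run func once per input under sys.settrace and collect the set of
    source line numbers of func that were executed."""
    code = func.__code__
    executed = set()

    def tracer(frame, event, arg):
        # Only watch frames of the target function; record each 'line' event.
        if frame.f_code is not code:
            return None
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer

    results = []
    sys.settrace(tracer)
    try:
        for form in inputs:
            results.append(func(form))
    finally:
        sys.settrace(None)
    return results, executed


def uncovered_offsets(func, inputs):
    """Lines of func (as offsets from its def line) that no input exercised:
    behaviour the dynamic run never observed and the auditor still has to cover."""
    code = func.__code__
    _, executed = run_with_line_coverage(func, inputs)
    all_lines = {ln for _, ln in dis.findlinestarts(code)
                 if ln is not None and ln != code.co_firstlineno}
    return sorted(ln - code.co_firstlineno for ln in all_lines - executed)


if __name__ == "__main__":
    # Constructed inputs: two cases leave the 'missing' and 'too long' branches unexecuted.
    few = [{"comment": "hello"}, {"comment": "   "}]
    print("uncovered with two inputs:", uncovered_offsets(validate_comment, few))
    full = few + [{}, {"comment": "x" * 2001}]
    print("uncovered with four inputs:", uncovered_offsets(validate_comment, full))
```

With only the first two inputs the `return` lines for the missing-field and too-long branches (offsets 4 and 8 from the `def`) are never executed, so any defect on those paths would be invisible to the run; adding an empty form and an over-long comment drives the uncovered list to empty.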

Advantages and disadvantages

Now let’s look at the advantages and disadvantages of static and dynamic code analysis.

Advantages of Static Code Analysis:

  1. It is able to find weaknesses or vulnerabilities in the code at the exact location.
  2. It can scan the entire code base. In addition, it is extremely fast if automated tools are used.
  3. Vulnerabilities are discovered in the early stages of development. Thus, it reduces the cost to fix hidden flaws in the future.
  4. Finally, it provides mitigation recommendations to security researchers so they can be aware of possible issues in future development.

Disadvantages of Static Code Analysis:

  1. It takes longer time if conducted manually (as with most things done manually).
  2. It rarely finds flaws or vulnerabilities in the runtime environment.
  3. Occasionally, it produces many false positives and false negatives.
  4. Not all automated tools support multiple programming languages.

Advantages of Dynamic Code Analysis:

  1. Unlike static code analysis, it can identify vulnerabilities in a runtime environment.
  2. It can be run against any live application.
  3. It is also capable of identifying false negatives in static code analysis.
  4. Moreover, it allows you to examine whether the results of static code analysis are valid.

Disadvantages of Dynamic Code Analysis:

  1. It is extremely tedious to trace vulnerabilities back to a specific area or location in the code.
  2. Automated tools in dynamic code analysis provide false positives and false negatives.
  3. Also, automated tools in dynamic code analysis may provide a false sense of security. 

How to Audit a PHP Source Code

To give you an idea of how to audit source code, let’s run some code through a basic code checker. For this tutorial, we will run PHP source code through PHPcodechecker. Of course, there are other tools available out there, which you are also free to check out.

PHPcodechecker is quite different from other PHP static code analysis tools such as Pixy, an open-source vulnerability scanner for PHP applications. To keep things simple, let’s choose PHPcodechecker over Pixy to audit our basic PHP source code. However, for complex PHP applications, it is advisable to opt for Pixy or other more robust tools.

Let’s begin!

Now let’s create an application that allows motivational speakers to enter inspiring quotes into the website. Their inspiring quotes will be e-mailed to subscribers.  The application also allows motivational authors to upload images alongside inspiring quotes to make it more appealing to subscribers.

Please note that there is an error on the code below and it is done on purpose for this tutorial:

```php
<?php
// Build the user interface (UI)
$hmtl = beginHtml();

$html .= '<form name=\'enter_quote\' action=\'motivatiorsbooks.php\' method=\'POST\'>';

// Reflect an error message passed back from the previous request
if($_POST['err']) {
    $html .= $_POST['err'];
    $html .= '<br>';
}

$html .= 'Please post your lovely quotes here:';
$html .= '<textarea rows=\'20\' cols=\'100\' name=\'comment\'>&nbsp;</textarea>';
$html .= '<input type=\'submit\' value=\'send your quotes\'>';
$html .= '</form>';
$html .= endHtml();

// Now let's store authors' quotes in the database.
// If the input field is blank, the error handler responds.
$error_message = "Blank field is not accepted.";
$error_message .= " Please try again.";
if($POST['comment']) && $_POST['comment'] != "") {
    storecomments($_POST['comment']);
}
else {
    error($error_message);
}

// HTML functions
function beginHtml() {
    return '<html><head><title>Guestbook</title></head><body>\n';
}

function endHtml() {
    return '</body></html>';
}
```

Because we are aware of how PHP is susceptible to basic vulnerabilities such as Cross-Site Request Forgery and Cross-Site Scripting, there is an error-handling mechanism to take care of corrupt input (blank input) from malicious users. Mind you, the error mechanism in PHPcodechecker is not strong enough to handle complex vulnerabilities such as buffer overflows.
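The two vulnerability classes named here, plus the blank-input check, map to three concrete server-side controls: escape any value reflected into HTML (XSS), verify a per-session token on every state-changing POST (CSRF), and reject empty submissions before storing. The following is an added Python rendering of the guestbook's server side to show those controls together; it is not the tutorial's PHP and not PHPcodechecker output, and the function names, the `form`, `session` and `store` containers and the token scheme are assumptions for the example.

```python
import hmac
import html
import secrets


def make_csrf_token(session):
    """Issue a random per-session token and keep it server-side for comparison
    (assumed session dict stands in for a real session store)."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def render_error(message):
    """Reflect a message into HTML only after escaping it; the tutorial's form
    concatenates $_POST['err'] raw, which is the XSS-prone pattern."""
    return html.escape(message, quote=True) + "<br>"


def handle_quote_post(form, session, store):
    """Server side of the quote form: CSRF check, blank-field check, then store.
    Returns (HTTP status, HTML fragment)."""
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison on bytes so non-ASCII input cannot raise TypeError.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, render_error("Invalid or missing CSRF token.")

    comment = form.get("comment", "")
    if comment.strip() == "":
        return 400, render_error("Blank field is not accepted. Please try again.")

    # Storage is out of scope here; the quote is kept verbatim and must be
    # escaped again at the point where it is rendered or e-mailed.
    store.append(comment)
    return 200, "Quote stored."


if __name__ == "__main__":
    session, store = {}, []
    token = make_csrf_token(session)
    print(handle_quote_post({"comment": "Keep going.", "csrf_token": token}, session, store))
    print(handle_quote_post({"comment": "x", "csrf_token": "forged"}, session, store))
    print(render_error("<script>alert(1)</script>"))
```

Note that escaping happens at output time, not at storage time: the stored quote stays intact, and every place that renders it (web page, e-mail body) is responsible for escaping it for that context.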

Now let’s audit the above source code with PHPcodechecker for basic errors.

To check for errors, just paste the code above into the text panel, like so:

[Screenshot: the example code pasted into the PHPcodechecker text panel]

If you pasted the example code above, you should get this result:

[Screenshot: PHPcodechecker result for the example code, listing syntax errors]

PHPcodechecker reports that it spotted some syntax errors. Code checkers behave in diverse ways and are capable of spotting different types of errors depending on the complexity of the source code. Though the application we used for this example is not complex enough to provide room for a buffer overflow, some code checkers or vulnerability scanners can check for subtle holes that may lead to a zero-day attack.

Conclusion

Technology is getting more sophisticated these days, and so are the security risks that come along with it. This tutorial is a basic look at performing a security audit of your source code, but the best way is still to get an actual expert to look at it (especially when you know your website or app is at risk). Whether you’re a developer or you own a company, it’s always better to bring in another person to check your code. And if you are worried about the cost of hiring an expert to do it, just remember that it’s cheaper to have someone check it than to have to rebuild it after a major data breach.

Bonus tip

PHP developers eager to abide by secure coding rules can also check out the Securing PHP ebooks for extensive information on secure coding. Moreover, developers can opt for available code checkers with richer features that check for complex errors instead of basic flaws.

Author’s Bio

Michael is a budding Cybersecurity Engineer and a technical writer based in Ghana, Africa. He works with AmericanEyes Security as a part-time WordPress security consultant. He is interested in Ruby on Rails and PHP security.
