WebCitz Blog


Performing a Security Audit for your Code: The Basics

Timothy A
September 30, 2021
Posted in Cybersecurity

Security is important, and it’s more important than ever in this day and age. With the rise of cyber-attacks, many people are taking security audits for their code seriously. In this blog post, we’ll discuss what a security audit entails and how you can perform one on your own code!


Common Techniques

1) Static Analysis

Static analysis is the process of examining code without executing it. This has many benefits, including being able to identify potential vulnerabilities before they are ever deployed!

You can do static security audits with tools like Brakeman and Peepcode. These tools look for common issues in Ruby on Rails applications, such as SQL injection attacks, Cross-Site Scripting (XSS) flaws, session fixation flaws, etc.

You can also do a rougher, manual version of the same thing by grepping through your application’s source code files for certain strings or commands that might indicate an issue.

Note: Static Analysis should NOT be used alone since there are too many false positives when done manually using grep / findstr commands. It usually only tells you what you already know, and not the things that you don’t.
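The grep-style manual audit described above, as an added example (not Brakeman’s or the post’s own code): a few regex rules for Rails patterns run over a constructed controller snippet. The rule set, the rule names and the sample source are assumptions for illustration; note that the parameterized query on line 4 of the sample is deliberately not flagged, which is the kind of discrimination a bare grep does not give you.

```ruby
# Added example: a minimal grep-style static check for Rails patterns.
# Rule names, regexes and the sample source below are constructed assumptions.

# Each rule: a regex and a short description of the suspected issue.
RULES = {
  sql_interpolation: [/\.(where|order|find_by_sql|joins)\(\s*"[^"]*\#\{/,
                      "string interpolation inside a SQL fragment (possible SQL injection)"],
  unescaped_output:  [/\b(raw\(|\.html_safe\b)/,
                      "output marked safe without escaping (possible XSS)"],
  dynamic_dispatch:  [/\bsend\(\s*params\[/,
                      "send with a user-controlled method name"],
  no_session_reset:  [/session\[:user_id\]\s*=(?!=)/,
                      "session assignment; confirm reset_session is called first (session fixation)"],
}.freeze

# Scan source text line by line; returns findings as [line_no, rule, description].
def scan_source(text)
  findings = []
  text.each_line.with_index(1) do |line, no|
    next if line.strip.start_with?("#") # skip full-line comments to cut noise
    RULES.each do |name, (regex, desc)|
      findings << [no, name, desc] if line =~ regex
    end
  end
  findings
end

# Constructed sample Rails controller snippet (not from any real project).
SAMPLE = <<~'RUBY'
  class UsersController < ApplicationController
    def index
      @users = User.where("name LIKE '%#{params[:q]}%'")   # interpolated: flagged
      @safe  = User.where("name LIKE ?", "%#{params[:q]}%") # parameterized: not flagged
    end
    def show
      @bio = raw(@user.bio)
    end
    def login
      session[:user_id] = user.id
    end
  end
RUBY

if __FILE__ == $0
  scan_source(SAMPLE).each { |no, rule, desc| puts "line #{no}: #{rule} - #{desc}" }
end
```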

Advantages of Static Code Analysis
  • Identifies potential security flaws early on, which saves time and money in the future.
  • Provides a good starting point for further manual code review efforts.
  • Gives a high-level overview of your codebase.
  • Can be automated with tools.

Disadvantages of Static Code Analysis
  • Takes a long time to run if not done with automation tools.
  • Does not observe the code running, so it is inaccurate about issues that only appear in a runtime environment.
  • Automated tools can be great for automating repetitive tasks, but they may not support every programming language.

2) Dynamic Analysis

Dynamic analysis is the process of running code and tracking what it does. This gives you a better picture of how your application interacts with its environment, which can reveal potential flaws in the system.

You can use tools like Brakeman and WebInspect (for web applications) to identify common vulnerabilities during this phase, as well as use predefined rulesets that cover several types of attacks, such as SQL injection or Cross-Site Scripting (XSS).

You can also monitor things like headers sent by your server, cookies used for sessions, etc. It’s important to note that these engines will not find everything! They are always improving though, so make sure to keep up with their updates/release notes on GitHub.
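The header and session-cookie monitoring mentioned above, as an added example (not WebInspect’s or the post’s code): it parses a captured response and reports missing hardening headers and session cookies that lack Secure, HttpOnly or SameSite. The list of expected headers and the sample response are constructed assumptions.

```ruby
# Added example: audit a captured HTTP response the way a dynamic check would.
# The expected header list and the sample response are constructed assumptions.

EXPECTED_HEADERS = %w[strict-transport-security x-content-type-options
                      x-frame-options content-security-policy].freeze

# Parse raw response headers into lower-cased name => array of values
# (Set-Cookie can legitimately repeat). Lines without a colon (status line) are skipped.
def parse_headers(raw)
  headers = Hash.new { |h, k| h[k] = [] }
  raw.each_line do |line|
    name, value = line.split(":", 2)
    next if value.nil?
    headers[name.strip.downcase] << value.strip
  end
  headers
end

# Returns findings: missing hardening headers and cookies missing Secure/HttpOnly/SameSite.
def audit_response(raw)
  headers = parse_headers(raw)
  findings = []
  EXPECTED_HEADERS.each do |h|
    findings << "missing header: #{h}" unless headers.key?(h)
  end
  headers["set-cookie"].each do |cookie|
    name = cookie.split("=", 2).first
    attrs = cookie.split(";").drop(1).map { |a| a.strip.downcase }
    findings << "cookie #{name}: missing Secure" unless attrs.include?("secure")
    findings << "cookie #{name}: missing HttpOnly" unless attrs.include?("httponly")
    findings << "cookie #{name}: missing SameSite" unless attrs.any? { |a| a.start_with?("samesite=") }
  end
  findings
end

# Constructed sample response, not captured from any real server.
SAMPLE_RESPONSE = <<~HTTP
  HTTP/1.1 200 OK
  Content-Type: text/html; charset=utf-8
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  X-Content-Type-Options: nosniff
  Set-Cookie: _app_session=abc123; Path=/; HttpOnly
  Set-Cookie: remember_me=xyz; Path=/; Secure; HttpOnly; SameSite=Lax
HTTP

if __FILE__ == $0
  audit_response(SAMPLE_RESPONSE).each { |f| puts f }
end
```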

Advantages of Dynamic Code Analysis
  • It works in a runtime environment.
  • You can discover false negatives from your static code analysis.
  • Findings are checked against the live application.

Disadvantages of Dynamic Code Analysis

  • It’s a daunting task to find vulnerabilities in code. It takes time and patience, but it can be done with enough effort!
  • Automated tools in dynamic code analysis are prone to false positives and negatives.
  • A clean scan can give a false sense of security.

The Importance of Performing a Security Audit

Now that you have a better idea of what a security audit is, let’s take a look at why it’s important. There are several reasons:

  • Preventing damage from occurring due to an attack or hack on your application. You can prevent these types of things by using the tools mentioned above in this blog post! It won’t be perfect but it will help!
  • Avoid being fined for breach of policies/regulations, such as GDPR (General Data Protection Regulation). Fines like these can put you out of business if not handled correctly.
  • Keep customers happy when they see that their data has been secured against unauthorized access with encryption techniques etc. Customers want peace of mind knowing that their data is secure.
  • Remaining competitive in a market with a “security first” approach will always be beneficial if done correctly. Security audits should not just be performed to pass an audit, but because it’s the right thing to do for your application and business/customers!
  • You can also assist other developers in performing security audits on their code by publishing your findings publicly, so that they know what issues (if any) you found while auditing. This helps improve overall software quality across applications, since these tools are open source and available for free download. It only takes one person to find something wrong before others start noticing too!

Performing Your Own Security Audit

Now that we’ve covered why performing security audits is important, let’s take a look at how you can perform your own security audits!

You should start by auditing the low-hanging fruit first. These include:

  • Log out and log in as an administrator or superuser to ensure credentials are not cached anywhere (log file, browser history, etc).
  • Run through any default admin accounts that come with your application, since they will be publicly accessible if left unchanged, such as /admin/users.
  • Check for password strength based on industry-standard rules set forth by NIST (National Institute of Standards and Technology) (if using Rails, this is built into Devise).
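The password-strength item from the checklist above, as an added example (not Devise’s or the post’s code): a check in the style of the NIST SP 800-63B memorized-secret rules, i.e. a minimum length, a blocklist of common or breached values, context-specific words, and no composition rules. The blocklist, thresholds and sample inputs are constructed assumptions.

```ruby
# Added example: NIST-style password check. The blocklist, the length limits
# and the context words are constructed assumptions for illustration.

MIN_LENGTH = 8
MAX_LENGTH = 64

# Stand-in for a breached/common-password list; a real deployment would check
# against a large corpus instead of this handful of constructed entries.
BLOCKLIST = %w[password 12345678 qwertyuiop letmein1 iloveyou].freeze

# Returns the reasons a password is rejected; an empty array means accepted.
# context_words are values a guesser would try first (username, site name).
# Note there are deliberately no composition rules (upper/lower/digit/symbol).
def password_problems(password, context_words: [])
  problems = []
  problems << "shorter than #{MIN_LENGTH} characters" if password.length < MIN_LENGTH
  problems << "longer than #{MAX_LENGTH} characters" if password.length > MAX_LENGTH
  normalized = password.downcase
  problems << "appears in blocklist" if BLOCKLIST.include?(normalized)
  problems << "repeated single character" if password.squeeze.length == 1
  problems << "sequential characters" if normalized.match?(/abcdefgh|12345678/)
  context_words.each do |w|
    problems << "contains #{w.inspect}" if w.length >= 3 && normalized.include?(w.downcase)
  end
  problems
end

def strong?(password, **opts)
  password_problems(password, **opts).empty?
end

if __FILE__ == $0
  ["correct horse battery staple", "Password", "alice-rocks-2021"].each do |pw|
    puts "#{pw.inspect}: #{password_problems(pw, context_words: ["alice"]).inspect}"
  end
end
```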

FAQs

What are some of the most common issues in web applications?

SQL injection, Cross-Site Scripting (XSS), session fixation, insecure direct object references etc.

Is there a checklist I can go through when performing my security audit?

Yes, there is! Head over to OWASP (Open Web Application Security Project) and download their checklist for performing security audits.

What are some good resources for learning about web application security?

OWASP, OWASP Top Ten Project, SANS (SysAdmin, Audit, Network) Security Reading Room, etc.

How long will it take me to perform my own security audit?

It depends on how complex your application is, but you can usually get through all the low-hanging fruit in a couple of days or less.

Is there a point where I should outsource this security audit work or hire a consultant instead due to the complexity of my web application(s)?

If it takes too long, or if you have never performed these types of audits before, then it might make sense to consider hiring someone who is specialized. This is also a good idea if your application is too complex for you to do it on your own.


Conclusion

In conclusion, performing security audits is important to ensure code quality and protect against unauthorized access. It’s also important to note that these tools are NOT perfect, so you should always perform manual penetration tests in addition!

