
Are firms right to outsource scanning for flaws?

Bob Tarzey, Analyst and Director

Quocirca Comment April 2012


On-demand software offers a number of benefits over applications installed and managed on a company's own premises. These benefits include infrastructure costs being shared among multiple customers, and the availability of experts dedicated to running the app, which frees up in-house resources for other tasks. But the nature of the app can determine the extent of the benefits, and some benefits only apply to certain categories of software.

For example, Quocirca has recently been researching the outsourcing of security scanning for software applications. Scanning applications should be an essential part of any business's overall approach to software security. This process applies to end-user organisations that develop and procure software for use in-house, as well as to independent software vendors who write and sell software. Software security scanning is an alternative, accepted by organisations such as the Payment Card Industry Security Standards Council (PCI SSC), to web application firewalls (WAFs), which are a way of protecting deployed software against application-specific attacks. Scanning ensures problems are identified and fixed early in the software development and deployment cycle rather than left to run-time, as WAFs do.

New research published by Quocirca shows that code scanning in general is the most widely used approach to software security, and that the use of on-demand scanning services is now almost as widespread as the use of on-premise tools, especially for packaged applications bought from independent software vendors. Some may be surprised that third-party code can be scanned in this way. To understand this approach requires an understanding of the two basic ways of addressing the issue: static and dynamic software scanning.

Static scanning is where software code or binaries are taken and run through a scanner. Every line is examined and analysed within the context of the development language, and potential flaws are identified with advice on how to fix them. Static scanning is thorough. It looks at all areas of the code regardless of how likely it is to actually be executed at run-time. When using an on-demand service for static scanning, the application is submitted to the service provider over a secure link for a report. Static scanning has traditionally been more suited to in-house-developed code than commercially-acquired applications, because independent software vendors do not readily give up their source code for scrutiny. However, the advent of binary static analysis means any application can now be subjected to a static scan. All that's needed are the final executable files. This approach has the additional
benefit of including analysis of embedded third-party components, which source-code scanning would not provide. It may be advisable to seek the co-operation and permission of independent software vendors when scanning their applications. Indeed, they may well provide details of scans they themselves have commissioned.

Dynamic scanning can also be carried out independently of the supplier. Here the focus is on web-enabled applications that are scanned in a test or run-time environment. It is not as thorough as static scanning, because only discovered executable routes through the code are followed. But these routes are the ones most prone to attack. Since no sources or details of binaries are required, dynamic testing can be used to test any web-enabled application, including those provided as on-demand services as well as in-house-developed and deployed ones. The process is straightforward. Simply point the scanner at the URL for the application and let it get on with it.

There seems little point in buying and installing tools to carry out such scans on-premise when you consider how easy it is to point an on-demand service at a web-enabled application. This advantage is especially true when the benefits of using an on-demand service specific to code scanning are taken into account. Top among these benefits is the wisdom of crowds. Because code-scanning service providers are dealing with hundreds of customers, and scanning many thousands of applications on their behalf, they soon build up a picture of common problems.

When it comes to commercial code, they will often have seen it before, know what to look for and have an understanding of common flaws introduced through customisation. This familiarity allows service providers to benchmark the results of a given scan against the results they have had from other scans and indicate to a customer whether its code is below or above average. This facility makes it easy to set thresholds and offer advice about the dangers of proceeding with the deployment of a given application without making modifications to the code or putting other security measures in place.

Understanding software security is the core competence of the providers of on-demand scanning services. The developers of software code, whether they're coders working for end-user organisations or ISVs, do not necessarily have this skill. Their focus should be on building the core functionality of their applications and ensuring they deliver the expected business value; the task of security testing can be outsourced. For those interested in finding out more about the benefits of dynamic and static code scanning and the results of Quocirca's latest research, the report is freely available here.

This article first appeared in April 2012 on http://www.techrepublic.com


http://www.quocirca.com

2012 Quocirca Ltd

About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native-language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption: the personal and political aspects of an organisation's environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to advise on the realities of technology adoption, not the promises. Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca's mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long-term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca's clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC, Symantec and Cisco, along with other large and medium-sized vendors, service providers and more specialist firms.

Full access to all of Quocirca's public output (reports, articles, presentations, blogs and videos) is available at http://www.quocirca.com