Page 6 - Cyber Warnings
P. 6
vector, and attack difficulty is required.
A thorough threat assessment yields an understanding of what external interfaces are the
biggest threats for attack. This information pinpoints which interfaces and types of tainted data
(from input) allow security vulnerabilities to be exploited. Detecting vulnerabilities in source
code, including potentially hazardous data flows, is particularly well suited to advanced static
analysis tools. Knowing which interfaces need to be analyzed (for example, network) helps
narrow the scope of the analysis.
Configuring Static Analysis Tools
Advanced static analysis tools ship with a set of default warnings and errors. These are the
most critical and useful quality and security defects that customers need; however, these are
not always the most relevant to an individual case. When performing early security audits, it’s
more important to narrow down the analysis in order to create a reasonable amount of errors
and warnings for evaluation. This is done by adjusting the following parameters:
• Warning Classes: Most static analysis tools allow for turning on or off checkers and
warnings. The default settings are likely not ideal for a security audit. Enabling the key
error classes and limiting the non-essentials is recommended.
• Tainted data types: Not all sources of data are potential attack vectors or present in all
systems. For example, network sources of data are common for connected devices, but
user or file input may not be – the thread analysis and attack surface gained from the
previous step is important here. Trimming the analyzed sources reduces false positives
and number of reports.
• Uninteresting Code: It’s possible to limit the subsystems to analyze and remove
unwanted code from the analysis. The tools don’t understand the intent of the software
so trimming the applicable code manually focuses the analysis on key parts of the
system.
• Thoroughness versus time: The depth of analysis is sometimes tunable and should be
set to the highest settings for a security audit. It’s important that the analysis is as
complete as possible before taking action with regard to discovered vulnerabilities.
6 Cyber Warnings E-Magazine February 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
