Companies, when choosing between commercial software and free software, prefer the latter in an attempt to save money. This is also true for software code security analyzers. Dan Chernov, Chief Technology Officer at DerSecur, explained why saving money on code analyzers can result in unexpected costs.
Why do they check the code
The task of code analysis concerns both the companies that develop and deliver software to the market and those that use somebody else’s software or develop it for internal use. In the first case, the release of software with vulnerabilities creates cyber threats to users who purchase this software. And the vendor risks its own reputation, the trust of customers and, as a consequence, revenues from the software sales.
Companies that do not develop software themselves or develop it only for themselves have significantly improved their resilience to cyber threats through regular checks of their software for vulnerabilities. Software vulnerabilities allow launching successful attacks on corporate infrastructure, stealing sensitive data, and deploying miners and encryption mechanisms. All this can paralyze the company for some time and result in serious financial losses.
Quality of algorithms
In most cases, free code verification solutions contain relatively simple algorithms that perform a simple text search on code snippets and look for matches with the database. Most threats cannot be found this way. Some vulnerabilities are complex, with their elements located in different parts of the code. To detect them, you need more sophisticated algorithms, such as taint analysis, which monitors the distribution of data obtained from an external source over the program.
Another important point related to the quality of the search algorithms is preventing false positives. All detected vulnerabilities need to be verified, and the more false positives there are, the more effort it takes to verify them. Ultimately, the savings will turn into losses: the working time of the IT department staff will be wasted on the endless verification of the detected vulnerabilities. A full-fledged commercial product uses far more complex technologies to find vulnerabilities and decide on whether they really exist in the code, including technologies based on mathematical theories. In addition, a good SAST tool has the option to adjust filters to find a balance to reduce false positives and missed vulnerabilities.
More complex algorithms and technologies used in the analyzer are the result of the work of a large team of developers, architects, engineers, mathematicians, and only a large vendor can afford them. Accordingly, to recoup the investment in the development of a major product, the vendor is simply unable to distribute their software for free. Therefore, even in the case of those full-fledged analyzers that are supposedly offered for free, only reduced functionality is usually offered. And you still have to pay for a full version with all the features.
It often happens that a company uses software whose source code is not available for some reason, but there are doubts about the security of the software. You can use DerScanner SAST tool to check executable files. For this purpose, technologies are used that allow reconstructing source code based on binary code and then check it for vulnerabilities.
In addition, binary code analysis allows detecting vulnerabilities caused by the compiler — a program that converts source code into machine code. A compiler is also software, which can contain bugs. And they will eventually affect the security of the software compiled in it. Therefore, even if you have access to the source code, such vulnerabilities can be detected only through binary analysis.
Obviously, such technologies may also only be available in an advanced commercial product for the reasons described above.
Relevance of databases
Another thing that makes commercial analyzers different from free ones is the timely updating of databases and regular addition of new vulnerability search rules. Vendors developing SAST solutions usually possess significant expertise in information security and get the most up-to-date information on cyber threats from various sources. As a result, they are able to respond to new breaches and attack vectors as quickly as possible.
Adding new rules to free solutions depends on enthusiasts who maintain and update the analyzer. Unlike a vendor who makes a commercial product, they have no obligation to users. As a result, search rules for some new vulnerabilities may not be available in the free solution or may be added when it is too late. And new threats associated with program code bugs are constantly detected in today’s world.
To work with some free analyzers, you need to be well versed in the code, have developer skills, and be familiar with at least several programming languages. But controlling the security of software which is used or created by the company is often the responsibility of the IS department, whose employees usually have no experience in software development.
From this point of view, a SAST tool should not only highlight the detected vulnerabilities but also give a clear idea of the level of threat and how to fix it. Vendors of commercial analyzers are guided by the needs of the product’s target audience. They are interested in making an intuitive and user-friendly analyzer interface, which can be used not only by developers but also by information security specialists.
In addition, vendors continue to be in contact with their customers after implementing their products, collect and process feedback from them, and make changes that their users request. Free solutions are often isolated from users. Open-source analyzers can be updated by the users themselves, but it requires the developer skills.
And another point related to product development and crucial for software code analysis is the ability to integrate SAST into various enterprise systems, development environments. In contrast to the developers of free solutions, a commercial product vendor is interested in expanding the analyzer’s integration capabilities to attract more users.
From all of the above, we can conclude that using any solution to analyze program code is better than no solution at all. To build really effective processes for software vulnerability scanning, you need a regularly updated and growing commercial analyzer that uses advanced threat detection technologies and does what its users need. Open-source and free solutions may seem cost-efficient, but using them may result in higher costs: you will need the resources of highly skilled IT staff, including developers who can maintain such products. And if you miss major vulnerabilities, even higher financial losses are possible.