Software Security Scanning

Software Security: Use Scanning Applications

On-demand software offers a number of benefits over applications installed and managed on a company’s own premises. These benefits include infrastructure costs being shared among multiple customers, and the availability of experts dedicated to running the app, which frees up in-house resources for other tasks.

But the nature of the app can determine the extent of the benefits, and some benefits only apply to certain categories of software. For example, Quocirca has recently been researching the outsourcing of security scanning for software applications.

Scanning applications should be an essential part of any business’s overall approach to software security. This applies to end-user organisations that develop and procure software for in-house use, as well as to independent software vendors who write and sell software.

Software security scanning is treated by organisations such as the Payment Card Industry Security Standards Council (PCI SSC) as an alternative to web application firewalls (WAFs), which protect deployed software against application-specific attacks.

Scanning identifies problems so they can be fixed early in the software development and deployment cycle, rather than leaving them to be blocked at run-time, which is what WAFs do.

On-demand Scanning Services

New research published by Quocirca shows that code scanning in general is the most widely used approach to software security, and that the use of on-demand scanning services is now almost as widespread as the use of on-premise tools, especially for packaged applications bought from independent software vendors.

Some may be surprised that third-party code can be scanned in this way. In order to understand this approach one has to understand the two basic ways of addressing the issue: static and dynamic software scanning.

Static Scanning

Static scanning is where software code or binaries are taken and run through a scanner. Every line is examined and analysed within the context of the development language, and potential flaws are identified with advice on how to fix them.

Static scanning is thorough. It looks at all areas of the code regardless of how likely it is to actually be executed at run-time. When using an on-demand service for static scanning the application is submitted to the service provider over a secure link for a report.

Static scanning has traditionally been more suited to in-house-developed code than to commercially acquired applications, because independent software vendors do not readily give up their source code for scrutiny. However, the advent of binary static analysis means any application can now be subjected to a static scan.
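To make the static-scanning idea concrete, here is a small added example; it is not a tool from the article or from Quocirca's research. It parses Python source with the standard `ast` module, walks every node whether or not that code path could ever execute, and emits each finding with remediation advice. The rule set, the `Finding` type, the `scan_source` function and the sample source (including a flaw placed in an unreachable `if False:` branch) are all constructed for this illustration.

```python
"""Toy static scanner: an added illustration, not code from the article.

It parses Python source with the standard `ast` module, visits every node
regardless of whether that code path would ever run, and reports findings
with remediation advice. Rule set and sample input are constructed here.
"""
import ast
from dataclasses import dataclass

# Constructed sample input. The eval() call sits in a branch that can never
# execute, which a dynamic test would miss but a static pass still sees.
SAMPLE_SOURCE = '''
import subprocess

DB_PASSWORD = "hunter2"

def run(cmd):
    return subprocess.run(cmd, shell=True)

def never_called(user_input):
    if False:
        return eval(user_input)
'''


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    advice: str


class Scanner(ast.NodeVisitor):
    """Visit each AST node once and record a Finding where a rule matches."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        # Rule 1: any call to the builtin eval()
        if isinstance(node.func, ast.Name) and node.func.id == "eval":
            self.findings.append(Finding(node.lineno, "eval-use",
                "Avoid eval(); use ast.literal_eval() or explicit parsing."))
        # Rule 2: subprocess.<anything>(..., shell=True)
        if (isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding(node.lineno, "shell-true",
                        "Pass an argument list and drop shell=True."))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # Rule 3: a string literal assigned to a secret-looking name
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        k in target.id.lower() for k in ("password", "secret", "token")):
                    self.findings.append(Finding(node.lineno, "hardcoded-secret",
                        "Load secrets from the environment or a secrets manager."))
        self.generic_visit(node)


def scan_source(source: str) -> list:
    """Return all findings for one source file, ordered by line number."""
    tree = ast.parse(source)
    scanner = Scanner()
    scanner.visit(tree)
    return sorted(scanner.findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule} - {f.advice}")
```

Run as a script it reports three findings on lines 4, 7 and 11 of the sample, the last of them in the dead branch. That is the property the section describes: coverage of all code rather than only the paths exercised at run-time. A production scanner would add data-flow tracking so that, for example, `shell=True` with a constant command string is rated lower than one built from user input.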