Selecting an Application Security Assurance Approach
  Add date: 02/20/2009   Publishing date: 02/20/2009   Hits: 1

This case study from company ABC discusses ways to develop and maintain secure systems and applications, including the selection of static-analysis code scanning tools for application development. ABC is deploying web application firewalls as an interim layer of protection for its web-based applications, acknowledging that secure development will take a long time to roll out, partly because manual code reviews are expensive and time-consuming. For its internal, non-web code base ABC is selecting an approach based on code reviews and code scanning. ABC has also identified a long-term project covering penetration testing, scanning and review of the web application code base.

An effective code-scanning tool would clearly be useful to ABC's development teams. As a security-oriented organization, ABC needs to minimize the number of bugs that reach production. Code-scanning tools are also mandated by Microsoft's SDL (Security Development Lifecycle), which ABC is adopting. Whatever tool is chosen, it must be accompanied by code reviews, appropriate testing such as fuzz testing, coding standards that are actually followed, and developer education.

Apply coding and testing standards

SDL describes requirements for each phase of development, with the main goal of reducing the number of vulnerabilities in software products. It has been proposed that ABC follow the SDL requirements by the end of 2009. The ABC coding standards will help developers avoid introducing flaws that can lead to security vulnerabilities. The testing standards and best practices will help ensure that testing focuses on detecting potential security vulnerabilities rather than only on verifying that software functions and features operate correctly. ABC is also introducing fuzzing, which supplies structured but invalid inputs to application programming interfaces (APIs) and network interfaces so as to maximize the likelihood of triggering errors that may indicate software vulnerabilities. Structured means that the input still passes the outer checks (headers, framing) so that the malformed parts reach the code that actually parses them.
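Fuzzing of the kind just described, as an added example that is not part of ABC's case study or of the original article: a deliberately naive parser for a small, constructed TLV message format (a 2-byte magic, a record count, then type/length/value records) beside a hardened version, and a structure-aware mutation fuzzer that keeps the magic intact so that each mutated input reaches the record loop, then corrupts counts, length fields, type bytes and payload bytes, or truncates the message. Everything here is an assumption made for illustration: the format, the MAGIC value, the seed message, the field offsets 3/9/16 (types) and 4/10/17 (lengths), and the mutation mix.

```python
"""Structure-aware mutation fuzzer for a small TLV format. Added example, not
code from the article or from ABC; format, parsers, seed and mutations are
all constructed here to illustrate the technique."""
import random
import struct

MAGIC = b"AB"  # constructed 2-byte header marker

class ParseError(Exception):
    """The only exception a well-behaved parser should raise on bad input."""

def parse_naive(msg: bytes) -> dict:
    """[MAGIC][count]([type:1][len:2 BE][value])*, trusting every field."""
    if msg[:2] != MAGIC:
        raise ParseError("bad magic")
    count, off, out = msg[2], 3, {}
    for _ in range(count):
        rtype, length = struct.unpack_from(">BH", msg, off)  # struct.error if short
        off += 3
        value = msg[off:off + length]                        # silently truncates
        off += length
        if rtype == 1:
            out["name"] = value.decode("utf-8")              # UnicodeDecodeError on junk
        elif rtype == 2:
            out["ttl"] = struct.unpack(">I", value)[0]       # struct.error unless 4 bytes
        else:
            out[{3: "note"}[rtype]] = value                  # KeyError on unknown type
    return out

def parse_hardened(msg: bytes) -> dict:
    """Same format; every length is bounds-checked and every failure is a ParseError."""
    if len(msg) < 3 or msg[:2] != MAGIC:
        raise ParseError("bad header")
    count, off, out = msg[2], 3, {}
    for _ in range(count):
        if off + 3 > len(msg):
            raise ParseError("truncated record header")
        rtype, length = struct.unpack_from(">BH", msg, off)
        off += 3
        if off + length > len(msg):
            raise ParseError("record length exceeds input")
        value = msg[off:off + length]
        off += length
        if rtype == 1:
            try:
                out["name"] = value.decode("utf-8")
            except UnicodeDecodeError as exc:
                raise ParseError("name is not UTF-8") from exc
        elif rtype == 2:
            if length != 4:
                raise ParseError("ttl must be 4 bytes")
            out["ttl"] = struct.unpack(">I", value)[0]
        elif rtype == 3:
            out["note"] = value
        else:
            raise ParseError(f"unknown record type {rtype}")
    if off != len(msg):
        raise ParseError("trailing bytes after last record")
    return out

def build_seed() -> bytes:
    """A valid 21-byte message (constructed): name="svc", ttl=300, note=b"ok"."""
    return (MAGIC + bytes([3])
            + struct.pack(">BH", 1, 3) + b"svc"
            + struct.pack(">BH", 2, 4) + struct.pack(">I", 300)
            + struct.pack(">BH", 3, 2) + b"ok")

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One structure-aware mutation: keep MAGIC so the parser reaches the record
    loop, then corrupt a count, length, type or payload byte, or truncate.
    Offsets 3/9/16 (types) and 4/10/17 (lengths) are the seed's field positions."""
    b, choice = bytearray(seed), rng.randrange(5)
    if choice == 0:
        b[2] = rng.randrange(256)                                 # record count
    elif choice == 1:
        idx = rng.choice((4, 10, 17))
        b[idx:idx + 2] = struct.pack(">H", rng.randrange(65536))  # length field
    elif choice == 2:
        b[rng.choice((3, 9, 16))] = rng.randrange(256)            # record type
    elif choice == 3:
        for _ in range(rng.randrange(1, 4)):                      # payload bit flips
            b[rng.randrange(3, len(b))] ^= 1 << rng.randrange(8)
    else:
        del b[rng.randrange(3, len(b)):]                          # truncation
    return bytes(b)

def fuzz(target, iterations: int = 2000, seed_value: int = 1) -> dict:
    """Runs target on mutated inputs; returns {exception name: first input} for
    every exception other than ParseError. An empty dict means the parser coped."""
    rng, seed, findings = random.Random(seed_value), build_seed(), {}
    for _ in range(iterations):
        data = mutate(seed, rng)
        try:
            target(data)
        except ParseError:
            continue                                              # rejected cleanly
        except Exception as exc:                                  # a bug in the target
            findings.setdefault(f"{type(exc).__module__}.{type(exc).__name__}", data)
    return findings
```

fuzz(parse_naive) reports struct.error, UnicodeDecodeError and KeyError escaping the parser, each paired with the first input that triggered it, while fuzz(parse_hardened) returns an empty dict because every malformed input is rejected with ParseError. The missing length and type checks in parse_naive are also exactly the kind of finding a code review or a static-analysis pass should raise before the fuzzer ever runs; against native code the same harness would be run under a memory-error detector such as AddressSanitizer so that silent corruption surfaces as a crash rather than going unnoticed.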

Apply static-analysis code scanning tools and code reviews

Static-analysis tools can detect some classes of coding flaws that lead to vulnerabilities, including buffer overruns, integer overruns and uninitialized variables. Microsoft has invested heavily in such tools (the two in longest use are PREfix and PREfast) and keeps extending them as new kinds of coding flaws and software vulnerabilities are discovered. Code reviews supplement automated tools and tests by having trained developers examine the source code to find and remove potential security vulnerabilities. Both are crucial steps in removing security vulnerabilities from software during development, and neither is sufficient alone: a scanner reports only the patterns it has rules for and produces false positives that someone must triage, while a reviewer cannot read every line with equal care, so the two should be used together.

Independent code reviews will enhance security

Both PCI DSS (Payment Card Industry Data Security Standard) and SDL call for code reviews performed by someone other than the code's author as a way to enhance security. SDL additionally calls for static-analysis code scanning tools. Such tools often assist during code reviews, but they can also be applied during normal development, so that developers see findings while the code is still fresh in their minds.
