The Power of Hybrid Application Security Analysis: Increasing the Reliability of Security Testing Results

Page 1 of 2
  1. The Guessing Game
  2. The Fuzz

The Guessing Game

To increase the reliability of security testing results, developers are finding that security testing should be a combination of analysis techniques — utilizing source code analysis information to direct a second, more practical approach called dynamic analysis. This enables developers to identify vulnerabilities more accurately and confidently than with either technique individually. This combination approach, known as hybrid analysis, produces the accurate and reliable security information that developers need to assess the security of their code.

The Guessing Game

Source code analysis products use a technique called variable tracing. Developers use these tools to inject test data into the application during security testing to study the software’s potential values and behaviors through the call graphs that represent data flows through the application. By injecting test data this way, the source code analysis product infers what behavior may occur for a certain scenario and variable value--some refer to this technology as an inference engine.

The danger of the source code analysis technique is that it produces inferences, or guesses, as to how the system might behave during run-time and production configuration conditions. Source code analysis can only determine possible security vulnerabilities in the application, which usually results in high false positive rates during security testing.

In the security testing field, trusting the inferred results of source code analysis is analogous to trusting that an application will function according to design when it compiles cleanly. If all code is syntactically and semantically correct, then it will compile. But do you have confidence that it will meet the functional requirements simply because it compiled? Similarly, developers who rely on source code analysis to infer security problems in the application must also perform additional security testing in order to validate the application’s real run-time behavior with respect to the potential vulnerabilities.

You might also like...


About the author

Jason Schmitt United States

Jason Schmitt is group product manager for SPI Dynamics, the Web application security expert. He is responsible for overseeing product strategy and dire...

Interested in writing for us? Find out more.


Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

Our tools

We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

“The trouble with programmers is that you can never tell what a programmer is doing until it's too late.” - Seymour Cray