1. Field of the Invention
This invention relates to vulnerability assessment of computer software. More particularly, this invention relates to scanning application source code automatically to detect application level vulnerabilities.
2. Description of the Related Art
Enterprise security solutions have historically focused on network and host security, e.g., using so-called “perimeter protection” techniques. Despite these efforts, application level vulnerabilities remain serious threats. Detection of such vulnerabilities has been attempted by lexical analysis of source code. This typically results in large numbers of false positive indications. Line-by-line code analysis has been proposed. However, this has proved to be impractical, as modern software suites typically have thousands of lines of code. Indeed, even in relatively compact environments, such as J2EE™ (Java™ 2 Standard Edition), a runtime module may include thousands of classes.
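The contrast drawn above, between a lexical scan that flags every occurrence of a dangerous token and an analysis that follows data flow, is illustrated by the following added example. It is not part of the patent text and is not a description of any of the prior-art systems cited; it is a small standalone Python script written for this page. The sample source it scans, the sink names `eval`/`exec`, and the single taint source pattern `request.args.get` are all constructed assumptions for the illustration. The lexical scanner reports both `eval` calls; the data-flow scanner, which propagates taint through simple assignments inside one function, reports only the call whose argument is derived from the untrusted input.

```python
import ast

# Constructed sample program: two eval() calls, only one of which receives
# data that originates from an untrusted source.
SAMPLE_SOURCE = '''
import os

def handler(request):
    query = request.args.get("q")      # untrusted input
    size = eval("2 * 3")               # constant argument: harmless
    expr = "(" + query + ")"
    return eval(expr)                  # tainted argument: real finding
'''

SINKS = {"eval", "exec"}                # hypothetical sink set for this example
SOURCES = {"request.args.get"}          # hypothetical taint source for this example


def lexical_scan(source: str):
    """Flag every line that mentions a sink call, regardless of where its argument comes from."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(sink + "(" in line for sink in SINKS):
            hits.append(lineno)
    return hits


def _dotted_name(node):
    """Return 'a.b.c' for an Attribute/Name chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _names_in(node):
    """Set of variable names referenced anywhere inside an AST node."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def taint_scan(source: str):
    """Flag sink calls only when an argument is derived from a taint source.

    Intra-procedural and deliberately simple: taint is introduced by calls to
    SOURCES and propagated through plain assignments, in statement order.
    """
    tree = ast.parse(source)
    findings = []
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted = set()
        for stmt in func.body:
            # Propagate taint: a target becomes tainted if its value is a source
            # call or mentions an already-tainted variable.
            if isinstance(stmt, ast.Assign):
                value = stmt.value
                is_source = isinstance(value, ast.Call) and _dotted_name(value.func) in SOURCES
                if is_source or (_names_in(value) & tainted):
                    for target in stmt.targets:
                        tainted |= _names_in(target)
            # Report every sink call in this statement whose arguments read tainted data.
            for call in [n for n in ast.walk(stmt) if isinstance(n, ast.Call)]:
                if _dotted_name(call.func) in SINKS:
                    arg_names = set()
                    for arg in call.args:
                        arg_names |= _names_in(arg)
                    if arg_names & tainted:
                        findings.append(call.lineno)
    return findings


if __name__ == "__main__":
    print("lexical scan flags lines:", lexical_scan(SAMPLE_SOURCE))
    print("data-flow scan flags lines:", taint_scan(SAMPLE_SOURCE))
```

Running the script shows the lexical scan flagging lines 6 and 8 while the data-flow scan flags only line 8. The harmless constant-argument call is the kind of false positive the background text attributes to lexical analysis; following the value from `request.args.get` to the second `eval` is the minimal form of the data-flow modeling that the flow-based approaches rely on.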
One technique for detection of vulnerabilities is exemplified by U.S. Patent Application Publication No. 2006/0253841, entitled “Software Analysis Framework”. This technique involves decompilation to parse executable code, identifying and recursively modeling data flows, identifying and recursively modeling control flow, and iteratively refining these models to provide a complete model at the nanocode level.
Static analysis of program code is disclosed in U.S. Patent Application Publication No. 2005/0015752, entitled “Static Analysis Based Error Reduction for Software Applications”. A set of analyses sifts through the program code and identifies programming security and/or privacy model coding errors. A further evaluation of the program is then performed using control and data flow analyses.
Another approach is proposed in U.S. Patent Application Publication No. 2004/0255277, entitled “Method and system for Detecting Race Condition Vulnerabilities in Source Code”. Source code is parsed into an intermediate representation. Models are derived for the code and then analyzed in conjunction with pre-specified rules about the routines to determine if the routines possess one or more pre-selected vulnerabilities.
Some attempts have been made to examine source code. U.S. Patent Application Publication No. 2003/0056192, entitled “Source Code Analysis System and Method”, proposes building a database associated with a software application. A viewer provides access to the contents of the database. Relevant information may then be displayed, including module-to-module communication, calls made to databases or external files, and variable usage throughout the application. Presumably, the operator would be able to identify vulnerabilities from the display.