Static Code Analyzers - OWSAP LAPSE+, Codepro AnalytiX, FindSecurityBugs - How those help developers to prevent security problems in J2EE web applications code?

I hope, you have already read "Preface" of my static code analyzers series.

Recently reported Heartbleed Bug is a serious vulnerability in the implementation of popular OpenSSL cryptographic software library, which is already being called one of the biggest security threats the Internet has ever seen. Because the bug has affected many popular websites and services - ones you might use every day, like Gmail, Yahoo and Facebook - and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years!

Yeah, "Security" is one of the most critical parameters of non-functional requirements in most of applications.

So in this post, I would like to encourage developers for understanding critical web vulnerabilities and leveraging application code by adopting security auditing tools. Besides that I have shared my evaluation feedback about Codepro Analytix, Find Security Bugs, OWSAP LAPSE+ and VisualCodeGrepper tools for reviewing vulnerable J2EE web applications code.

As a matter of fact most of Java developers work on J2EE web application development sometime in their career, but most of might not be meticulous about understanding, exploiting and defending the application against known web vulnerabilities.

If we are working on J2EE web application development and security is one of quality attributes for the application (which would be majority time), then we must understand the known security risks for web applications and learn to write secure code by adopting "OWASP Top 10 Project" publications. Also we should use free or commercial tool to audit security problems in the code.

As per "OWASP Top 10 - 2013" project, below are the top 10 critical web application flows of the 2013 year:

• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards

Straight from the horse's mouth

Now let's know the above-mentioned tools briefly.

• Codepro AnalytiX - A premier Java software testing tool for Eclipse developers who are concerned about improving software quality.
• Find Security Bugs - A plugin for FindBugs that aim to help security audit on Java web application. Also work with Scala and Groovy projects.
• OWSAP LAPSE+ - A security scanner for detecting vulnerabilities of untrusted data injection in Java EE Applications. It has been developed as a plugin for Eclipse Java Development Environment, working specifically with Eclipse Helios and Java 1.6 or higher. 
• VisualCodeGrepper - An automated code security review tool for C++, C#, VB, PHP, Java and PL/SQL which is intended to drastically speed up the code review process by identifying bad/insecure code.

Practical Shot and My Feedback

I evaluated Codepro AnalytiX, Find Security Bugs, LAPSE+ and VisualCodeGrepper tools to review code of WebGoat vulnerable J2EE web applications to identify security related problems. The highlights are as below,

CodePro AnalytiX

If you don't know power of CodePro AnalytiX tool, then please read my another post on GoogleCodePro AnalytiX - Why is it premium eclipse plugin for java developers?

This Eclipse plugin is really awesome. It offers option to review the code for "security" rule set only (Eclipse IDE -> Select Project -> CodePro Tools -> Code Audit Using -> Only select "Security" in "Choose Audit Rule Set" ->  OK). The tool reported 1100+ issues related to security by analyzing source code of "WebGoat" project using "Security" rule set (with default configuration). It also guides the developer that how to crack particular type of problem such as "SQL Injection" in below screen. When you double click on particular issue, it would open associated source code in Java Editor.

Find Security Bugs

Ifyou don't know what is FindBugs, then first please read my another post aboutit. Once FindBugs is installed in Eclipse and then configure it to report only potential security bugs using "Find Security Bugs" plugin.

The tool reported 54 potential security bugs by analyzing compiled class files of "WebGoat" project. Some of reported issues are common in analysis results of both CodePro Analytix and Find Security bugs. Though CodePro Analytix could report many additional issues compare to Find Security Bugs, Find Security Bugs could report some additional potential bugs which CodePro AnalytiX didn't report as highlighted in below screen. When you double click on particular issue, it would open associated source code in Java Editor.

OWSAP LAPSE+

LAPSE+ has been developed as a Eclipse plugin for working specifically with Eclipse Helios and lastly updated in 2011. When I installed in Eclipse Keper, "Vulnerability Sources and Vulnerability Sinks" views worked without any issue, but somehow "Provenance Tracker" view didn't work. Also LAPSE+ tool expects that projects are properly configured in Eclipse and don't have compilation errors. Because compilation errors will prevent LAPSE+ from detecting all the potential vulnerabilities.

LAPSE+ provides three different views for the analysis of vulnerabilities and reported many issues as show next. And "Find Source" option would open associated source code in Java Editor.

Vulnerability Sources View - It shows the points of code that can be source of untrusted data injection. It detects vulnerabilities corresponds to Information Leakage, Parameter Tampering, URL Tampering, Header Manipulation and Cookie Poisoning.

Vulnerability Sinks View - It shows the points of code that can insert the untrusted data in the application, manipulating its behavior. It detects vulnerabilities corresponds to SQL Injection, Cross-site scripting, Path Traversal, Command Injection, HTTP Response Splitting, Xpath Injection, XML Injection and LDAP Injection. When "Perform backward propagation from this sink" is clicked, it would show it in "Provenance Tracker View".

Provenance Tracker View - This view traces the backward propagation tree from a vulnerability sink in order to check if it reaches a vulnerability source. If this happens we have a vulnerability in our code. When this occurs, ProvenanceTracker View shows the matches in red. On the other hand, if it reaches a safe source it shows it in blue.

VisualCodeGrepper

This standalone tool could find some of bad/insecure issues, but I didn't find it capable enough like LAPSE+, CodePro Analytix, etc.  Also it got closed due to errors randomly while performing some of operations.

My Final Thoughts

CodePro Analytix, Find Security Bugs and OWSAP LAPSE+ are Eclipse plugins. Though you would see some duplicate findings in reported issues by all three, each has some unique abilities too. So if you use Eclipse IDE for J2EE web applications development, then these tools would be highly helpful to perform code review for vulnerability issues.

If you are not using Eclipse IDE, you should explore most suitable plugin/tool for security code auditing in your given situation. For example, you may consider a standalone VisualCodeGrepper tool which can help at some extent. Though I tried for only Java, it claims to be an automated code security review tool for C++, C#, VB, PHP and PL/SQL too.

Free code security review tool vs. Commercial security solution offering

• CodePro Analytix, Find Security Bugs, LAPSE+, VisualCodeGrepper - such free tools are not intended as a comprehensive solution for Web Application Security, but rather as an aid in the code review process. Instead of any of one of those, you may consider using multiple tools for taking optimum possible benefits.
• If you are looking for more comprehensive solutions to identify and fix vulnerabilities in web and mobile applications, then you should look at some of the commercial offerings such as IBM Security AppScan Source, HP Software Security Solutions - Fortify Static Code Analyzer, etc.

What's next?

• I would highly recommend to attend Application Security - Understanding, Exploiting and Defending against Top Web Vulnerabilities (1 hour video) for getting started with web vulnerabilities concepts.
• Explore typical security flaws within web-applications using WebGoat, which is a insecure J2EE web application deliberately designed to teach web application security concepts. You may consider to setup Virtual Security LAB (OWASP Broken Web Application Security LAB) for this.
• If you are excited to explore more applications and tools in this area, then there are many vulnerable web applications available which you can use to evaluate and practice choice of static analysis tools for security auditing.

Disclaimer

I don't aim to exploit code of any open source project or sample application, while I share my evaluation feedback of given tool on selected publicly available code. Also I am not biased to particular free or commercial tools, rather my objective is about sharing my own experience on set of tools.

Also Refer

• Tech Talk Notes on Top Web Vulnerabilities - http://jmoses.co/2014/03/31/tech-talk-notes-web-vulnerabilities.html
• List of static analysis tools for security  - http://www.dwheeler.com/flawfinder/#othertools
• Vulnerable web applications list to evaluate security auditing tools - http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html
• OWSAP WebGoat project - https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• OWSAP Lapse+ Tutorial - https://code.google.com/p/lapse-plus/downloads/detail?name=LapsePlusTutorial.pdf
• Find Security Bugs - https://github.com/h3xstream/find-sec-bugs/wiki/Eclipse-tutorial