Security Scanner Doesn’t Need Source-Code Access
Researchers at Germany’s Fraunhofer Institute have come up with a new way to scan software for costly errors and vulnerabilities, and do so without access to source code. The tool is also being touted as a way to evaluate the growing number of open-source products deployed by enterprise users.
The vulnerability scanner developed by the Fraunhofer Institute for Secure Information Technology in Darmstadt is billed as able to detect flaws in minutes. It then provides a "generally intelligible" description of each vulnerability. The near-real-time capability allows software developers and users to prioritize vulnerable code and fix the most serious problems first.
Among the details the code scanner reports are the effect of each vulnerability on data, where that data (and with it the vulnerability's exposure) is being sent, and the types of encryption used by the tested software.
"The file to be examined is simply loaded into the scanner by drag and drop," said Steven Arzt, one of the code scanner's developers and head of software security at the Fraunhofer unit. No source code is required for scanning, a capability that is "a unique feature of our development," Arzt added. The scanning tool also works on-premises, meaning sensitive data remains with users and need not be exposed on external servers.
Along with evaluating the security of third-party software, proponents of the code scanner claim it adds a layer of quality assurance to enterprise software development. That, they add, will be increasingly important as more open-source software is deployed in production workloads.
Other features include data governance and compliance analyses along with risk management. Researchers said the code scanner can so far detect about 200 kinds of vulnerability, ranging from insecure encryption and insecure network connections to vulnerable file storage and database access.
It also flags risky behaviour such as the dynamic loading of code at runtime.
The code scanner supports widely used Java enterprise applications and Java Web Start applications (Web Start being the technology used to download and run Java applications from the web). It also supports Android and iOS apps.
The scanner runs either on-premises or as a hosted service. Fraunhofer also said it can customize the code scanner to a customer's specified security requirements.
Open-source groups such as the Linux Foundation have recently moved to expand infrastructure initiatives designed to promote secure code development. Among them are a certification program and development tools intended to boost the security of open-source and unlicensed software.
In an illustration of the breadth of the problem, the very security products intended to protect IT infrastructure have been found to contain vulnerabilities. Security researchers have noted that a growing number of security products fail under direct attack by hackers.