Software Integrity Blog


Why your SAST tool needs to understand your web framework

Web frameworks can introduce security issues into web applications. Mitigate this risk with a static analysis tool that understands the frameworks you use.

Web framework security and static analysis

Writing a web application from scratch is a daunting effort. You need to write the UI elements from lower-level APIs, set up and manage the database connections, manage the HTTP requests and replies, and more. You also have to consider the application code itself and its corresponding business logic. Once the application moves into production, maintaining it is cumbersome.

This is not an efficient or effective method for developing web applications. Modern web application development relies on web frameworks instead. Frameworks offer prewritten code for standard components such as UIs and database management. This code helps developers manage common tasks so they can concentrate on application features and functionalities instead.

Web frameworks 101

Web frameworks are software that has been architected to ease, automate, and structure certain aspects of web application development. These frameworks provide precoded implementations of various subsystems and functions, giving developers more time to focus their coding efforts elsewhere.


Frameworks exist for every popular web programming language. Java and JavaScript have the largest ecosystem of frameworks on the market, with more than 50 between them.

JavaScript frameworks fall into three main classes: client-side, server-side, and template engines. Popular JavaScript frameworks include Node.js for server-side scripting, the Angular.js front-end web framework, and Vue.js.

One of the most popular frameworks for Java is Spring, which provides a wide range of functions such as object management, database connectivity, messaging, persistence, network communications, and user interface elements. Spring also enforces a certain software architecture by implementing programming paradigms such as inversion of control and aspect-oriented programming. In an application, the Spring framework provides almost all the common (and reusable) code. Then the application code fills in the blanks with the application’s own objects and implements its business logic.


Many web frameworks aim to provide cookie-cutter, ready-to-use implementations to simplify specific tasks. Just as a carpenter uses many tools for each project, developers commonly use more than one framework in an application. For database connectivity and data binding, MyBatis is used to connect objects to SQL procedures or statements. An object-relational mapping (ORM) framework such as Hibernate is another popular way of connecting database information to objects. In the domain of UIs and UI mapping to the underlying application, Struts, Apache Tiles, and Vaadin are some of the most widely used frameworks.

Application security and web frameworks

With so many web frameworks available, it’s no surprise that framework code often makes up most of the code in an application. But this also means framework code comes from a range of sources. How can you ensure that web framework code doesn’t introduce security vulnerabilities into your application?

Security tools must be able to understand framework code and how it interacts with the applications they scan. Static analysis is a leading security mechanism used to identify vulnerabilities in source code before deployment. It allows security to shift to the earliest phases of development, reducing the time and cost needed to resolve the vulnerabilities it identifies.


When searching for the static analysis tool that best suits your needs, consider each tool’s depth and breadth of scanning. The highest-quality tools bring nearly 400 checkers to bear on a codebase and can detect both bugs and security issues.


Static analysis tools use a variety of techniques to analyze both web framework and application code for vulnerabilities. For example, cross-module dataflow tracking follows data as it originates from web requests and flows into the application’s functions. This type of analysis helps identify sources and sinks for cross-site scripting (XSS) and injection attacks.

Control flow analysis

A substantial challenge in analyzing framework-based applications for vulnerabilities is understanding the flow of control between the framework code and the application code. Traditionally, an application calls into libraries as needed. Modern web frameworks invert this control model: the framework and its components become the main body of the application and transfer control into your code only at specific points, in specific contexts.

Control flow across subsystems can carry data, possibly tainted, from the web into the framework and on to the application. Tainted data coming in from untrusted sources is a potential source of injection attacks. Other security issues related to web framework code include buffer handling, certificate management, credential management, insecure connection settings, and path manipulation scenarios. Look for a static analysis tool that detects all of these, as well as issues with authorization, hard-coded passwords, certificate usage, insecure (non-SSL) communication, and issues relating to leakage of sensitive data.
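The two analysis points made above, cross-function dataflow from a web request to a sink and the inverted control model in which the framework, not the application, calls the handlers, can be shown with a toy taint analyzer. The following is an added example written for this post, not code from the original article or from any SAST product. It parses a small, constructed sample application built on a hypothetical framework module named "webfw" (with a hypothetical "db" module for the SQL sink and escape routine); these names, the decorator "webfw.route", and the source/sink/sanitizer lists are assumptions made for the illustration. Run with framework knowledge, the analyzer seeds taint at the decorated handler's parameters and follows it through a helper into a SQL sink; run without that knowledge, it finds no source at all, because nothing in the file ever calls the handler.

```python
import ast
from dataclasses import dataclass

# Framework model: the knowledge a framework-aware SAST tool has to carry.
# "webfw" is a hypothetical framework name used only for this example.
ROUTE_DECORATORS = {"webfw.route"}  # handlers the framework invokes with request data
SINKS = {"db.execute"}              # SQL execution: a tainted argument means injection
SANITIZERS = {"db.escape"}          # calls whose result is treated as clean

# Constructed sample application (not real project code).
SAMPLE_APP = '''\
import webfw          # hypothetical web framework
import db             # hypothetical database module

def lookup(name):
    # Classic injection pattern: untrusted input concatenated into SQL.
    q = "SELECT * FROM users WHERE name = '" + name + "'"
    return db.execute(q)

@webfw.route("/user")
def show_user(name):
    # Nothing in this file calls show_user; the framework does, with request data.
    return lookup(name)

@webfw.route("/safe_user")
def show_user_safe(name):
    return lookup(db.escape(name))
'''

@dataclass
class Finding:
    entry: str   # framework entry point the tainted data came in through
    func: str    # function that contains the sink
    sink: str
    line: int

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

class TaintAnalyzer:
    def __init__(self, source, framework_aware=True):
        tree = ast.parse(source)
        self.funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
        self.framework_aware = framework_aware
        self.findings = []

    def is_entry_point(self, fn):
        decos = {dotted_name(d.func if isinstance(d, ast.Call) else d)
                 for d in fn.decorator_list}
        return bool(decos & ROUTE_DECORATORS)

    def run(self):
        # Inversion of control: no call site exists for the handlers, so the
        # only way to seed taint is to know which decorators the framework calls.
        for fn in self.funcs.values():
            if self.framework_aware and self.is_entry_point(fn):
                self.analyze(fn, {a.arg: True for a in fn.args.args}, fn.name, ())
        return self.findings

    def analyze(self, fn, param_taint, entry, stack):
        """Walk fn with the given parameter taint; return whether its result is tainted."""
        if fn.name in stack:            # recursion: assume the worst
            return True
        stack = stack + (fn.name,)
        env = dict(param_taint)
        returns_tainted = False
        for stmt in fn.body:
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                sink = dotted_name(call.func)
                if sink in SINKS and any(self.tainted(a, env, entry, stack) for a in call.args):
                    f = Finding(entry, fn.name, sink, call.lineno)
                    if f not in self.findings:
                        self.findings.append(f)
            if isinstance(stmt, ast.Assign):
                t = self.tainted(stmt.value, env, entry, stack)
                for tgt in stmt.targets:
                    if isinstance(tgt, ast.Name):
                        env[tgt.id] = t
            elif isinstance(stmt, ast.Return) and stmt.value is not None:
                returns_tainted = returns_tainted or self.tainted(stmt.value, env, entry, stack)
        return returns_tainted

    def tainted(self, node, env, entry, stack):
        """Does this expression carry data derived from a tainted parameter?"""
        if isinstance(node, ast.Name):
            return env.get(node.id, False)
        if isinstance(node, ast.BinOp):
            return (self.tainted(node.left, env, entry, stack)
                    or self.tainted(node.right, env, entry, stack))
        if isinstance(node, ast.JoinedStr):
            return any(self.tainted(v.value, env, entry, stack)
                       for v in node.values if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.Attribute):
            return self.tainted(node.value, env, entry, stack)
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            arg_taint = [self.tainted(a, env, entry, stack) for a in node.args]
            if isinstance(node.func, ast.Attribute):   # method call: receiver counts too
                arg_taint.append(self.tainted(node.func.value, env, entry, stack))
            if name in SANITIZERS:
                return False
            if name in self.funcs:      # cross-function dataflow: follow into the callee
                callee = self.funcs[name]
                params = {p.arg: t for p, t in zip(callee.args.args, arg_taint)}
                return self.analyze(callee, params, entry, stack)
            return any(arg_taint)       # unknown callee: propagate conservatively
        return False                    # constants and anything not modelled

def scan(source, framework_aware=True):
    """Return (entry, function, sink, line) tuples for every tainted sink reached."""
    return [(f.entry, f.func, f.sink, f.line)
            for f in TaintAnalyzer(source, framework_aware).run()]

if __name__ == "__main__":
    print("framework-aware:", scan(SAMPLE_APP))
    print("framework-blind:", scan(SAMPLE_APP, framework_aware=False))
```

The framework-aware run reports one finding: data entering through the show_user handler reaches db.execute inside lookup, while the show_user_safe route is clean because the sanitizer clears the taint before the helper is entered. The framework-blind run reports nothing, which is exactly the blind spot the post describes: without a model of the framework's entry points there is no source to track, however good the dataflow engine is.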


Applications using web frameworks aren’t secure if the framework code has exploitable vulnerabilities or insecure configuration settings. Thus, scanning the application code alone isn’t enough. Static analysis must cover the combined stack of application code and the frameworks it uses. Some static analysis tools include a wide array of security-related checkers, many framework-specific. Checkers for Spring, Struts, Sequelize, and Socket.io are tuned to understand the frameworks’ behavior and interactions with applications. The result is high-accuracy findings and fewer false positives.

Broad coverage in a static analysis tooling solution frees up developers to focus on the application features and functionalities that require their attention and expertise. You need a solution that understands the programming languages you use as well as the web frameworks you build your applications on. Our white paper Enterprise or Open Source: Which SAST Tool Is Right for You? discusses these factors and offers recommendations.
