During our recent Coding Bootcamp I had several sessions covering a broad range of topics. One session looked at static analysis of your Delphi code. Static analysis, or to be more correct, static code analysis is a process that can locate sections of your app’s source code which, despite being syntactically correct and generating no compiler errors or warnings are, in fact, potential gaping security holes.
Compliance with GDPR, data protection laws, and HIPAA, is it really such a problem?
My session laid out a lot of reference material to make it clear that this is not FUD. I’m not trying to spread fear, but that doesn’t mean to say you shouldn’t be worried. The fines for failing to comply with GDPR and other data protection laws are astronomical. The current trend is for the fines and punishments to increase as our world moves ever more to everything being ‘online’ or ‘in the cloud’. Medical records, or indeed any personally identifiable data, even simple things like photos, are generally protected by a law, and that protection comes in the form of eye-watering financial penalties for non-compliance with best practices or breaches. If you’re a small business and you’re unlucky enough to fall foul of a hacker’s attentions, the fines and even less judicial enforcements such as having to provide free identity clean-up services to your clients might mean the end of your business and potentially personal financial ruin for you too.
I know that sounds a lot like scare-mongering – which is why the session contains a whole raft of facts and figures to back it up. Due to my role at the time, I was one of the original signatories and advisors to the first British Data Protection Act in the late 1980s. Times were simpler then, but governmental committees had already started to worry that the mass processing of data by computers exposed a risk which had not previously existed. The release of the excellent War Games movie caught the feeling of the moment with its fanciful depiction of David Lightman (Matthew Broderick) phone-phreaking free calls by using a Coke can ring pull on a public phone box and hacky high jinks such as altering Ally Sheedy’s school grades by simply overtyping them on ‘the school mainframe’.
But it doesn’t take the accidental triggering of global thermonuclear war to be in some serious legal trouble. Danish web hosting firm Cloud Nordic has just had to tell its entire customer base that all their data has been irretrievably lost due to a ransomware attack. Not a great day to be working on their support desk, I think.
How can static analysis stop hackers?
The crux of the movie [spoiler alert] is that there had been a ‘backdoor’ left in the military computer’s online menu. David could access the out-of-control war game computer by choosing an unlisted option: Falken’s Maze. But note something important: there is no bug. The code presumably compiles with zero errors (and, like all good Delphi coders: zero warnings) – and it runs correctly. Any automated user interface tool or unit tests would pass. The problem is that the original developer had left in hidden functionality – the Falken’s Maze backdoor.
The movie makes a lot of nonsensical leaps of faith, like Joshua, the computer, chasing Lightman around to any nearby phone with ubiquitous robotic text-to-speech seemingly existing at a time when I can assure you it definitely did not. But it does serve to illustrate a good point: code quality and security are not just about the syntax of your Delphi code being right.
Static analysis of your code by a tool with meaningful capabilities is the only way to lessen the burden on you.
What is static analysis?
Static code analysis examines all of the source code used in your application – including component libraries, runtime library, and other items such as resource files. It is called static analysis because it’s done directly from the source code without your app running. There is an adjunct to this which is dynamic analysis – checking the app while it is running but the session didn’t cover that.
What kind of things can static analysis find?
Well, a worrying number of things really! Everything from obvious errors like weak default passwords embedded in your code to inclusion of libraries with known vulnerabilities. A proper static code analysis tool goes a long way beyond that. For example, take a look at the following screen shot.
This is just a very small sub-section of 3,601 vulnerabilities found by static analysis of a medium-sized example Delphi app. As you can see, the call is using HTTP instead of HTTPS to open a web page. That’s the first error; the other, less obvious error is that it’s doing so using ShellExecute, which means it is vulnerable to a ‘man in the middle attack’ since the shell handler can be replaced, and quite easily for HTTP. A ‘grep’ search might have found the first condition, but only static analysis of the code would have found the second one. Unless, of course, you think you’re really capable of reading through the 836,394 lines of code manually and faultlessly spotting every single problem. Oh, and doing it again the next time you have a major release? Note that in this case the automated scan took 27 minutes to complete and gave you a full rundown of all the vulnerabilities found, including the exact line of code at which they occur.
What tool did Ian Barker use for static analysis in the “How secure is your app” webinar session?
The static analysis tool I demonstrated during the webinar was DerScanner from Embarcadero’s newest Technology Partner, DerSecur. DerSecur supplied the demo data you see in the session and these screenshots and as you can see DerScanner fully understands Delphi code at a very deep level of detail.
The pricing model is per scan, but that scan is hugely comprehensive and finds a frightening number of types of unintentional and, more importantly, intentional code vulnerabilities, backdoors, errors, and security holes.
Static code analysis doesn’t help you write code in the way that code completion, error insight, and compiler warnings do, but as I skimmed through the things it found I started to see how some common constructs in code are actually potential security risks. It was a bit of an eye opener, to be honest. Given the increasing complexity, variety, and frequency of hacking and other related attacks, I think it’s obvious that adding static analysis of your code to your release process not only gives you peace of mind but can also demonstrate due diligence to corporate customers and auditors too.
How Secure Is Your App? Video replay of Ian Barker’s static analysis Coding Bootcamp session
Here’s a replay of my Coding Bootcamp “How secure is your app” session.
How Secure Is Your App? Static analysis Coding Bootcamp session – Slides gallery
The image gallery below includes all of the slides used in the static code analysis session.