Static Source Code Analysis
Binary analysis and fuzzing are essential testing techniques for finding vulnerabilities. These techniques can be regarded as black-box testing/analysis techniques, because the testers do not see the source code. (Black-box testing is a method of software testing that examines an application's functionality without peering into its internal structures or workings. -Wikipedia) Web application penetration testing is another example of black-box testing. You will be doing web application penetration testing labs in Modules 10, 11, and 12.
Another essential software testing technique is static source code analysis (also known as static code analysis or source code analysis). Source code analysis is a white-box testing technique. There are many ways of performing it. It can be done without any special tools, in which case it is also known as peer review; it can be done with tools; or the two can be combined (a hybrid approach). Source code analysis is an integral part of the SDLC. In today's cloud environments, cloud-based source code analysis services are integrated into CI/CD pipelines in a fully automated way, including submitting tickets to project management tools (such as Azure Boards) and assigning the tasks to developers. Companies can find and subscribe to these services in the marketplaces of cloud providers and in places like GitHub.
In this lab, you will use an open-source command-line tool called bandit to analyze the source code of a web service written in Python. (https://pypi.org/project/bandit/)
To learn more about Github Marketplace, check out this link: https://openclassrooms.com/en/courses/5671626-manage-your-code-project-with-git-github/6152331-enhance-your-github-experience-with-extra-tools#/id/r-6225566
This virtual machine hosts the source code of a project named Vulpy. (https://github.com/fportantier/vulpy) Vulpy is a vulnerable web application developed in Python. In this lab, you will analyze the source code of the Vulpy project.
1. Open a terminal by clicking the terminal icon on the left menu.
2. Type “ll” to see the Vulpy project folder in the directory listing. It has already been cloned to the Ubuntu virtual machine using the following command:
git clone https://github.com/portantier/vulpy
3. Type bandit -r vulpy > result.txt to start the source code analysis. It takes a couple of seconds to complete, and the results will be written to the results.txt file.
4. Open the results.txt file in an editor and take a screenshot of the beginning of the report. You can use gedit (GUI), nano, or vi to open the file.
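As an added example (not part of this lab or of the Bandit project), the script below post-processes Bandit's JSON report (bandit -r vulpy -f json instead of the plain-text report from step 3) the way an automated pipeline stage from the introduction would: it counts findings per CWE and keeps only the findings worth turning into a ticket. The report content is a constructed sample; its file names, test ids and CWE numbers are assumptions, not taken from a real Vulpy scan.

```python
import json
from collections import Counter

# Constructed sample of a `bandit -r vulpy -f json` report, trimmed to the fields
# used here. Assumption: file names, test ids and CWE ids are illustrative,
# not copied from a real Vulpy scan.
SAMPLE_BANDIT_JSON = """{"results": [
 {"filename": "app/db.py", "line_number": 12, "test_id": "B608",
  "issue_severity": "MEDIUM", "issue_confidence": "LOW", "issue_cwe": {"id": 89},
  "issue_text": "Possible SQL injection vector through string-based query construction."},
 {"filename": "app/main.py", "line_number": 30, "test_id": "B201",
  "issue_severity": "HIGH", "issue_confidence": "MEDIUM", "issue_cwe": {"id": 94},
  "issue_text": "A Flask app appears to be run with debug=True."},
 {"filename": "app/auth.py", "line_number": 5, "test_id": "B303",
  "issue_severity": "MEDIUM", "issue_confidence": "HIGH", "issue_cwe": {"id": 327},
  "issue_text": "Use of insecure MD5 hash function."}
]}"""

# Bandit reports severity and confidence as LOW/MEDIUM/HIGH; rank them for comparison.
RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def load_findings(raw_json):
    """Parse the JSON report and return the list of findings."""
    return json.loads(raw_json)["results"]


def summarize_by_cwe(findings):
    """Count findings per CWE id, the key you look up at cwe.mitre.org."""
    return dict(Counter(f["issue_cwe"]["id"] for f in findings))


def gate(findings, min_severity="MEDIUM", min_confidence="MEDIUM"):
    """Pipeline gate: keep only findings whose severity AND confidence reach the
    thresholds, so noisy low-confidence hits do not block a merge by themselves."""
    return [f for f in findings
            if RANK.get(f["issue_severity"], 0) >= RANK[min_severity]
            and RANK.get(f["issue_confidence"], 0) >= RANK[min_confidence]]


def ticket_title(f):
    """One-line title for an auto-created work item (e.g. an Azure Boards task)."""
    return (f"[{f['issue_severity']}] {f['test_id']} CWE-{f['issue_cwe']['id']}: "
            f"{f['filename']}:{f['line_number']}")


if __name__ == "__main__":
    found = load_findings(SAMPLE_BANDIT_JSON)
    print("findings per CWE:", summarize_by_cwe(found))
    for f in gate(found):
        print("ticket:", ticket_title(f), "-", f["issue_text"])
```

Lowering the thresholds to LOW/LOW lists every finding, which is the view you want while writing up a single vulnerability for the questions that follow.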
1. Submit the screenshot.
2. Choose one of the vulnerabilities within Bandit results and describe the countermeasure(s) to mitigate the vulnerability.
3. Determine the CWE (https://cwe.mitre.org/) that describes the vulnerability that you chose. Explain the CWE.
4. Summarize the vulnerability and the corresponding action as if you are explaining it to a non-technical person.