6 security points to consider for your software

Would you say that the building pictured above is a safe building? I probably would not. It might even be less safe than I first thought. This concern applies not only to buildings but also to something we deal with every single day: software. Nowadays security in software is a significant issue, and rightly so. Have you ever stopped to consider that security risks could also be lurking in the very basis of your software, namely the source code? We touch on 6 points from our experience to help you get started with eliminating those risks. Safely towards the future!

1. Be aware of the changes that are made in the software

Our experience shows that change introduces risk. We live in a world where change is cemented into the foundation of every business. We all want to innovate, renew and, above all, meet the demands of our (potential) customers. To provide that degree of flexibility, IT must be able to grow in the direction of the business. This means frequent changes to your software, which in many cases is the engine of your business. Are you aware that each of these changes increases the likelihood of a security risk? That is only logical, and fortunately there is plenty you can do to stay in control.

2. Outdated software

Did you know that outdated software is not only a business obstacle but also a security risk? Outdated software was often not developed in the spirit of "security by design", and it may cause systems to become less stable and reliable over time. Of course you always want to be able to rely on your software, especially when a lot of it has to change.

3. Open source

The use of open source components is becoming more common. We, like (in our view) every IT company, welcome this. Yet there are still some snags in the use of open source. Do you know whether all of your open source components are up to date? Security issues may have been found in earlier versions, so you may be running a greater risk than you think. It all starts with the question: which open source components do I use, and which open source components do those components use in turn? Do you know?

4. Specific source code security risk: SQL (Structured Query Language) injection

These are all valid points, but what exactly can go wrong in the source code? Take a so-called SQL injection: an attack technique that is frequently used against applications and websites. Using such an injection, data may be extracted from a database or changed, and in some cases you can actually lose control of your server. So there are plenty of things that can cause headaches. What can you do about it? By protecting your source code at its base, you can make it impossible for outsiders to get in through your source code. To do this, you first need a full understanding of your source code, and source code reviews can give you that.

5. Secure Programming: everything must be consistent

With a transfer of money, the amount debited must equal the amount credited. If not, money has disappeared. The same comparison applies to the data that many applications handle, and it applies to each application in its own way. Of course you know this as a developer, but under the general pressure of time, inconsistencies creep in more often than we would like. Consistency in programming is a factor that contributes to the reliability and security of applications. Are you aware of how consistently your programmers go about their work?
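Points 4 and 5 above are easiest to see side by side in code. The following is an added example, not code from the original post or from Omnext: a constructed in-memory SQLite database (the table and account names are invented for the example) with a lookup that pastes caller input into the SQL text next to its parameterised fix, and a money transfer in which the debit and the credit are one unit of work so that a failed credit rolls the debit back.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory sample database (not Omnext data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                     [("alice", 100), ("bob", 50)])
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Point 4, the defect: caller input is pasted into the SQL text, so input
    containing a quote character can change the structure of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Point 4, the fix: the input is bound as a parameter. The query structure
    is fixed by the program; the database only ever sees the input as a value."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def transfer(conn, src, dst, amount):
    """Point 5: debit and credit are one transaction. If the credit cannot be
    applied, the debit is rolled back, so the sum of all balances never changes."""
    if amount <= 0:
        return False
    try:
        with conn:  # sqlite3: commits on success, rolls back if an exception escapes
            debited = conn.execute(
                "UPDATE accounts SET balance = balance - ? "
                "WHERE owner = ? AND balance >= ?",
                (amount, src, amount)).rowcount
            if debited != 1:
                raise ValueError("unknown source account or insufficient funds")
            credited = conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE owner = ?",
                (amount, dst)).rowcount
            if credited != 1:
                raise ValueError("unknown destination account")
    except ValueError:
        return False
    return True


def balance(conn, owner):
    """Balance of one account, or None if the account does not exist."""
    row = conn.execute("SELECT balance FROM accounts WHERE owner = ?", (owner,)).fetchone()
    return None if row is None else row[0]


def total_balance(conn):
    """The consistency check from point 5: this total must not change across transfers."""
    return conn.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote character
    print("unsafe lookup:", find_user_unsafe(db, probe))  # every user is returned
    print("safe lookup:  ", find_user_safe(db, probe))    # no such user: []
    print("valid transfer:", transfer(db, "alice", "bob", 30), "total", total_balance(db))
    print("failed transfer:", transfer(db, "alice", "nobody", 10), "total", total_balance(db))
```

The unsafe and safe lookups differ in one line only, which is exactly why a review of the source code is needed to tell them apart. The transfer shows what "consistent" means in practice: the two updates either both apply or neither does, and `total_balance` is the check a reviewer can run to confirm it.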

6. Control and understanding: you can only eliminate risks with a full scope

A review of source code provides an overview of the risks and other imperfections in the source code. Such a review may be carried out manually or automatically, and in many cases a combination of both is recommended. Why? According to experts, an automated review is fast, but it often produces false positives and it will not recognise every weakness. Here we would like to convince you that Omnext provides a complete service: a rapid, objective and automated review overseen by in-house experts who remove the false positives, discover patterns and at the same time focus on your situation and on the results that matter to your organisation. The result is customised advice based on objective observations of the entire source code. Know where you have to start!

Which of these points would you tackle first?

Anna Willems

Brand Manager

Anna Willems is brand manager at Omnext, a company specialising in measuring and analysing the source code of software applications with the aid of Fit Tests and Stay Fit programs. Anna has a clear vision on combining IT and business, from a marketing perspective, and on how information from the source code can support business initiatives.

Source code revitalisation, a diet for Uniface® applications

I have just been inspired by our Minister for Public Health, Edith Schippers, who is calling for our food and lifestyle to be made healthier. For me, every other day is an opportunity to pick up issues that have not been addressed before. Personally, and given my age, I think I am in quite good shape :). So I will focus only on software, for example a diet for Uniface® applications.

Using up source code

A characteristic of applications built in Uniface® is that they have invariably been supporting critical business processes of organisations for many years. In fact, these types of applications are functionally everlasting. A characteristic of applications that have been in operation for this long is that they suffer from a form of source code overweight. This is because software developers rarely get the opportunity for a "balance day", which is needed to remove excess functionality from the source code. Functional fat then accumulates on the application body.

Experienced, but also Fit?

These applications, which embody extensive knowledge of the business processes, are expected to move with changing demand and technological developments. Fortunately, the Uniface® development product provides opportunities for this, so a vital old age is within reach for these applications.

The diet …

To keep your application up to par, it helps to first get the application to the right weight. This can be done by identifying source code overweight, such as the fat in complexity and in duplicate and unused source code. After that, it helps to focus the training on losing weight around the vital parts. Experience shows that these usually make up only 20% to 30% of the application body.

Take action!

This brings me to the older but socially so important applications. They too are entitled to a vigorous old age. If world power can be in the hands of a pensioner who uses the latest technologies, then our software crown jewels certainly deserve a vital future, and this within an ecosystem of new technological applications.

Jaco de Vries

Jaco is director at Omnext, a company that investigates the vitality of software applications with the aid of Fit Tests and Stay fit programs.

CEO Omnext

The Health Check on your dashboard

The Omnext® Portal is equipped with a management dashboard that shows an overview of the Health Check quality model. The Progress diagram shows the changes in violations in your source code. As explained in the previous article about the Health Check, the selected standards and guidelines rules show various results, ranging from the number of violations to the exact limits for each rule.

When looking at a large number of violations it can be hard to identify the new ones. In this case you can hide one or more of the objects by clicking on their text in the legend.

(Figure: Health Check Dashboard)

Example: in the dashboard shown above, the Unresolved issues have been hidden, which gives you a clearer overview of how many resolved and new issues have been found in your source code.

New: A city map to visualize your source code

The Omnext® Portal has been updated with a new quality model: the Health Check. Using a diagram that visualizes the source code as a city map, violations in the system can be shown. Just like a real city, the map contains different districts and buildings. The higher the building, the more violations it contains. The city map shows the progress of the Standards & Guidelines that are relevant to you, our client. When the portal is delivered for the first time, the standards and guidelines are selected by Omnext. After that, the standards and guidelines can be configured by the client.

Health Check widgets

In the picture shown above you can see an example of the city map. The widgets shown above it relate to the object that is selected in the tree view on the left side of the screen. Unresolved issues are violations that were present at the previous analysis and are still present. New issues are violations that have appeared between the two analyses, and Resolved issues are violations that were solved between the analyses. The Progress widget shows the relationship between the resolved, unresolved and new issues: a positive number means that more issues have appeared than have been solved, and a negative number means the exact opposite.

Health Check details


The Details tab shows exactly where the different violations can be found in the source code. The list shows the standards and guidelines that were selected beforehand and marked as relevant. Every rule is shown separately with its number of violations, each of which is either resolved, unresolved or new.

The list below shows the individual objects with violations. Using the Relevance column, priorities can be set for which issue to resolve first. Relevance is determined by the number of violations (sometimes the size of the violations matters too), the priority of the violation, the volatility (how many times the object has been changed) and the afferent coupling (how many times the object is invoked).

The Toxicity column shows how many of the selected standards and guidelines are violated. The remaining columns show the results of the individual standards and guidelines rules. When no violations are detected on an object, a green checkmark is shown. When violations are detected, the number shown is the actual measured value. The limits of each rule are shown in the list as well. For example, AvoidLongUnits shows 67 as the number of lines of code; the limit is 50, so the unit violates this rule.
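The two kinds of bookkeeping described in this article, a rule compared against its limit (the AvoidLongUnits example just above, limit 50) and the Progress widget's split of violations into unresolved, new and resolved between two analyses, are small enough to spell out. The following is an added example, not Omnext's code or the portal's actual rule engine: it uses a constructed toy source syntax in which a line `unit NAME` opens a unit, and constructed unit sizes for a "previous" and a "current" analysis. The unit names and sizes are invented for the example.

```python
import re

# Limit quoted on the page for AvoidLongUnits: a unit of more than 50 lines violates the rule.
AVOID_LONG_UNITS_LIMIT = 50

# Constructed unit sizes for two successive analyses of the same codebase (not real portal data).
PREVIOUS_SIZES = {"Parse": 67, "Render": 55, "Util": 10}
CURRENT_SIZES = {"Parse": 67, "Render": 30, "Util": 10, "Export": 80, "Notify": 52}


def make_source(unit_sizes):
    """Build constructed toy source text. 'unit NAME' opens a unit (a hypothetical
    syntax chosen for this example); every following non-blank line is a line of code."""
    return "\n".join(
        "unit " + name + "\n" + "\n".join("step()" for _ in range(size))
        for name, size in unit_sizes.items())


def split_units(source):
    """Return {unit name: lines of code} for the toy syntax above."""
    units, current = {}, None
    for line in source.splitlines():
        header = re.match(r"unit (\w+)\s*$", line)
        if header:
            current = header.group(1)
            units[current] = 0
        elif current is not None and line.strip():
            units[current] += 1
    return units


def check_avoid_long_units(units, limit=AVOID_LONG_UNITS_LIMIT):
    """One Health Check rule: for every unit over the limit, the actual value next
    to the limit, as the details list shows it (67 against 50 in the article)."""
    return {name: {"actual": size, "limit": limit}
            for name, size in units.items() if size > limit}


def progress(previous, current):
    """Classify violations as the dashboard widgets do: unresolved = present in both
    analyses, new = only in the current one, resolved = only in the previous one.
    The Progress figure is new minus resolved: positive means more issues appeared
    than were solved, negative the opposite."""
    prev, cur = set(previous), set(current)
    return {
        "unresolved": sorted(prev & cur),
        "new": sorted(cur - prev),
        "resolved": sorted(prev - cur),
        "progress": len(cur - prev) - len(prev - cur),
    }


def run_example():
    """Run both analyses over the constructed sources and compare them."""
    previous = check_avoid_long_units(split_units(make_source(PREVIOUS_SIZES)))
    current = check_avoid_long_units(split_units(make_source(CURRENT_SIZES)))
    return previous, current, progress(previous, current)


if __name__ == "__main__":
    prev_violations, cur_violations, widgets = run_example()
    print("previous analysis:", prev_violations)
    print("current analysis: ", cur_violations)
    print("widgets:", widgets)
```

Running it, Render drops off the list because its size fell under the limit (resolved), Parse is still over the limit (unresolved), and Export and Notify are new, so the Progress figure is +1: one more violation appeared than was solved, which is what the article's positive number means.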

Standards and guidelines

(Figure: Health Check Dashboard)

The Standards & Guidelines tab, as well as other tabs that show standards and guidelines, such as Cloud Readiness, contains the rules that can be selected for the Health Check quality model. Besides selecting individual rules, priorities can be selected as well; the violations belonging to the selected priorities are then shown in the Health Check.