Fasoo introduction - rosaec.snu.ac.kr (rosaec.snu.ac.kr/meet/file/20140730l.pdf) · analyzer checker implementation...
Static Program Analysis Solution (PA)
Content Publishing Service (e-Publishing Service)
Cloud Security Service (Secure Cloud Service)
Enterprise Document Security Solution (Enterprise DRM)
Fasoo Program Analysis
SPARROW Development Process (diagram)
Source code management tool (Git): source code registration; source code fetching
Issue management system (Redmine): task assignment
Continuous integration tool (TeamCity): build automation; reports; integration with the other tools
Automated testing server
Code implementation
Gartner Report
This research note is restricted to the personal use of [email protected]
Figure 1. Evolution of Application and Security Technologies (axes: Time vs. Accuracy and Breadth of Detection)
Early 2000s: isolated - SAST or DAST
2006: combined - SAST, DAST
2009: correlated - SAST+DAST
2011: interactive - IAST
Source: Gartner (November 2011)
SAST and DAST Technologies
SAST technology analyzes application source, byte or binary code for security vulnerabilities at programming and/or testing software life cycle (SLC) phases. SAST includes several technology advantages: Vulnerability analysis starts early in the SLC, making remediation inexpensive; SAST determines the location of the detected (or rather, a suspected) vulnerability because it analyzes the actual application code.

SAST technology, at the same time, has a serious weakness/limitation: It analyzes not a real application, but just the code. A detected vulnerability might never be executed (let alone be exploited) in the application's "real" life, at the operation phase of SLC (see Figure 2). What's worse is that the suspected vulnerability may not be a real vulnerability at all, but a "false positive." Moreover, SAST technologies can't detect configuration vulnerabilities created at runtime.
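The SAST behaviour the Gartner text describes, as an added example that is not part of the original slides, of SPARROW, or of the Gartner note: a minimal flow-sensitive but path-insensitive taint checker over a constructed three-address IR. The rule names (read_input, escape_shell, system, is_alnum, log, reject) and the four sample programs are assumptions made for illustration. It shows the checker pin-pointing a real flaw by source line, reporting a sink on a branch that can never execute, and reporting a false positive where a validation routine the rule set does not model actually guards the sink. The runtime-configuration limitation cannot be shown from code at all, which is exactly the point.

```python
# Added example: a toy SAST taint checker over a constructed IR (not SPARROW's code).
from typing import Dict, List, Tuple

TAINTED, CLEAN = "tainted", "clean"

# Rule set a checker would ship: which callees introduce, neutralise, or
# dangerously consume attacker-controlled data. The names are assumed.
SOURCES = {"read_input"}
SANITIZERS = {"escape_shell"}
SINKS = {"system"}

State = Dict[str, str]
Finding = Tuple[int, str, str]  # (source line, sink function, tainted argument)


def eval_expr(expr: tuple, state: State) -> str:
    """Abstract value of an expression: TAINTED or CLEAN."""
    kind = expr[0]
    if kind == "const":                 # ("const", value)
        return CLEAN
    if kind == "var":                   # ("var", name)
        return state.get(expr[1], CLEAN)
    if kind == "call":                  # ("call", fn, [arg names])
        fn, args = expr[1], expr[2]
        if fn in SOURCES:
            return TAINTED
        if fn in SANITIZERS:
            return CLEAN
        # Unknown callee: taint flows through from any tainted argument
        # (sound for this toy, but a source of imprecision).
        if any(state.get(a, CLEAN) == TAINTED for a in args):
            return TAINTED
        return CLEAN
    raise ValueError(f"unknown expression {expr!r}")


def join(a: State, b: State) -> State:
    """Merge the states of two control-flow paths; tainted wins."""
    return {v: TAINTED if TAINTED in (a.get(v, CLEAN), b.get(v, CLEAN)) else CLEAN
            for v in set(a) | set(b)}


def analyze_block(block: list, state: State, findings: List[Finding]) -> State:
    state = dict(state)
    for stmt in block:
        op, line = stmt[0], stmt[1]
        if op == "assign":              # ("assign", line, dst, expr)
            state[stmt[2]] = eval_expr(stmt[3], state)
        elif op == "call":              # ("call", line, fn, [arg names])
            fn, args = stmt[2], stmt[3]
            if fn in SINKS:
                for arg in args:
                    if state.get(arg, CLEAN) == TAINTED:
                        findings.append((line, fn, arg))
        elif op == "if":                # ("if", line, cond var, then_block, else_block)
            # Path-insensitive: the condition is never evaluated, so both arms
            # are analysed even when one of them can never run.
            then_state = analyze_block(stmt[3], state, findings)
            else_state = analyze_block(stmt[4], state, findings)
            state = join(then_state, else_state)
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return state


def analyze(program: list) -> List[Finding]:
    """Run the checker over a whole program and return its findings."""
    findings: List[Finding] = []
    analyze_block(program, {}, findings)
    return findings


# Constructed sample programs (line numbers are part of the IR).
# 1. Real flaw: attacker input reaches a shell unsanitised.
TRUE_POSITIVE = [
    ("assign", 10, "cmd", ("call", "read_input", [])),
    ("call", 11, "system", ["cmd"]),
]
# 2. Reported, but never executed: the guarded branch is dead at runtime.
DEAD_PATH = [
    ("assign", 20, "cmd", ("call", "read_input", [])),
    ("assign", 21, "debug", ("const", 0)),
    ("if", 22, "debug", [("call", 23, "system", ["cmd"])],
                        [("call", 25, "log", ["cmd"])]),
]
# 3. False positive: is_alnum() really guards the sink, but the rule set does
#    not list it as a sanitiser, so the checker cannot know that.
FALSE_POSITIVE = [
    ("assign", 30, "name", ("call", "read_input", [])),
    ("assign", 31, "ok", ("call", "is_alnum", ["name"])),
    ("if", 32, "ok", [("call", 33, "system", ["name"])],
                     [("call", 35, "reject", [])]),
]
# 4. Modelled sanitiser on the path: no finding.
SANITIZED = [
    ("assign", 40, "name", ("call", "read_input", [])),
    ("assign", 41, "safe", ("call", "escape_shell", ["name"])),
    ("call", 42, "system", ["safe"]),
]

if __name__ == "__main__":
    for label, prog in [("true positive", TRUE_POSITIVE), ("dead path", DEAD_PATH),
                        ("false positive", FALSE_POSITIVE), ("sanitized", SANITIZED)]:
        print(f"{label:15s} -> {analyze(prog)}")
```

Each finding carries the source line of the sink, which is the locality advantage the note credits to SAST. The second and third programs produce findings that look identical to the first one; only running the application (DAST/IAST) or a human triage pass can tell them apart, and neither a constant branch condition nor an unmodelled validator is visible to a checker that only sees this much of the code.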
Figure 2. SAST and DAST — Strengths and Limitations (software life cycle phases: Analysis, Design, Programming, Testing, Operations)
SAST: preproduction code testing; known vulnerability origin
DAST: real app testing; unknown vulnerability origin
Source: Gartner (November 2011)
Gartner, Inc. | G00224968 Page 3 of 9
SPARROW