Enhancing Open Source Software Security with CodeSonar – A Case Study on wolfSSL
Open source software is crucial to software development. It is relied on for countless applications, platforms and operating systems, from Linux and web servers to IoT and embedded devices. However, even the most rigorously tested open source projects may still contain defects and vulnerabilities. This post explores how Static Application Security Testing (SAST) tools, such as CodeSonar, can significantly improve open source software security. To illustrate this, a case study involving the well-known open source project wolfSSL is used as an example.
Helping with the “Best-Tested” SSL/TLS
wolfSSL is renowned for being one of the best-tested open source SSL/TLS and cryptography libraries. It’s also designed for the resource constraints typical of embedded devices with excellent speed, code size and portability.
We decided to take a look at the wolfSSL codebase and see if we could detect potential defects that may have eluded even the most thorough testing efforts. What transpired was a collaboration between CodeSecure and wolfSSL to enhance the security of this critical open source project.
CodeSonar – Early Detection
CodeSecure CodeSonar, a SAST tool, unlike traditional run-time testing, aims to identify and address issues as early as possible, right when developers are writing the code. The primary goal is defect detection and prevention, with a focus on finding vulnerabilities before they can propagate through the development process. Early detection and removal are the lower risk, lower cost way to deal with security vulnerabilities.
CodeSonar was set up to perform static analysis on the wolfSSL codebase, specifically on the nightly snapshot branch. This approach allows early detection, triggered by the daily contributions to the code: when developers implement new features or resolve defects, CodeSonar analyzes those new changes. Bugs caught early mean they don’t foul up unit testing down the road. There is the obvious quality and security improvement, but also a reduction in testing effort.
Depth of Analysis
Most SAST tools provide a wide range of “rules” or “checkers” for security issues. This is known as “breadth of analysis”: the variety of security vulnerabilities and coding practices that the tool can detect. It ensures comprehensive coverage of potential bugs and vulnerabilities across various programming languages and frameworks, aiding in compliance with industry standards and risk mitigation.
Depth of analysis, on the other hand, refers to how thoroughly the tool can investigate the root cause of a detected bug or vulnerability. It provides more accurate results by reducing false positives and negatives, allowing developers to focus on genuine security concerns. It was the depth of analysis that CodeSonar provides that mattered here, both in finding especially tricky vulnerabilities and in supplying the comprehensive information needed to fix them. This includes detailed information on the software weakness detected and the trace information needed to find and fix the root cause.
The combination of breadth and depth in SAST tools is crucial for comprehensive coverage of security issues. Depth is particularly important as it uncovers complex bugs and vulnerabilities that may not be easily detectable through other testing and analysis techniques. It also explores paths within the code, enabling the identification of potential security flaws that arise due to specific combinations of control flow and data values.
CodeSecure and wolfSSL Collaboration
The collaboration with wolfSSL began when I detected a few interesting issues in their codebase while doing some research on my own. After submitting the issues to the project, wolfSSL agreed to work with us on integrating CodeSonar into the project.
As stated above, CodeSonar now runs on wolfSSL’s nightly snapshot branch. This collaboration serves, first, to uncover issues within the existing codebase and, second, to detect vulnerabilities in new code as it is introduced. Detection of vulnerabilities is what people usually associate with SAST tools; however, prevention is also important, as it keeps new defects (security, quality, etc.) out of newly written code.
CodeSonar is offered as a hybrid solution, with on-premise and SaaS availability. A SaaS solution is a good option in this collaboration since wolfSSL doesn’t need to provide hardware to run CodeSonar.
The typical developer workflow with CodeSonar involves cloning the repository, creating a branch, implementing code changes, and running SAST analysis using CodeSonar. Developers can resolve warnings before merging their code into the main repository. The real-time feedback developers get, plus the detailed trace information, makes it easy to rectify any flagged issues.
Path analysis in CodeSonar shows the route through the source code that triggers a particular warning. This is valuable information for developers, as it leads to the root cause of the warning. The path can include conditional statements where certain conditions might lead to errors. Call graphs, which are also available in CodeSonar, illustrate how functions are interconnected and identify the functions that contribute to a problem, giving developers a clear roadmap to resolving issues.
Static Application Security Testing tools like CodeSonar play a pivotal role in enhancing the security of open source software projects like wolfSSL. By integrating SAST early in the development process, defects and vulnerabilities can be identified and addressed before they become embedded in the codebase. The collaboration between CodeSecure and wolfSSL serves as a case study of how open source projects can benefit from SAST.