Automate review for security risks with source code analysis

Security issues are created in custom code when developers cut corners during development or don't make proper use of the APIs, among other reasons. There are several ways to discover such issues, including peer review, code scanners, vulnerability scanning, and even by being exploited, though that last one is certainly undesirable! While each has its place and individual merits, let's talk about security-focused source code scanning for Drupal and preview Acquia's static code analysis, in development for Acquia Insight.

Being open source and because of its long development and use, Drupal core has been heavily peer reviewed. But the thousands of contributed modules and themes are usually only reviewed by a handful of developers at most and may have left easy-to-exploit security holes. Furthermore, from security audits of actual Drupal sites we know that most vulnerabilities exist in custom modules or themes (see drupalsecurityreport.org for more).

Clearly we need to make it harder to introduce vulnerabilities by making stronger APIs, better defaults, easier DX, and better documentation; but code review is a necessity of software development and something we can adapt to help us spot security risks.

Code review

Reviewing code is time-consuming and difficult to make routine. Implementing automated source code scans can save time by focusing human involvement on reviewing potential risks and enhancing system stability with more accurate and usable results. Static code analysis tools look at source code for syntax errors, violations of coding standards, and possible security and best-practice errors. By scanning the source code these tools can pinpoint the file and specific line where issues might best be resolved. These scans allow developers to review and prioritize issues in the greater context of the application.

Source code analysis for Drupal is not new; you've probably seen or used it in the Coder module. Coder now uses PHP CodeSniffer for its coding standards review. PHP CodeSniffer is a PHP tokenizing project for detecting violations of coding standards and language best practices. Coder's PHPCS checks implement the Drupal coding standard, so you can be sure your code is following best practices.

Acquia's source code analysis service builds upon PHP CodeSniffer to detect insecure patterns in Drupal code so you can catch vulnerabilities before they've made it onto your production site. Simple mistakes like printing node titles or fields without sanitization or filtering could open your site up to a Cross Site Scripting attack. Source code analysis can trace variables, function calls, and properties through your code and alert you to possible issues. For example, a node title returned in a custom callback function might be a vector for a Cross Site Scripting attack. Use of that variable is discovered and traced, and an error is raised if it's not passed through one of Drupal's methods for text filtering.
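To make the tracing concrete, here is an added example that is not Acquia's CodeScan or Coder code: a small Python taint trace over a constructed PHP snippet that follows a node title through assignments and flags any print, echo or return that outputs it without going through one of Drupal 7's text-filtering functions.

```python
import re

# Added example, not Acquia's own sniff: a minimal taint trace in the style the post
# describes. Node titles and field values are untrusted; they are followed through
# simple assignments, and output that skips a Drupal filtering function is flagged.
SANITIZERS = ("check_plain", "filter_xss", "filter_xss_admin", "check_markup")
SOURCE_RE = re.compile(r"\$\w+->(?:title|body|field_\w+)")  # untrusted node data
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?);\s*$")
SINK_RE = re.compile(r"^\s*(?:print|echo|return)\s+(.+?);\s*$")
SANITIZED_RE = re.compile(r"\b(?:%s)\s*\(" % "|".join(SANITIZERS))

def _is_tainted(expr, tainted):
    # The expression reads node data directly or a variable already marked tainted.
    return bool(SOURCE_RE.search(expr)) or any(
        re.search(r"\$%s\b" % re.escape(v), expr) for v in tainted)

def scan(php_source):
    """Return [(line_no, expression)] for unfiltered node data reaching output."""
    # Simplification: a sanitizer call anywhere in an expression clears it, so
    # 'check_plain($a) . $node->title' is missed; a real sniff walks the tokens.
    tainted, findings = set(), []
    for no, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            name, rhs = m.group(1), m.group(2)
            if _is_tainted(rhs, tainted) and not SANITIZED_RE.search(rhs):
                tainted.add(name)
            else:
                tainted.discard(name)  # reassigned to a clean or filtered value
            continue
        m = SINK_RE.match(line)
        if m and _is_tainted(m.group(1), tainted) and not SANITIZED_RE.search(m.group(1)):
            findings.append((no, m.group(1).strip()))
    return findings

# Constructed sample: one callback mixing filtered and unfiltered output.
SAMPLE_PHP = """<?php
function example_page_callback($node) {
  $title = $node->title;
  $heading = '<h1>' . $title . '</h1>';
  $safe = check_plain($node->title);
  print $heading;
  return $safe;
}
function example_summary($node) {
  return $node->field_summary['und'][0]['value'];
}
"""
```

Running `scan(SAMPLE_PHP)` reports lines 6 and 10, while the `check_plain()` path on line 7 is left alone.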

Acquia CodeScan - DrupalCon preview

You can try out the preview of source code security analysis with the Acquia CodeScan module or come by our DrupalCon booth for a demo!

Try Acquia CodeScan

The security tests are still in early development and need to be expanded for the multitude of ways to write Drupal code, but I hope this gives an indication of the value of adding source code analysis to your review processes. The CodeScan module is a drush command wrapped around the CodeSniffer tests and is not meant to be permanent. If you'd like to help develop the actual checks you can find them at my sandbox project. We plan to tightly integrate this with Acquia Network and Cloud to help reduce the security risks to your websites. Other uses include automated review of projects hosted on Drupal.org as part of continuous integration testing and in the project application process http://groups.drupal.org/code-review.

Comments

Posted on by Scott Whittaker (not verified).

Hi Ben,

This looks really interesting, will it be available to the Drupal community at large, or will it be restricted to sites hosted on Acquia?

Posted on by bjeavons.

Hi Scott, thanks for your comment.

The actual code running the analysis is already available in a drupal.org sandbox as linked in the final paragraph. It's very early in development so I'm very intentionally making that clear (such as calling this a "preview") since it needs much more refinement.

Note that part of this is the application lifecycle maintenance use that Insight provides by giving visibility into these results in a unified dashboard. That part lives outside of the module.
