We experience data breaches for a number of reasons, from hacking to carelessness to (sometimes famously) disgruntled employees. Software assurance company Secure Decisions says the Department of Homeland Security has traced many recent data breaches to poorly written software. The number of US data breaches reached a record high in 2014, according to the Identity Theft Resource Center, an increase of 27.5 percent over the breaches reported in 2013.
This notion of software assurance emphasizes the need for Quality Control (QC) and code integrity throughout the software development lifecycle. Secure Decisions develops its Code Dx analysis tool for software developers and security analysts to “find, prioritize and visualize” vulnerabilities in production software code. The firm has recently completed the integration of Code Dx with Microsoft Visual Studio and Eclipse (both Integrated Development Environments), as well as with Git (a revision control system) and Jenkins (an open source Continuous Integration tool).
Integrity for Microsoft Visual Studio & others
The concept is straightforward enough: software application developers can use Microsoft Visual Studio or Eclipse with the Code Dx plugin before they reach the testing process they would normally undertake once they step outside their IDE. Obviously, fixing bugs inside the IDE before testing eliminates a lot of back and forth (and saves time and money), if it all works.
Secure Decisions claims that by using Static Application Security Testing (SAST) tools, vulnerabilities can be identified during the development cycle and as part of the acquisition (deployment and installation) process.
“Code Dx helps eliminate weaknesses in software before hackers have a chance to exploit them. Developers can feed their source code into Code Dx anytime during the software development lifecycle and Code Dx automatically selects and runs the appropriate open-source SAST tools for each language in the software code base,” said Secure Decisions director Anita D’Amico. “The primary focus of our development team for version 1.6 was integration. By providing integration with popular development tools, Code Dx enables a more streamlined process to continually include security in the software development lifecycle.”
Through the integration with Git, Code Dx users now need only configure it once and point Code Dx directly at their source code repository; Code Dx will then automatically fetch the source and run it through the scanners. This saves users from having to package up their source code each time, push it to Code Dx and scan it.
Finally, looking at Jenkins as a popular continuous integration server for Java environments, the Code Dx plugin can sit on the same project — as Jenkins processes the code and finds any errors, it can then pass build artifacts over to Code Dx to be scanned for vulnerabilities.
Homeland security pedigree
According to the Department of Homeland Security Software and Supply Chain Assurance website, “Software is essential to the operation of the nation’s critical infrastructure. Vulnerabilities in software can jeopardize intellectual property, consumer trust, and business operations and services. A broad spectrum of critical applications and infrastructure, from process control systems to commercial application products, depend on secure, reliable software. Software assurance (SwA) is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner.”
Code Dx was in fact developed under the Department of Homeland Security Science & Technology Directorate’s Small Business Innovative Research program. In terms of usage here — yes, you can consider software application developers the key users, but this software will also be on the radar for workers with job titles including security auditor, compliance officer and quality assurance engineer.