For Software Developers

You’ve been hearing more and more often that application security is becoming critical, and that YOU, the developer, will be a key player to solve the software security problem in house.

The first thing you do is groan: “Not that security stuff again. I don’t know anything about how to write secure code, and now I’m expected to all of a sudden be a genius at fixing broken code?” It’s never been your job, and you’d like to avoid it as much as possible.

But here’s the deal: this is the first security problem that your in-house security team can’t solve without you, the developer. The security analysts aren’t professional programmers, and most wouldn’t know how to write even a simple application for the company picnic, let alone a customer-facing web app that could inadvertently expose confidential customer and product information. Yet if an attacker exploits a vulnerability in YOUR code and puts your company or its customers at risk, the security team will be visiting you to find out when and how those vulnerabilities got into your code, and how you’re going to fix them. It’s frustrating. When you signed on to your job, you were not supposed to be responsible for security, and software security testing is just a major pain that prolongs an already-too-short development process.

But software security is becoming more and more critical in a world run by customer-facing apps on the web, and according to the Department of Homeland Security, 90 percent of security incidents today can be traced back to vulnerabilities inadvertently inserted during the software development life cycle (SDLC). If you are among the majority of developers who were never taught secure coding techniques, you’re facing a dilemma. You certainly don’t want to build software that is inherently insecure, yet you don’t have the tools, or the time to configure them, to check your applications for security.

There is light at the end of the tunnel: Code Dx was built with the developer in mind so that you can check the security of the code you’re building as you build it, before the security team gets their hands on it.

Traditionally, in order to adequately test the security of an application, the security analysts (often near the time of software release) would have to run multiple static application security testing (SAST) tools on the source code and dynamic application security testing (DAST) tools against the running application. They would spend a lot of time just downloading, configuring, learning the interface of, and running the SAST or DAST tools, one at a time. And “AppSec” best practices say that to find most of the vulnerabilities, the security analysts have to run multiple SAST and DAST tools, making it even more time-consuming. After running all these tools against your code, each security analyst would then need to enter by hand the thousands of software weaknesses found by the tools into a spreadsheet and generate reports of the potential vulnerabilities to be put onto YOUR desk. If you’re lucky, the security team will have prioritized the code weaknesses based on an industry standard such as the OWASP Top Ten, so you would at least know which vulnerabilities are the most important to fix first.

How developers can quickly find vulnerabilities in their code using Code Dx

Here’s where Code Dx comes in. As a developer, you can use Code Dx Stat! to automatically run pre-configured SAST tools against your source code early in the SDLC to find both quality and security weaknesses in your code. In fact, if the source code to be analyzed is stored in Git, Code Dx will connect to the Git source control management system to retrieve the source code prior to running the SAST tools. That way, you can fix any found vulnerabilities before you release your code to the security team. And it’s easy to use because Code Dx integrates with your Eclipse or Visual Studio Integrated Development Environment (IDE) so it slips easily into your workflow. You feed your code into Code Dx and it figures out which languages your code is written in, selects the right SAST tool(s), runs the tools automatically, and gives you a report of the results down to the line of code where a potential vulnerability occurs. If you don’t have the source code, Code Dx automatically uploads the DAST testing results to give you the same kind of report of where the vulnerabilities are.

In addition to finding software weaknesses, Code Dx tells you which ones are considered to be the most severe based on industry standards such as OWASP Top Ten, CWE/SANS Top 25 or the Web Application Security Consortium (WASC) to guide the prioritization and remediation process. In fact, Code Dx gives you the ability to assign and track the vulnerabilities to be fixed, and offers remediation guidance through integration with the JIRA issue tracking system. It also provides support for custom JIRA fields. Finally, Code Dx runs special tools on those third party libraries you’ve incorporated into your code, and tells you if those libraries have known vulnerabilities.


Further along the SDLC, you or your security team may want to conduct dynamic penetration testing of your web app using Dynamic Application Security Testing (DAST) tools. Whereas SAST or “white-box” testing performs a deep analysis of the actual code to find vulnerabilities early in the SDLC, DAST tests the entire application while it is running. DAST is sometimes called “black box” testing because it mimics what the attacker would see without knowing the source code. If you or your security team wants to run a hybrid combination of both SAST and DAST tools, or combine either of those results with the findings from your manual code reviews, then you’ll want to use Code Dx Enterprise. Enterprise consolidates the results from manual code reviews with the results from SAST and DAST (open source and commercial) testing tools in one centralized console that can be used to run and track the entire remediation process. As a result, it is extremely easy to get a clear, prioritized picture of the application’s quality and vulnerability issues to be able to make confident decisions on how to address these problems.

Whether you run Enterprise or Stat!, Code Dx installs and runs in minutes, normalizes the results, and presents them in a visual display making it easy to triage and prioritize results, assign and track remediation, and collaborate within the development team and with the security team.

Overall, what Code Dx allows you and your development team to do is:

  • Combine and normalize the output from commercial tools with the output from all the open source and free tools into a single consolidated set of results on a common severity scale
  • Display the overlapping results of individual tools
  • Compare the results between tools
  • Map the results to the most widely held community standards, including the Common Weakness Enumeration (CWE); the Open Web Application Security Project (OWASP) Top 10; CWE/SANS Top 25; the Payment Card Industry Data Security Standard (PCI DSS); CERT Java and C/C++ coding standards; Seven Pernicious Kingdoms (7PK); the Web Application Security Consortium (WASC); the Comprehensive, Lightweight Application Security Process (CLASP); and Software Fault Patterns (SFP) to ensure accuracy
  • Map weaknesses to the exact line(s) of offending source code
  • Have visual analytics of the status of triage of software weaknesses at any time
  • Merge duplicate results with customizable correlation logic
  • Carry over triage settings and comments from tools to further streamline the triage process
  • Check the vulnerability status of third-party libraries in the code base
  • Perform in-depth exploration of all of the results using the search filter capabilities
  • Upload data incrementally to choose which results to upload when
  • Generate CSV, XML and PDF reports
  • Use a browser-based user interface to assign, collaborate and track the entire remediation process
  • Integrate with JIRA issue trackers to associate Code Dx findings with JIRA issues and assign them to the development team for remediation
  • Use a REST API to automate build server integration to enable continuous assurance or a DevOps procedure already in-house
  • And ultimately, reduce the pain in application security testing, because one centralized console tells you exactly what you need to do and which problems are the most critical to solve, and provides status reports to anyone in your organization at any time

Code Dx can also help you answer these questions now:

  • Which software weaknesses are noise, and which are most important?
  • What weakness categories are most common, or most severe?
  • Which weaknesses have been found by multiple tools, increasing confidence that these weaknesses are a priority?
  • Where in the source code were weaknesses found?
  • What is the current status of each code weakness?
  • Is it assigned for remediation, a false positive, escalated or fixed?
  • Which weaknesses are new since the previous analysis?
  • How well does your application play with all of the components needed to support it?
  • When your application is running, do any serious vulnerabilities appear because of an incorrectly configured server or other hardware?
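The feature list above and the questions it answers (combining tool output on a common severity scale, merging duplicates by correlation, ranking weaknesses reported by multiple tools higher, and flagging what is new since the previous analysis) amount to one aggregation pipeline. The following is an added illustration of that pipeline, not Code Dx’s own code: the two tool outputs, the severity mapping and the file names are all constructed for the example.

```python
"""Added example: normalize, correlate and diff SAST findings from two hypothetical tools."""

# Constructed sample output from two hypothetical tools, each using its own severity vocabulary.
TOOL_A = [  # tool "a" reports severities as words
    {"tool": "a", "file": "login.py", "line": 42, "cwe": 89, "severity": "High"},
    {"tool": "a", "file": "views.py", "line": 10, "cwe": 79, "severity": "Medium"},
]
TOOL_B = [  # tool "b" reports severities as integers 1-5
    {"tool": "b", "file": "login.py", "line": 42, "cwe": 89, "severity": 5},
    {"tool": "b", "file": "util.py", "line": 7, "cwe": 798, "severity": 2},
]

# Assumed mapping of each tool's vocabulary onto one common 1-5 scale.
SEVERITY_MAP = {"a": {"Low": 1, "Medium": 3, "High": 5}, "b": {n: n for n in range(1, 6)}}


def normalize(findings):
    """Rewrite every finding's severity onto the common scale."""
    return [dict(f, severity=SEVERITY_MAP[f["tool"]][f["severity"]]) for f in findings]


def correlate(findings):
    """Merge findings that share (file, line, CWE); keep the highest severity and the set of reporting tools."""
    merged = {}
    for f in findings:
        key = (f["file"], f["line"], f["cwe"])
        m = merged.setdefault(key, {"file": f["file"], "line": f["line"],
                                    "cwe": f["cwe"], "severity": 0, "tools": set()})
        m["severity"] = max(m["severity"], f["severity"])
        m["tools"].add(f["tool"])
    return merged


def prioritize(merged):
    """Order by severity, then by how many tools agree (more tools = higher confidence)."""
    return sorted(merged.values(),
                  key=lambda m: (-m["severity"], -len(m["tools"]), m["file"], m["line"]))


def new_since(current, previous_keys):
    """Findings whose (file, line, CWE) key was not present in the previous analysis."""
    return [m for k, m in current.items() if k not in previous_keys]


if __name__ == "__main__":
    merged = correlate(normalize(TOOL_A + TOOL_B))
    for m in prioritize(merged):
        print(m["file"], m["line"], "CWE-%d" % m["cwe"], m["severity"], sorted(m["tools"]))
```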

You can have Code Dx up and running in about 10 minutes. A browser-based application installed locally, Code Dx runs on Windows, Macintosh, Linux, and all modern browser clients. You can download a trial and check it out for yourself.