Open Source Network Security delivers efficient, high-precision static application security testing: CodeSec

Recommended SAST tools from Security Cow

With the rapid development of science and technology, the sovereignty, integrity and security of cyberspace have become important factors affecting international relations. Competition between countries is gradually shifting from physical space to cyberspace, and domestic cybersecurity faces more and more risks and challenges.

According to data provided by Gartner, 75% of security attacks are caused by software vulnerabilities. Attack chains that exploit them bring major security risks to software systems tied to the national economy and people's livelihood. In addition, the prevalence of open source culture has greatly improved the efficiency of software development, but it has also increased potential risk: latent security holes in these open source components are likely to be exploited by attackers.

In the face of these threats, traditional software security detection based on penetration testing has proved to have far from sufficient vulnerability coverage; a penetration test performed just before the product goes online comes relatively late, and the cost of fixing the vulnerabilities it finds is too high. With requirements for both development efficiency and security rising, enterprises therefore face more severe challenges:

  • Rapid iteration in agile development shortens the development cycle and demands faster security detection response;

  • Many enterprises adopt hardening, firewalls, WAFs and other measures after the system goes online. These passive defenses can only block known security vulnerabilities and cannot defend against unknown ones, leaving huge software risk;

  • In the research and development stage there is no effective security detection method: effective detection tools are lacking, or existing tools cannot be used effectively.

Traditional software testing emphasizes shifting left, requiring unit testing and interface testing. Security vulnerabilities in code are defects too, and such security defects bring greater risk to enterprises than functional defects. Therefore, a Static Application Security Testing (SAST) tool needs to be introduced in the research and development stage so that code is tested iteratively as it is developed iteratively. Given the industry background and state of the technology described above, we release this issue of the Niupin Recommendation: Open Source Network Security's CodeSec code review platform.

Tags

Static application security testing tools;
code audit tools;
code audit;
source code scanning;
development security;

User pain points

At present, the SAST product market has matured: many security vendors have launched SAST detection tools, and a hundred flowers bloom and a hundred schools of thought contend. Users nevertheless still run into difficulties in using them, mainly in the following points:

  1. The false positive rate of SAST is high, so reviewing detected vulnerabilities takes a large amount of work; vulnerability descriptions are too specialized for developers to understand easily;
  2. No direct, code-level fixes are provided, so developers spend extra time finding a workable fix;
  3. Medium and large enterprises often need iterative testing of a large number of software projects and therefore need a highly concurrent, highly schedulable solution;
  4. SAST tools cannot be made consistent with the enterprise's existing process specifications;
  5. SAST tool integration is insufficient, and manual effort is needed to process the results.

Solution

Open Source Network Security's CodeSec code review platform is a new-generation static application security testing (SAST) solution, mainly used for software code security review and quality analysis. It provides vulnerability details and repair solutions, helping development and security teams detect and fix vulnerabilities early in the development phase, improve the security quality of software code and realize "security shift left", and it addresses each of the pain points above.

First, because of the limitations of static analysis technology, static analysis tools produce a certain percentage of false positives. To address this, CodeSec uses a self-developed core detection engine: where traditional tools mostly rely on data flow analysis alone, it adds function summaries, points-to analysis and other techniques to perform context-sensitive analysis, and so finds security defects and vulnerabilities that traditional detection tools cannot. At the same time, by analyzing what is common across users' software and further tuning the detection rules for it, false positives can be greatly reduced.
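To make the false-positive argument concrete, here is a constructed toy taint analysis (an added example, not CodeSec's engine or code): a context-insensitive data-flow pass keeps one taint fact per callee variable shared by every call site, so a clean value passed through the same helper as tainted input is flagged at the sink, while a per-call-site function summary reports only the real flow. The program, statement forms and function names are all made up for the illustration.

```python
# Constructed toy program: name -> (parameter names, statements). Forms: ("source", dst)
# tainted; ("const", dst) clean; ("assign", dst, src); ("call", dst, callee, arg); ("sink", var); ("return", var).
PROGRAM = {
    "wrap": (["x"], [("assign", "y", "x"), ("return", "y")]),  # identity helper
    "main": ([], [("source", "user"), ("const", "fixed"),
                  ("call", "a", "wrap", "user"),   # wrap(user)  -> tainted
                  ("call", "b", "wrap", "fixed"),  # wrap(fixed) -> clean
                  ("sink", "a"), ("sink", "b")]),  # the second sink is safe
}

def context_insensitive(program):
    # One taint fact per (function, var) shared by all call sites: once any caller passes
    # taint into wrap(), wrap's return value is tainted for every caller (false positive on b).
    tainted, grown = set(), True
    while grown:  # iterate to a fixpoint
        before = len(tainted)
        for fn, (_, stmts) in program.items():
            for st in stmts:
                if st[0] == "source" or (st[0] == "assign" and (fn, st[2]) in tainted):
                    tainted.add((fn, st[1]))
                elif st[0] == "call":
                    cparams, cstmts = program[st[2]]
                    if (fn, st[3]) in tainted:  # argument flows into the parameter
                        tainted.add((st[2], cparams[0]))
                    ret = next(s[1] for s in cstmts if s[0] == "return")
                    if (st[2], ret) in tainted:  # return value flows back to dst
                        tainted.add((fn, st[1]))
        grown = len(tainted) != before
    return [st[1] for st in program["main"][1] if st[0] == "sink" and ("main", st[1]) in tainted]

def summarize(program, callee):
    # Function summary: does the return value depend on the (single) parameter?
    params, stmts = program[callee]
    dep = {params[0]}
    for st in stmts:
        if st[0] == "assign" and st[2] in dep:
            dep.add(st[1])
        if st[0] == "return":
            return st[1] in dep
    return False

def context_sensitive(program):
    # Apply the callee's summary at each call site instead of merging all callers.
    tainted = set()
    for st in program["main"][1]:
        if st[0] == "source" or (st[0] == "assign" and st[2] in tainted):
            tainted.add(st[1])
        elif st[0] == "call" and st[3] in tainted and summarize(program, st[2]):
            tainted.add(st[1])
    return [st[1] for st in program["main"][1] if st[0] == "sink" and st[1] in tainted]
```

The insensitive pass reports both sinks; the summary-based pass reports only the sink fed by real user input.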


Secondly, on the basis of extensive research into CWE, OWASP and other vulnerability references, CodeSec's security experts rewrote the descriptions of security vulnerabilities to include the risk, mitigation measures, sample code, taint tracking, and location down to the code line. This description lets developers quickly understand where a vulnerability is introduced and where it is triggered, find the best place to fix it, and eliminate the risk. In addition, Open Source Network Security offers developers secure coding training and additional services such as interpretation of test reports and remote support, helping developers solve practical problems in secure development as far as possible.

Third, CodeSec provides code repair examples in the description of each vulnerability it detects and reports, allowing developers to fix vulnerabilities quickly. The CodeSec team is also researching automatic repair of security vulnerabilities and plans to launch a version that can repair them automatically in the near future, providing comprehensive support for code-level solutions.

Fourth, for concurrent detection requirements, CodeSec adopts a multi-process, multi-threaded approach: each detection task is analyzed in its own thread, and separate threads handle queries and audits, so multiple detection tasks can run concurrently. For users with higher concurrency requirements, a distributed deployment can be adopted.

Fifth, for compliance with the enterprise's own coding standards, CodeSec security experts compare the thousands of detection rules provided by the tool against the enterprise's own coding rules and customize rules where the tool does not yet cover them, meeting user requirements as far as possible and guaranteeing the continuity of the enterprise's business and standards.

Finally, for users who need the detection tool integrated with other tools, CodeSec integrates with Git, GitLab, GitHub, SVN, TFS, Perforce, Mercurial, Jira, ZenTao, Bugzilla, Eclipse, IDEA, VS Code, Visual Studio, Android Studio and other tools, which meets the requirements of most users.

Customer feedback

Open Source Network Security has deployed hundreds of CodeSec code review platforms for users in finance, communications, government, transportation, evaluation agencies and other sectors, and has built code review SaaS platforms in large enterprises with many projects and high concurrency requirements, helping companies avoid losses caused by application vulnerabilities. The following is user feedback from two typical cases:

  • A city’s information center:
    “The Open Source Network Security CodeSec code audit platform provides code audit services for several information systems in our city, and provides professional security training for information center technicians, helping them improve their software security capabilities; at the same time, the information center's security personnel use the CodeSec code review platform to conduct security scans on the source code of internal systems, which is convenient for daily security operations.”
  • A large basic software company:
    "The CodeSec code review platform advances the security control line, which greatly reduces the workload of security personnel. Source code security scanning covers hundreds of applications in our company, ensuring security before going online and greatly improving the security quality of the software. At the same time, it also meets users' requirements for the supplier's software security."

Security Cow review

"Code security" is the "root" of software security, and building security into the code itself is the lowest-cost security solution. Improving ease of use, raising the vulnerability detection rate, lowering the difficulty of fixing vulnerabilities, and making repair solutions feasible are severe challenges for static security tools; detection capability, management of the core vulnerability database, and the application of security rules are all aspects of this. How to reduce the cost of use for developers is another challenge for source code security tools.

The solution recommended by Niupin this time combines source code testing with a variety of commonly used development and project management processes, not limited to DevOps platform integration, which can make source code testing more widely used and improve the efficiency and quality of code development iteration. Another advantage of Open Source Network Security is that it breaks from the traditional testing method and combines multiple source-level testing capabilities.

Origin blog.csdn.net/GitChat/article/details/122559309