As the pace and complexity of software development increases, organizations are looking for ways to improve the performance and effectiveness of their application security testing, including “shifting left” by integrating security testing directly into developer tools and workflows. This makes a lot of sense. Defects, including security defects, can often be addressed faster and more cost-effectively if they are caught early. Issues found during downstream testing or in production result in costly and disruptive rework.
But most developers aren’t security experts, and tools that are optimized for the needs of the security team can be too complex and disruptive to be embraced by developers. To make matters worse, these solutions often require developers to leave their interactive development environment (IDE) to analyze issues and determine potential fixes. All this tool and context-switching kills developer productivity, so even though teams recognize the upside of checking their code and open source dependencies for security issues, they avoid using the security tools they’ve been given due to the downside of decreased productivity.
Introducing Code Sight Standard Edition
In response to these problems, Synopsys developed Code Sight™ and today, we’re proud to announce the availability of Code Sight Standard Edition (SE). Code Sight SE is a standalone version of the Code Sight IDE plug-in that works independently of application security testing (AST) tools like Coverity® and Black Duck®, which are incorporated into continuous integration (CI) build and test workflows. Code Sight SE provides fast, lightweight application security analysis of source code and open source dependencies in the IDE using integrated Rapid Scan Static and Rapid Scan SCA. Developers don’t need to be security experts; Code Sight SE gives them easy-to-understand defect descriptions as well as severity data and remediation guidance so they can fix defects as quickly as possible. It’s optimized to perform security analysis scans on large files and projects in seconds, with minimal system impact. And while developers don’t need to deploy a centralized static application security testing (SAST) or software composition analysis (SCA) solution to use it, Code Sight SE will help teams get more out of central analysis when used in conjunction with tools like Coverity and Black Duck (as well as tools from other vendors).
Code Sight SE is an IDE-based application security solution that helps developers find and fix security issues as they code, without switching tools or interrupting their workflow."
|
Optimizing security analysis for the needs of developers
Code Sight SE is easy to use and helps developers write better, more secure code. It also helps them avoid rework, increasing their productivity. With an intuitive IDE extension user interface, Code Sight SE installation takes only a few minutes, so developers can get to work scanning and fixing code quickly. The auto-scanning feature ensures that alerts are delivered every time files are opened, saved, or edited. Code Sight SE also helps developers write better code by alerting them to issues in source code, open source dependencies, API calls, cryptography, infrastructure-as-code (IaC), and more. And it delivers clear and precise remediation guidance directly in the IDE, so developers can fix issues before checking in code.
Finding security defects in source code
Developers need a static analysis tool that is easy to use, doesn’t throw distracting false positives, and provides guidance to fix issues quickly. Code Sight SE’s integrated Rapid Scan Static analysis does all this. It automatically scans and analyzes source code and IaC files as developers work. Code Sight SE checks for security vulnerabilities, API safety issues, and hard-coded secrets in IaC source code templates and configuration files.
When Code Sight SE detects an issue, it’s highlighted directly in the editor window for easy identification. Hovering over a highlighted line of code displays details including issue description and remediation guidance. Developers never have to leave the IDE; Code Sight SE provides detailed guidance to speed remediation, and many issues can be fixed automatically.
Figure 1: SAST issues detected by Code Sight SE’s integrated Rapid Scan Static analysis are highlighted in the editor window.
Figure 2: Hovering over a line of code displays more details including issue description and remediation guidance.
Identifying vulnerable open source dependencies
Code Sight SE doesn’t just scan the code your developers write. It also provides Rapid Scan SCA, a fast software composition analysis engine that enables developers to run frequent scans to identify vulnerabilities in direct and transitive open source dependencies. When developers run a scan, they can view the vulnerability description and the ID (CVE and/or Black Duck Security Advisory) directly in the IDE. They also have access to severity information based on CVSS score, so they can quickly prioritize which issues to fix first. And as with Rapid Scan Static, Rapid Scan SCA offers remediation guidance to help developers select the next available vulnerability-free or lower-risk version of the component.
Figure 3: Code Sight SE’s integrated Rapid Scan SCA results are highlighted in the editor window.
Figure 4: The vulnerability description and ID (CVE and/or Black Duck Security Advisory) can be viewed directly in the IDE.
The integration of SAST and SCA in the IDE is what makes Code Sight SE unique and powerful. Let’s face it: As a developer, you want to ensure your software is both secure and bug-free. It doesn’t matter whether a security vulnerability is in your code or in an open source dependency. Either way, you need to fix it. Using one tool to analyze your code and a separate tool to look at open source is a pain. With Code Sight SE, you can address security holistically across the entire application codebase.
Code Sight SE is available for the Visual Studio Code IDE with support for Java, JavaScript, and TypeScript. Supported package managers include Maven and npm, and supported IaC platforms and file formats include AWS CloudFormation, ELK, Helm, Kubernetes, and Terraform. File formats supported include HCL (Terraform), HTML, JSON, JSX, Properties, TOML, TSX, Vue, XML, and YAML. Additional language and IDE support is available when using the Code Sight IDE plug-in for Coverity SAST or Black Duck SCA.
Continue Reading
Introducing fAST Dynamic: Streamlining dynamic application security testing
Mar 19, 2024 / 3 min read
