SAST in Secure SDLC: 3 Reasons to Integrate It in a DevSecOps Pipeline

Vulnerabilities produce enormous reputational and financial risks. As a result, many companies take security seriously and want to build a secure software development life cycle (SSDLC). So, today we're going to discuss SAST, one of the SSDLC components.

SAST (static application security testing) searches for security defects in application source code. SAST examines the code for potential vulnerabilities — possible SQL injections, XSS, SSRF, data encryption issues, etc. These vulnerabilities are included in OWASP Top 10, CWE Top 25, and other lists.

Enabling High-Quality Code in .NET

Introduction to Code Quality

When we talk about code quality, we can think of different aspects of it. We mainly refer to the attributes and characteristics of code. While there is no widely adopted definition of high-quality code, we know some of the characteristics of good code:

  • It is clean.
  • It is free of code smells.
  • It is consistent.
  • It is functional: it does what we say it does.
  • It is easy to understand.
  • It is efficient.
  • It is testable.
  • It is easy to maintain.
  • It is well documented.

There are probably additional characteristics of good code, but these are the core of the high-quality code.

Static Analysis with ESLint and LWC

As we learned in our last post, static analysis is useful in various situations, whether that's keeping a codebase consistent, catching potential performance issues, or rewriting code to be more idiomatic. In our previous post, we used PMD to analyze Apex code. In this post, however, we'll consider how to analyze another Salesforce programming environment: Lightning Web Components.

Salesforce developed Lightning Web Components (LWC) as a fast, enterprise-grade wrapper around vanilla web components. LWC is built on the same HTML, CSS, and JavaScript that powers the web, so any analyzer for those languages can be applied here.

Writing Clean and Consistent Code with Static Analysis using PMD and Apex

One of the key requirements to developing good, maintainable software is to ensure that it works under a variety of conditions. This is typically done by automating a suite of tests on the various features and code paths your application can take. While unit tests are excellent for making sure that your application technically runs, there’s another category of verification which ensures that your application has no other detectable issues: static analysis.

Static analysis is a method of analyzing your code without executing it. If you’ve ever worked with a compiled language like Kotlin, the compiler implements one form of static analysis by ensuring that your program adheres to the grammatical rules of the language. For example, if you call a function but forget to pass in required arguments, a static analyzer alerts you to this error before you compile your application. This is in contrast to an interpreted language such as JavaScript, in which the error would occur when executing the code because there’s no compiler to anticipate the issue.

Virtual Function Calls in Constructors and Destructors (C++)

In different programming languages, the behavior of virtual functions differs when it comes to constructors and destructors. Incorrect use of virtual functions there is a classic mistake, and developers make it often. In this article, we'll discuss some of these classic mistakes.

Theory

I suppose the reader is familiar with virtual functions in C++. Let's get straight to the point. When we call a virtual function in a constructor, the override that runs is the one defined in the base class or in the class currently being constructed. Constructors of the derived classes have not yet been called, so the virtual functions implemented in those derived classes will not be called.

All Hail Bug Reports: How We Reduced the Analysis Time of the User’s Project From 80 to 4 Hours

People often see work in support as something negative. Today we'll look at it from a different perspective. This article is about a real exchange of 100+ messages, exceptions, and an analysis that didn't complete in three days.

Actually, bug reports are great. If a bug report is adequately handled from both sides, it means that both the user and the software developer are interested in solving the problem. If both sides achieve the desired result, it's a win-win situation.

OWASP Top Ten and Software Composition Analysis (SCA)

One of the priority areas for PVS-Studio development is to cover categories from the OWASP Top Ten 2017 in the C# analyzer. We also plan to cover the Top Ten 2021 in the future. The most unusual for us is the A9:2017 category: Using Components with Known Vulnerabilities. This category has the A6 position in the preliminary version of OWASP 2021. The rule implementation for this category is an important task for our analyzer. It allows us to classify PVS-Studio as an SCA (Software Composition Analysis) tool. Which approach to implementation should we choose? Let's figure it out!

Using Components With Known Vulnerabilities

The A9 threat category (which turned into A6 in the preliminary OWASP 2021 version) is dedicated to using components with known vulnerabilities. These are the components that have the corresponding entries in the CVE database. CVE (Common Vulnerabilities and Exposures) is a database of records about real-life vulnerabilities in software, hardware, service components, etc.

Why You Need the MISRA Compliance Report and How to Generate One in PVS-Studio

If you are strongly interested in MISRA and would like to understand whether your project meets one of the MISRA association's standards, there is a solution. Its name is MISRA Compliance. PVS-Studio has recently learned how to generate the MISRA Compliance report. This article describes how you can use this feature, potentially making somebody's life better.

What Is MISRA Compliance?

MISRA Compliance is a standard that lets you determine whether your project conforms to the MISRA C/C++ standards, including how its deviations and re-categorizations are documented. MISRA Compliance can be applied to all MISRA association standards, but in this article, we'll review its use with the MISRA C 2012 standard.

Intermodular Analysis of C++ Projects in PVS-Studio

Why would we need intermodular analysis? How does the analyzer benefit from it? Normally, our tool checks only one source file at a time. The analyzer doesn't know about the contents of other project files. Intermodular analysis allows us to provide the analyzer with information about the entire project structure. This way, the analysis becomes more accurate and thorough. This approach is similar to Link Time Optimization (LTO). For example, the analyzer can learn about the behavior of a function from another project file and issue a warning, such as a dereference of a null pointer that was passed as an argument to an external function.

Implementation of intermodular analysis is a challenging task. Why? To find out the answer to this question, let's first dig into the structure of C++ projects.

Apache Kafka’s Code Under the Scanner

Apache Kafka is an open-source distributed event streaming platform built for data-driven apps that need real-time handling of data. Kafka was open-sourced by LinkedIn in 2011. Its use cases are endless, and it's used by thousands of companies for various operations that process real-time data. Kafka provides several APIs to process data streams in real time with low latency and high throughput. It's used at major companies like Airbnb, Netflix, LinkedIn, etc. It lets applications publish (write), subscribe to (read), store, and process streams of events for whatever operations the application's use case requires. It uses a binary protocol over TCP for communication. Since it is open source, licensed under Apache License 2.0, we can examine the code further to explore the inner workings and structure of Apache Kafka with the free static code analyser tool Embold.

The results are surprisingly interesting.

OWASP, Vulnerabilities, and Taint Analysis in PVS-Studio for C#. Stir, but Don’t Shake

We continue to develop PVS-Studio as a SAST solution. Thus, one of our major goals is expanding OWASP coverage. You might ask, what's the use when there's no taint analysis? That's exactly what we thought - and decided to implement taint analysis in the C# analyzer. Curious about what we accomplished? Read on!

Note. This article briefly touches upon the topics of SQL injections and working with SQL in C#. This theory serves as context. For in-depth information on these topics, do additional research.

Scanning for Secrets in Source Code

[Image: meme of a woman starting to fall asleep before her brain tells her, "You committed the API Keys to a public repo." Image is sourced from DZone's Twitter.]

As a developer, I admit that I've committed secrets to public GitHub repositories before. Hardcoded secrets have always been a problem in organizations and are one of the first things I look for during a penetration test. When developers write secrets such as passwords and API keys directly into source code, these secrets can make their way to public repositories or application packages, then into an attacker's hands.

Common Python Security Pitfalls and How to Avoid Them

Introduction

Python is undoubtedly a popular language. It consistently ranks among the most popular and most loved languages year after year. That's not hard to explain, considering how fluent and expressive it is. Its pseudocode-like syntax makes it extremely easy for beginners to pick it up as their first language, while its vast library of packages (including giants like Django and TensorFlow) ensures that it scales up for any task required of it.

Being such a widely-used language makes Python a very attractive target for malicious hackers. Let's see a few simple ways to secure your Python apps and keep the black-hats at bay.

What Happened When PVS-Studio Checked ELKI in January

If you feel like the New Year just came, and you missed the first half of January, then all this time you've been busy looking for tricky bugs in the code you maintain. It also means that our article is what you need. PVS-Studio has checked the ELKI open source project to show you errors that may occur in the code, how cunningly they can hide there, and how you can deal with them.

What Kind of Library Is ELKI?

The abbreviation ELKI stands for Environment for DeveLoping KDD-Applications Supported by Index-Structures. This project is written in Java and is designed for data mining. Most users of this library are students, researchers, data scientists, and software engineers. No wonder, since this library was developed for research only.

Best Ruby Practices Beginners Should Know

Python’s dominance is never really questioned when it comes to the best for programming novices because it checks almost every box that defines a simple language. It’s remarkably easy to pick up and can rise to any challenge. But what about Ruby?

Although it does not get enough credit for being one, Ruby is an awesome language for beginners. It provides powerful constructs (like blocks) and versatile concepts (like message passing à la Smalltalk) but retains Python’s fluid and elegant English-like syntax. In fact, in many cases, one might argue that the unique design choices that went into the Ruby syntax beat even Python in terms of readability and expressiveness. If you’re getting into programming, it’s very easy to recommend that you start with Ruby.

Shifting Left: A Penetration Tester’s Journey to the Code Analysis Camp

Most of you know me as an offensive security gal. The fact that I decided to join a SAST team frankly surprised me, as well. Now that I have officially started my job at ShiftLeft, I am taking this moment to reflect on how I got here and how I see the future of application security.

Confessions of a Newbie Web Developer

I started my career as a web developer. And I absolutely loved it! I loved building tools that solve someone else’s problems. And there is no feeling like seeing your vision materialize right in front of your eyes.