You no doubt know the phrase, “if you don’t have anything nice to say, don’t say anything at all.” A better take on this idea might be: “if you don’t have anything helpful to say, don’t say anything at all.” In other words, pointing out problems is not necessarily a bad thing. But simply pointing out problems without offering guidance on solving them adds little value.
You could apply this wisdom to many domains of life. But let’s consider it within the context of software security scanning. After all, if you’re reading this blog, chances are you’re interested in development or security.
The point I’d like to make is this: security scanning tools that simply find problems, but do little or nothing to help you solve them, don’t really enhance software security in a meaningful way. For security scanning to be worth the time and effort, you need tools that not only point out the problems within your code, but also provide meaningful guidance on resolving them.
What All Security Scanning Tools Do
To illustrate this point, let’s start out by discussing what any code scanning tool worth its name does: it scans source code and identifies what it thinks are potential security or quality problems within the code.
Different tools may have different deployment processes and different algorithms for identifying issues within code. But at the end of the day, they all perform the same core function.
What Good Security Scanning Tools Do
Now, let’s talk about what a good security scanning tool does.
Like all scanning tools, it scans your code for potential quality and security issues. But a good scanning tool does more than that. It also helps you assess, prioritize, and fix the issues.
It may do this in a variety of ways. One is determining which specific part of your source code contains the vulnerability and assessing how likely it is that the affected code will be called, whether by end users or by attackers who create a customizable query intended to exploit the vulnerability. This data helps you determine how much priority to assign to a vulnerability.
Good scanning tools can also help you find the exploitable path of a vulnerability. The exploitable path helps you determine which parts of your source code you must change in order to resolve the vulnerability. This insight makes it faster and easier to remediate the problem. It also helps ensure that you fix the problem completely, rather than overlooking some places where it lingers within your codebase.
A good scanning tool will also automate the process of determining which versions of an upstream library or other application component are affected by a vulnerability. Just because a vulnerability exists in a library doesn’t mean it exists in the specific version you are using. A code scanner that merely tells you “this library has a known vulnerability” won’t do much good if it can’t confirm whether your version of the library is impacted.
Make Software Security Better, Not Worse
Arguably, code scanners that merely tell you that problems might exist, while doing little to help you take action to fix them, hinder rather than help overall application security.
If your scanner generates a bunch of alerts without providing data about how exploitable each issue is within your specific configuration, you end up with a lot of noise. You risk drowning in cybersecurity alerts, unable to find the critical issues so that you can focus on fixing them before attackers exploit them.
Tools that simply generate alerts without providing informational scan results are also likely to produce false positives and false negatives because they lack the enriched contextual data to identify vulnerabilities with complete accuracy.
Improving Security Scanning with Checkmarx
Checkmarx’s Software Composition Analysis (SCA) and Application Security Testing (AST) tools do more than just tell you that you may have a security problem. They help you understand the exact nature of the problem, assign it a priority level, and determine the most efficient method for remediating it. They help developers, regardless of their security background or level of expertise, take meaningful action to fix security issues within their code fast.
To see Checkmarx in action, request a live demo.
Chris Tozzi has worked as a journalist and Linux systems administrator. He has particular interests in open source, agile infrastructure, and networking. He is Senior Editor of content and a DevOps Analyst at Fixate IO. His latest book, For Fun and Profit: A History of the Free and Open Source Software Revolution, was published in 2017.