In this blog, we’ll go over how you can find security vulnerabilities in your source code, then dive into several open-source tools you can use in your code base. We’ll also highlight some limitations of security vulnerability testing so that you can stay on top of best practices.
With the recent increase in high-profile cyber threats over the past few years, cybersecurity has become a bit of a trend in technology as of late, even for those outside of the security/technology industry. The growing interconnectivity of devices and systems, as well as the availability and evolving sophistication of technology, means actors from all sides of the equation are adapting quickly.
Finding and fixing security vulnerabilities in the source code is an obvious way to improve the security posture of an organization. It means that vulnerabilities are nullified right at the source before any code is merged and pushed to the outside world and has the potential to cause issues. But this can be hard to achieve, especially in large organizations with teams with varying functions, and hundreds if not thousands of projects.
Why is finding security vulnerabilities in source code so desirable?
You will have probably heard of the term “shifting left” at some point in your career. Shifting left refers to the practice of addressing and integrating activities related to quality, security, and testing earlier in the software development lifecycle (SDLC). Traditionally, these activities were performed later in the development process, closer to the deployment or release phase. Moving these activities earlier in the SDLC aims to identify and address issues as early as possible, reducing the cost and impact of fixing them later in the process or in production.
The idea of shifting left has been around for a while since Larry Smith coined it in 2001. But it’s notoriously hard to implement, as it not only encompasses the tools and systems of a software engineering team, but the culture and day-to-day practice. Cyber-security expert Alex Kreilein (VP of Security at Qualys, and ex-Microsoft) has stated:
“To realize the promise of the Shift Left unicorn, security must become an integrated and habitual part of all software development through behavioral and cultural shifts that prioritize security throughout the software development lifecycle.”
While it’s easier said than done, finding security vulnerabilities in the source code is one of the ways organizations can improve software quality, increase time-to-market, and reduce costs.
Finding security vulnerabilities in source code
- Static application security testing (SAST): Your teams can use automated tools to automatically detect potential security weaknesses, code quality issues, and possible exploit vectors in your codebase. These tools can scan the source code for common security flaws, such as SQL injection, cross-site scripting (XSS), buffer overflow, and more.
- Software composition analysis (SCA): SCA tools help you stay informed about known vulnerabilities present in third-party libraries and dependencies. You can then upgrade to the most secure packages when new vulnerabilities are announced.
- Secret scanning: There are many open-source tools available that scan not just your source code, but your entire codebase, commit history and configuration files for sensitive information like hard-coded API keys, access tokens, and plain-text passwords.
- Dynamic application security testing (DAST): DAST tools assess the security of web applications and APIs. DAST tools work by dynamically scanning an application while it is running and interacting with it, just like a real user would, to identify potential security vulnerabilities and weaknesses.
- SBOM and Supply Chain: An SBOM (Software Bill of Materials) or supply chain tool in software development helps manage and track the components and dependencies used in a software project. It provides visibility into the software supply chain, which includes both direct and indirect dependencies, libraries, frameworks, and other components used in the development process.
- Secure Coding Guidelines: Ensure that developers follow secure coding practices from the beginning. Define and enforce coding standards that include security requirements. Regularly train developers on secure coding principles to reduce the introduction of vulnerabilities.
- Security Community: Engage with the broader security community to leverage their expertise. Participate in bug bounty programs or hire third-party security experts for external code reviews. Collaborating with others can help identify vulnerabilities that might have been missed internally.
List of open-source tools
- Bandit (SAST tool): Bandit is a tool designed to find common security issues in Python code. It processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files, it generates a report.
- OSV (SCA tool): OSV-Scanner can be used to find existing vulnerabilities affecting your project's dependencies. OSV-Scanner provides an officially supported frontend to the OSV database that connects a project’s list of dependencies with the vulnerabilities that affect them.
- TruffleHog (Secrets scanning tool): TruffleHog actively scans your environment for leaked keys to make sure you don’t become the next headline.
- OWASP ZAP (DAST tool): OWASP ZAP is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers. It is one of the most active Open Web Application Security Project projects and has been given Flagship status.
- Syft (SBOM tool): Syft is a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems.
Limitations of the open source tools
- Manual process: It’s not ideal to have to manually add each scanning to each repository in your organization. This can lead to further trouble when it comes to updates to the tools; when new repositories are created; and other organization-specific situations.
- Limited language support: Open source code scanning tools are language-specific. Bandit, for example, is primarily designed for Python.
- Lack of contextual understanding: Code scanning tools analyze code in isolation, without a complete understanding of the broader application architecture, business logic, or runtime context. As a result, they may not be able to accurately assess the severity or impact of reported vulnerabilities, leading to false positives and even the overlooking of critical issues.
- Limited coverage: While open-source code scanning tools aim to cover a wide range of vulnerabilities, they may not catch all possible security flaws. New or uncommon types of vulnerabilities may not be well-supported or may not have been discovered and incorporated into the tool's rule set yet.
- Limited code execution: Static code scanning tools like Bandit analyze code without executing it. This means they may not be able to detect certain vulnerabilities that can only be identified through dynamic analysis or by simulating specific runtime conditions.
Finding and fixing security vulnerabilities
Some solutions aggregate all the key open-source AI tools that have been tried and tested (including the ones listed in this blog) so that developers can harness all of their individual powers in one app. Not only can you use solutions like these to find vulnerabilities, but some solutions use AI to suggest fixes to the issues it finds. Currently, Nullify is the leading GitHub app that does this.
Security teams and developers can install one Github app, and instantly have access to all the features available through open-source tools. Because Nullify orchestrates existing tools, it has more capability than other solutions that only perform specific tests. Nullify gives security and developer teams access to the whole suite of tests currently available, and it’s free for all public repositories.
In conclusion, finding and addressing security vulnerabilities in source code is crucial for improving the overall security of organizations and their software projects. Shifting security activities left in the software development lifecycle can help identify and mitigate issues earlier, reducing costs and potential impacts.
However, it’s important to consider that security is an ongoing process, and finding vulnerabilities is just the first step. Once vulnerabilities are identified, they need to be addressed promptly by implementing appropriate fixes and applying security patches. Regular code audits and security testing should be part of the development lifecycle to ensure continuous improvement and protection against emerging threats.
Overall, a proactive approach to identifying and addressing security vulnerabilities in source code is essential in today's threat landscape, promoting secure software development practices and protecting organizations from potential cyber threats.