GitHub envisions a world with fewer software vulnerabilities

After five months in beta, the GitHub Code Scanning security feature has been made generally available to all users: for free for public repositories, as a paid option for private ones.

“So much of the world’s development happens on GitHub that security is not just an opportunity for us, but our responsibility. To secure software at scale, we need to make a base-level impact that can drive the most change; and that starts with the code,” Grey Baker, GitHub’s Senior Director of Product Management, told Help Net Security.

“Everything we’ve built previously was about responding to security incidents (dependency scanning, secret scanning, Dependabot) — reacting in real time, quickly. Our future state is about fundamentally preventing vulnerabilities from ever happening, by moving security core into the developer workflow.”

GitHub Code Scanning

The Code Scanning feature is powered by CodeQL, a powerful static analysis engine built by Semmle, which was acquired by GitHub in September 2019.

The engine can analyze code written in C, C++, C#, Java, JavaScript, TypeScript, Python and Go, but since the Code Scanning feature is built on the open SARIF standard, it can also work with third-party analysis engines available from the GitHub Marketplace.
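As an added example (not GitHub's or any vendor's code), the snippet below shows what the SARIF interchange mentioned above looks like in practice: it converts a hypothetical scanner's findings into a minimal SARIF 2.1.0 document of the kind a third-party engine would upload, and summarises the results by level the way a code scanning consumer would. The tool name, rule ids, file paths and findings are constructed sample data.

```python
"""Build a minimal SARIF 2.1.0 log from a third-party tool's findings and
summarise it by severity level. Added example, not GitHub's or any vendor's
code; the findings and file paths below are constructed sample data."""
import json

SARIF_VERSION = "2.1.0"
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
LEVELS = ("error", "warning", "note", "none")  # result levels SARIF allows

# Constructed findings, as a hypothetical scanner might emit them.
SAMPLE_FINDINGS = [
    {"rule": "sql-injection", "level": "error", "file": "app/db.py", "line": 42,
     "text": "User input reaches a SQL query without parameterisation."},
    {"rule": "weak-hash", "level": "warning", "file": "app/auth.py", "line": 17,
     "text": "MD5 used for password hashing."},
    {"rule": "unused-import", "level": "note", "file": "app/util.py", "line": 3,
     "text": "Import is never used."},
]


def to_sarif(tool_name, findings):
    """Convert tool findings into a SARIF 2.1.0 document with a single run."""
    rules = sorted({f["rule"] for f in findings})
    results = []
    for f in findings:
        if f["level"] not in LEVELS:
            raise ValueError(f"invalid SARIF level: {f['level']!r}")
        results.append({
            "ruleId": f["rule"],
            "level": f["level"],
            "message": {"text": f["text"]},
            # A physical location: file URI relative to the repo root plus a line.
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},
                "region": {"startLine": f["line"]}}}],
        })
    return {
        "version": SARIF_VERSION,
        "$schema": SARIF_SCHEMA,
        "runs": [{
            "tool": {"driver": {"name": tool_name,
                                "rules": [{"id": r} for r in rules]}},
            "results": results,
        }],
    }


def summarize(sarif_doc):
    """Count results per level across all runs. A result without a level is
    treated as 'warning', the default the SARIF spec prescribes."""
    counts = {lvl: 0 for lvl in LEVELS}
    for run in sarif_doc["runs"]:
        for result in run["results"]:
            counts[result.get("level", "warning")] += 1
    return counts


if __name__ == "__main__":
    doc = to_sarif("example-scanner", SAMPLE_FINDINGS)
    print(json.dumps(doc, indent=2))
    print(summarize(doc))
```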

“We want developers to be able to use their tools of choice, for any of their projects on GitHub, all within the native GitHub experience they love. We’ve partnered with more than a dozen open source and commercial security vendors to date and we’ll continue to integrate code scanning with other third-party vendors through GitHub Actions and Apps,” Baker noted.

GitHub Actions

Among the third parties that offer automated security scans via GitHub Actions are Checkmarx and DefenseCode.

“The major value add here is that developers can work, and stay within, the code development ecosystem to which they’re most accustomed while using their preferred scanning tools,” explained James Brotsos, Senior Solutions Engineer at Checkmarx.

“GitHub is an immensely popular resource for developers, so having something that ensures the security of code without hindering agility is critical. Our ability to automate SAST and SCA scans directly within GitHub repos simplifies workflows and removes tedious steps for the development cycle that can traditionally stand in the way of achieving DevSecOps.”

Checkmarx’s SCA (software composition analysis) helps developers discover and remedy vulnerabilities in the open source components included in an application, and prioritizes them by severity. Checkmarx SAST (static application security testing) scans proprietary code bases – even uncompiled – to detect new and existing vulnerabilities.

“This is all done in an automated fashion, so as soon as a pull request takes place, a scan is triggered, and results are embedded directly into GitHub. Together, these integrations paint a holistic picture of the entire application’s security posture to ensure all potential gaps are accounted for,” Brotsos added.

Leon Juranic, CTO at DefenseCode, said that they are very excited by this initiative, as it provides access to security analysis to more than 50 million GitHub users.

“Having the security analysis results displayed as code scanning alerts in GitHub provides a convenient way to triage and prioritize fixes, a process that could be cumbersome, usually requiring scrolling through many pages of exported reports, going back and forth between your code and the reported results, or reviewing them in dashboards provided by the security tool. The ease of use now means you can initiate scans, view, fix, and close alerts for potential vulnerabilities in your project’s code in an environment that is already familiar and where most of your other workflows are done,” he noted.

A week ago, GitHub also announced additional support for container scanning and standards and configuration scanning for infrastructure as code, with integration by 42Crunch, Accurics, Bridgecrew, Snyk, Aqua Security, and Anchore.

The benefits and future plans

“We expect code scanning to prevent thousands of vulnerabilities from ever existing, by catching them at code review time. We envisage a world with fewer software vulnerabilities because security review is an automated part of the developer workflow,” Baker explained.

“During the code scanning beta, developers fixed 72% of the security errors found by CodeQL and reported in the code scanning pull request experience. Achieving such a high fix rate is the result of years of research, as well as an integration that makes it easy to understand each result.”

Over 12,000 repositories tried code scanning during the beta, and another 7,000 have enabled it since it became generally available, he said, and the reception has been very positive, with many users highlighting valuable security finds.

“We’ll continue to iterate and focus on feedback from the community, including around access control and permissions, which are of high priority to our users,” he concluded.

How do I select an application security testing solution for my business?

Software-related issues continue to plague organizations of all sizes, so IT leaders are turning to application security testing tools for help. Since there are many types of programs available on the market, choosing one is not a straightforward process.

To select the perfect application security testing solution for your business, you need to think about an array of details. We’ve talked to several industry professionals to get insight to help you get started.

Leon Juranic, CTO, DefenseCode

Choosing the right application security testing solution for your business can be a daunting task for any organization. On the surface, they all appear to function similarly and provide a list of vulnerabilities as part of the results.

Prospective users need to look beyond the superficial and closely examine a couple of important factors and capabilities of any application security testing solutions. Clients should focus on True Positive and False Positive (low noise levels) rates to determine how usable a vendor’s product is in the real world.

Having to spend hours triaging the results to determine if they are real is an expensive overhead for any business; it undermines confidence in the results and also increases the workload of development teams unnecessarily, ultimately leading even to rejection of an AST product.

Secondly, understanding if your workflow can be supported is essential, otherwise, a standalone security product will never be used effectively by development teams. The best approach would be to invest upfront and evaluate a shortlist of vendors to determine if they are a good fit for your business.

Ferruh Mavituna, CEO, Invicti Security

The most important thing is getting real value from your solution in a short time. The goal of application security testing is to get measurable security improvements, not just find issues.

There is no point spending money on a solution that will take months to deploy and get the first results. When selecting your application security solution, time to value in the real world should be your #1 consideration.

Every organization is different, so for web application security, the only approach that works for all sorts of environments is dynamic application security testing. DAST tools scan web applications and APIs by finding vulnerabilities regardless of programming languages, frameworks, libraries, and so on, so it’s much easier to deploy. It doesn’t require the application to be in an active development pipeline and you don’t need to install anything on the server.

To get value from your DAST product, you need results that directly lead to security improvements. This requires accuracy, so the scanner finds all the vulnerabilities that you really have, but also confidence in your results, so you don’t waste time on false alarms. You get a list of real, actionable vulnerabilities and you can start fixing them. Then you can see real value from your investment in days, not months.

James Rabon, Director of Product Management, Micro Focus

During the software development lifecycle, there are several approaches that should be followed in order to maintain the speed needed to keep up with releases today. These approaches, which are crucial for any application security testing tool, are testing early, often and fast.

SAST identifies the root causes of security issues and helps remediate the underlying security flaws. An effective SAST tool identifies and eliminates vulnerabilities in source, binary, or byte code, allows you to review scan results in real-time with access to recommendations, line-of-code navigation to find vulnerabilities faster and enable collaborative auditing and is fully integrated with the popular Integrated Developer Environments.

DAST simulates attacks on a running web application. By integrating DAST tools into development, quality assurance and production, it can offer a continuous holistic view. A successful DAST tool offers an effective solution by quickly identifying risk in existing applications, automating dynamic application security testing of any technology, from development through production, validating vulnerabilities in running applications, prioritizing the most critical issues for root-cause analysis and streamlining the process of remediating vulnerabilities.

Successful tools should be flexible to modern deployment by being available both on-premise and as a service.

Richard Rogerson, Managing Partner, Packetlabs

Application security testing solutions can be delivered in various ways including as a tool/technology or as a professional service. Automation alone is often not enough because it misses critical areas of applications including business logic, authorization, identity management and several others. This is why professional services are the most comprehensive approach.

  • Qualifications: Successful consulting engagements have long relied on experience, but it’s difficult to assess experience before selecting a solution which is why certifications are often the best method to ensure a baseline level of knowledge or practical experience. Certifications to ask for include: GWAPT, GXPN, GPEN, OSWE, OSCE, OSCP.
  • Methodology: Having a methodical approach to assessing applications is important as it plays heavily into the consistency and thoroughness of the assessment. There are several open-source and industry-standard testing methodologies including the OWASP Testing Methodology, NIST, PTES, ISSAF and OSSTMM. It is also important to review a checklist of all potential vulnerabilities that your application will be tested for and for this – transparency is key.
  • Technology: Technology is important in reducing effort requirements and maximizing code coverage. Technologies include DAST, SAST, and IAST. DAST, or dynamic application security testing, is the most common. It evaluates your applications while they’re running over the HTTP protocol. SAST, or static application security testing, evaluates applications at the line-of-code level. IAST, or interactive application security testing, is an evolving technology that combines both approaches. Tools used must include both automated and manual testing capabilities to help the consultant evaluate vulnerabilities directly from the HTTP request or line of code.
  • Reporting: The deliverable of an assessment is a report. When evaluating solutions, it is worthwhile to review sample reports and ensure they meet your requirements and offer sufficient information to understand the discovered findings, and more importantly how to fix them.

Dr. Thomas P. Scanlon, Data Science Technical Manager, CERT Division, Software Engineering Institute, Carnegie Mellon University

There is no universal, best tool for application security testing (AST). The most appropriate tool for one business environment may not be as suitable for another. When selecting an AST solution for a business, four of the most pertinent factors are budget, technology stack, source code availability, and use of open-source components.

  • Budget – There are many quality open-source AST tools available for little or no cost. Commercial tools typically have more features and capabilities, so they are worth the investment if they fit the budget. A wise approach is to use an open-source tool first to gain domain experience, then shop and compare commercial tools.
  • Technology stack – Large commercial AST tools support multiple programming languages, which may save costs when a business uses many technologies. Some smaller AST tools support only one or two languages but provide much deeper coverage, often best if you only need to support those languages.
  • Source code availability – If the applications are developed in-house or the developer provides application source code, testing should use static code analysis tools. Without source code, testing should use dynamic analysis tools.
  • Use of open-source components – If the application was developed with many third-party, open-source components, a software composition analysis (SCA) tool is a must. SCA tools detect the versions of all such components in use and list all their known vulnerabilities and, often, mitigations.

Susan St. Clair, Senior Cybersecurity Strategist, Checkmarx

Applications are what drive the vast majority of organizations today, so keeping them secure really means keeping your broader business and customers secure. However, before diving head-first into adopting a new AST solution, it’s important to look at what you already have in place.

Do you have established AppSec security policies or a standard that you’d like to adopt? Do you have an established CI/CD process? Are you already using SAST and looking to add more advanced tools like IAST and SCA into the mix? How closely do your AppSec, DevOps, and development teams work together? What are your developers hoping to get out of an AST tool? How about your AppSec team? Having a solid understanding of where you stand in your AST journey is just as important as the solution(s) you use.

At a minimum, ensure that the tools you choose:

  • Work with DevOps to automatically trigger security scans and reduce remediation cycles
  • Seamlessly integrate into your DevSecOps and CI/CD pipelines
  • Are compatible with the framework and databases you’re already working with
  • Offer a one-stop shop model so you can get SAST, IAST, SCA, etc. all in one place without needing to mix-and-match across vendors, ultimately reducing TCO

Making AST a priority can set your organization apart, not only in your ability to build better, more secure applications and code, but also by letting your customers know that you place the utmost importance on delivering an end product they can feel confident in using.

New infosec products of the week: April 24, 2020

Trustwave Security Colony delivers resources, playbooks and expertise to bolster security posture

Trustwave Security Colony is based on thousands of hours of actual consulting projects helping organizations implement new information security programs and heightening levels of security maturity. The platform is available to any organization as a standalone resource or can be tied to existing Trustwave Consulting and Professional Services.

Amazon AppFlow automates bidirectional data flows between AWS and SaaS apps

Amazon AppFlow allows customers with diverse technical skills, including CRM administrators and BI specialists, to easily configure private, bidirectional data flows between AWS services and SaaS applications without writing code or performing data transformation.

DefenseCode ThunderScan SAST 2.1.0 supports Go and ABAP languages

DefenseCode announced support for two additional programming languages, Go and ABAP, in its SAST solution ThunderScan 2.1.0, which is designed to highlight security vulnerabilities in source code against published standards including PCI-DSS, CWE/SANS Top 25 and OWASP Top 10, along with DefenseCode’s own experience in security vulnerability analysis.

Claroty Platform: Enhanced continuous threat detection and secure remote access

The Claroty Platform leverages protocol coverage, scanning, segmentation, and secure remote access capabilities to grant visibility across all three OT dimensions critical to risk reduction: assets, network sessions, and processes.

DefenseCode ThunderScan SAST 2.1.0 supports Go and ABAP languages

DefenseCode announced support for two additional programming languages, Go and ABAP, in its Static Application Security Testing (SAST) solution ThunderScan 2.1.0, which is designed to highlight security vulnerabilities in source code against published standards including PCI-DSS, CWE/SANS Top 25 and OWASP Top 10, along with DefenseCode’s own experience in security vulnerability analysis.

With the new additions of Go and ABAP, the native language parsing capability of ThunderScan now supports the security analysis of 27 programming languages.

“With our ongoing approach of native language support and analysis to ensure that false positives/negatives are minimized, making sure that the results are accurate and actionable,” said Leon Juranic, CTO, DefenseCode.

Go is widely considered an innovation among conservative programming languages, constantly ranking among the top 5 language skills that are ‘most in demand’.

The need to support ABAP has been driven by growing requirements shared with DefenseCode to create a state-of-the-art parser, given that many business-critical systems are based on SAP’s ABAP.

ThunderScan release 2.1.0 is available from April 20, 2020.