Agile & DevOps
Security Reviewer integrates security pragmatically into Agile practices and DevOps, to drive developer ownership and empowerment, to automate security compliance, and to ensure defensible and trustworthy DevOps pipelines.
In the classic Waterfall methodology, each stage is completed before proceeding to the next. Security Reviewer Suite supports the implementation, testing, and maintenance stages.
The goal is to organically integrate the security assessment of software into both the Waterfall and DevOps software development workflows.
The continuous assurance model also fits the DevOps model as part of the Verify phase, adding software assurance and security to the DevOps functional testing process.
Automation
Development teams can use Security Reviewer to automate static analysis wherever it’s most convenient for them in the SDLC.
Some developers find static analysis distracting and invasive. Others grow frustrated with the inaccuracy of SAST, which causes them to waste time separating false positives from true positives. To make SAST an integral part of the software development life cycle (SDLC), it must support developers and their goals.
While some teams prefer to find security vulnerabilities and quality defects in their IDE as they write code, others prefer to automate static analysis in their CI/CD pipelines. Development teams can choose any combination of these integrations, so they can decide the best approach to securing their SDLC on a per-project basis.
By automating static analysis in the IDE or CI/CD pipeline, Security Reviewer reduces the time it takes to debug code. The tools described above meet three crucial requirements to help development teams find and fix security weaknesses quickly:
They can be automated and integrated into developer workflows without disrupting day-to-day activities.
They present accurate results in a non-invasive, intuitive way.
They offer actionable remediation guidance and developer education.
DevOps in practice
Our DevOps Infrastructure Requirements
Our Static Reviewer DevOps CI/CD Integration
Our Involvement
We participate in the Agile Alliance 'Managing Technical Debt' group to keep our Agile best practices and SQALE-related rules up to date. Ours are official SQALE tools.
Our Solutions
We provide DevOps solutions for:
– Software Composition Analysis
Security Compliance
The following Security Compliance standards are supported:
OWASP API Security Top 10 2019
2021 CWE Top 25 Most Dangerous Software Weaknesses
2019 CWE/SANS Top 25 Most Dangerous Software Errors
Payment Card Industry Data Security Standard (PCI DSS): 3.2.1 and 2.0 (for compatibility)
SAP BIZEC: Most Common SAP Vulnerabilities
NIST - SAMATE - CWE 700 - Seven Pernicious Kingdoms
DISA Control Correlation Identifier Version 2
NIST Special Publication 800-53 Revision 5
For further information see Compliance Modules.
Agile Alliance Compliance
The following is our current coverage of Agile Alliance’s Rules for 40+ programming languages:
Best Practices
Best Practice | Security Reviewer rule |
Return without result code | Yes |
Duplicated Method/Class | Yes |
Duplicated Branch | Yes |
Duplicated File | Yes |
Reduce the number of returns of this method down to the maximum allowed | Yes |
No explicit constants directly used in the code | Yes |
Class should not be public | Yes |
Switch Case - Improper use of throw | Yes |
Expression is always true | Yes |
Expression is always false | Yes |
Impossible equality is always false | Yes |
No assignment '=' within 'if' statement | Yes |
No assignment '=' within 'while' statement | Yes |
Unsigned Less Than Zero (Checking if unsigned variable is less than zero) | Yes |
Comparison Error | Yes |
Goto statement is deprecated | Yes |
Suspicious Comment | Yes |
Objects instantiated in a loop | Yes |
A "for" loop iterator is modified in the body of the loop | Yes |
A file has an insufficient level of code coverage | No |
Source files have an insufficient density of comments | Yes |
Components are calling too many other components | Yes |
Class hierarchies are too deep | Yes |
A method or a function has too many parameters | Yes |
Test for equality between floating point variables | Yes |
Method or constructor is accessed without the expected lock | Yes |
Methods or functions are highly complex | Yes |
Too deeply nested statements | Yes |
Classes are wrongly coupled | Yes |
A parent class references any of its child classes | Yes |
An interface has more than 50 services (functions or methods) | No |
Operations that might be incorrect because of numerical approximations | Yes |
Incorrect uses of == and equals() | Yes |
Inconsistent class redefinitions or method overriding | No |
Missing call to super() | Yes |
Suspicious call over arrays | No |
Incorrect class loading | Yes |
Incorrect object cloning | Yes |
Infinite recursion | Yes |
Logical bitwise operation is used instead of a logical Boolean operation | Yes |
Nullable Parameter | Yes |
Null Array length | Yes |
toString on array | Yes |
Commented-out code > 20% | Yes |
Method should not return null | Yes |
Float Counter used in a loop | Yes |
Coverage | 92% |
Dead Code
Rule | Security Reviewer |
Empty Event Handler | Yes |
Empty control statement | No |
Empty try block | Yes |
Empty catch block | Yes |
Empty Class Declaration | Yes |
Empty Function or Method | Yes |
Code is unreachable | Yes |
Unused Object | Yes |
Unused Private Method | Yes |
Unused Function | Yes |
Unused Label | Yes |
Unused Return Value | No |
Redundant control flow jump statement | Yes |
Redundant code (unreachable code) | Yes |
Redundant Assign In Switch | Yes |
Redundant code (redundant Get And Set) | Yes |
Redundant code (assignment of function parameter has no effect outside the function) | Yes |
Redundant code (Const Statement) | Yes |
Useless call | No |
Variable is assigned a value that is never used | Yes |
Unused Variable | Yes |
Field/Constant is never used, or is only assigned but its value is never used | Yes |
Unused Parameter | Yes |
Unused Local Variable | Yes |
Useless code | Yes |
Useless Constructor | Yes |
Useless Field | Yes |
Unused resources | Yes |
Unused classes | Yes |
Useless instanceof operations | Yes |
Useless test statements | Yes |
Coverage | 94% |
This is the best coverage available in the market. In addition to the Agile Alliance rules listed above, we provide 300+ further Dead Code and Best Practices rules.
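To make concrete what rules of the kind listed in the two tables above actually detect, and how a CI/CD step of the sort described under Automation can gate on their findings, here is an added educational example. It is not Security Reviewer's engine or rule set: it implements simplified versions of five of the listed rules (floating-point equality test, float loop counter, empty catch block, redundant control-flow jump, unused local variable) over Python source using the standard `ast` module, and the sample input is constructed for the illustration. The rule identifiers and the `ci_gate` helper are assumptions of this example.

```python
"""Toy checker for a handful of the best-practice / dead-code rules named above.
Added example, not Security Reviewer code; rule names and thresholds are ours."""
import ast
from typing import Dict, List, Set, Tuple

Finding = Tuple[int, str]  # (line number, rule identifier)


def _is_float(node: ast.AST) -> bool:
    """True for a float literal such as 0.1."""
    return isinstance(node, ast.Constant) and isinstance(node.value, float)


def _names_in(node: ast.AST) -> Set[str]:
    """All variable names referenced anywhere under `node`."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def check_source(src: str) -> List[Finding]:
    """Run the simplified rules over one module and return sorted findings."""
    tree = ast.parse(src)
    findings: List[Finding] = []

    for node in ast.walk(tree):
        # Rule: test for equality between floating point variables.
        # Simplification: flag == / != where an operand is a float literal
        # (variable types are not inferred here).
        if isinstance(node, ast.Compare):
            operands = [node.left, *node.comparators]
            if any(isinstance(op, (ast.Eq, ast.NotEq)) for op in node.ops) and any(
                _is_float(o) for o in operands
            ):
                findings.append((node.lineno, "float-equality"))

        # Rule: float counter used in a loop, e.g. `while t < 1.0: t += 0.1`.
        # The loop test names are the candidate counters; a float step on one
        # of them inside the loop is reported (nested loops are walked too).
        if isinstance(node, ast.While):
            counters = _names_in(node.test)
            for stmt in ast.walk(node):
                if (
                    isinstance(stmt, ast.AugAssign)
                    and isinstance(stmt.target, ast.Name)
                    and stmt.target.id in counters
                    and _is_float(stmt.value)
                ):
                    findings.append((stmt.lineno, "float-loop-counter"))

        # Rule: empty catch block (handler body is only `pass`).
        if isinstance(node, ast.ExceptHandler):
            if len(node.body) == 1 and isinstance(node.body[0], ast.Pass):
                findings.append((node.lineno, "empty-catch"))

        # Rule: redundant control flow jump (`continue` as last loop statement).
        if isinstance(node, (ast.For, ast.While)) and node.body:
            if isinstance(node.body[-1], ast.Continue):
                findings.append((node.body[-1].lineno, "redundant-continue"))

        # Rule: unused local variable (stored in a function, never loaded).
        # Simplification: nested functions share the outer function's tally.
        if isinstance(node, ast.FunctionDef):
            stored: Dict[str, int] = {}
            loaded: Set[str] = set()
            for n in ast.walk(node):
                if isinstance(n, ast.Name):
                    if isinstance(n.ctx, ast.Store):
                        stored.setdefault(n.id, n.lineno)
                    elif isinstance(n.ctx, ast.Load):
                        loaded.add(n.id)
            for name, line in stored.items():
                if name not in loaded and name != "_":
                    findings.append((line, f"unused-local:{name}"))

    return sorted(findings)


def ci_gate(findings: List[Finding], blocking: Set[str]) -> bool:
    """Pipeline gate: True (pass) unless a finding's rule is in `blocking`.
    The rule prefix before ':' is compared so `unused-local:x` matches `unused-local`."""
    return not any(rule.split(":", 1)[0] in blocking for _, rule in findings)


# Constructed sample input; line 1 is the blank line after the opening quotes.
SAMPLE = '''
def accumulate(values):
    total = 0.0
    unused = 42
    for v in values:
        total += v
        continue
    return total == 0.1

def step():
    t = 0.0
    while t < 1.0:
        t += 0.1
    try:
        risky()
    except ValueError:
        pass
    return t
'''

if __name__ == "__main__":
    results = check_source(SAMPLE)
    for line, rule in results:
        print(f"line {line}: {rule}")
    # Fail the (hypothetical) pipeline only on the rules the team considers blocking.
    print("gate:", "PASS" if ci_gate(results, {"empty-catch", "float-equality"}) else "FAIL")
```

Running the block lists one finding per rule against the sample and the gate fails because an empty catch block and a float equality test are among the blocking rules; the `blocking` set is where a team would encode its per-project policy, as the Automation section describes.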
Security
For security, we cover 100% of the Web Application Security Consortium (WASC) rules:
Attack | Security Reviewer |
API Abuse | Yes |
Application Misconfiguration | Yes |
Auto-complete Not Disabled on Password Parameters | Yes |
Buffer Overflow | Yes |
Command Injection | Yes |
Credential/Session Prediction | Yes |
Cross-site Scripting | Yes |
Dangerous Native Method | Yes |
Denial of Service | Yes |
Escalation of Privileges | Yes |
Insecure Cryptography | Yes |
Format String | Yes |
Hardcoded Credentials | Yes |
HTTP Response Splitting | Yes |
Improper Input Handling | Yes |
Improper Output Encoding | Yes |
Information Leakage | Yes |
Insecure Data Caching | Yes |
Insecure File Upload | Yes |
Insufficient Account Lockout | Yes |
Insufficient Authentication | Yes |
Insufficient Authorization | Yes |
Insufficient/Insecure Logging | Yes |
Insufficient Password Complexity Requirements | Yes |
Insufficient Password History Requirements | Yes |
Insufficient Session Expiration | Yes |
Insecure Randomness | Yes |
Integer Overflows | Yes |
LDAP Injection | Yes |
Mail Command Injection | Yes |
Null Byte Injection | Yes |
Open Redirect Attacks | Yes |
OS Command Injection | Yes |
Path Traversal | Yes |
Race Conditions | Yes |
Reflection Injection | Yes |
Resource Injection | Yes |
Remote File Inclusion | Yes |
Second Order Injection | Yes |
Session Fixation | Yes |
Session Injection | Yes |
Session Hijacking | Yes |
SQL Injection | Yes |
Unreleased Resource | Yes |
URL Injection | Yes |
URL Redirection Abuse | Yes |
XPATH Injection | Yes |
XML External Entities | Yes |
XML Entity Expansion | Yes |
XML Injection Attacks | Yes |
Coverage | 100% |
In addition to the WASC rules listed above, we provide 600+ further security rules, each with up to 12 variants, constantly updated thanks to our Independent Advisory Network.
COPYRIGHT (C) 2015-2024 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.