Agile & DevOps

Security Reviewer pragmatically integrates Security into Agile practices and DevOps to drive developer ownership and empowerment, automation of security compliance and ensure defensible and trustworthy DevOps pipelines.

 

In the classic Waterfall Methodology, each stage is completed before proceeding to the next stage. Security Reviewer Suite supports the implementation, testing, and maintenance stages:

The goal is to organically integrate the security assessment of software into both the Waterfall and DevOps software development workflows.

The continuous assurance model also fits into the DevOps model as part of the Verify phase. The addition of continuous assurance adds software assurance and security to the DevOps functional testing process.

Automation

Development teams can use Security Reviewer to automate static analysis wherever it’s most convenient for them in the SDLC.

Some developers find static analysis distracting and invasive. Others grow frustrated with the inaccuracy of SAST, which causes them to waste time separating false positives from true positives. To make SAST an integral part of the software development life cycle (SDLC), it must support developers and their goals.

While some teams prefer to find security vulnerabilities and quality defects in their IDE as they’re writing code, others prefer to automate static analysis into their CI/CD pipelines. Development teams can choose any combination of the offerings above—so they can determine the best approach to securing their SDLC on a per-project basis.

By automating static analysis in the IDE or CI/CD pipeline, Security Reviewer reduces the time it takes to debug code. The tools described above meet three crucial requirements to help development teams find and fix security weaknesses quickly:

  1. They can be automated and integrated into developer workflows without disrupting day-to-day activities.

  2. They present accurate results in a non-invasive, intuitive way.

  3. They offer actionable remediation guidance and developer education

DevOps in practice

Our DevOps Infrastructure Requirements

Our Static Reviewer | StaticReviewer DevOpsCI/CDIntegration

Our Involvement

We participate to ‘Managing Technical Debt’ Agile Alliance group for maintaining our Agile Best-Practices and SQALE related rules up-to-date. Ours are official SQALE Tools.

Our Solutions

We provide DevOps solutions about:

– Code Inspection

– Software Composition Analysis

– Container Security

Security Compliance

The following Security Compliance standards are supported:

OWASP Top 10 2021

OWASP Top 10 2017

OWASP API Security Top 10 2019

OWASP Mobile Top 10 2016

WASC Threat Classification

CWE 4.6

CVSS 3.1 and 2.0

2021 CWE Top 25 Most Dangerous Software Weaknesses

2019 CWE - SANS Top 25 Most Dangerous Software Errors

Payment Card Industry Data Security Standard (PCI DSS): 3.2.1 and 2.0 (for compatibility)

SAP BIZEC: Most Common SAP Vulnerabilities

NIST - SAMATE - CWE 700 - Seven Pernicious Kingdoms

DISA Control Correlation Identifier Version 2

NIST Special Publication 800-53 Revision 5

For further information see Compliance Modules.

Agile Alliance Compliance

The following is our current coverage of Agile Alliance’s Rules for 40+ programming languages:

Best Practices

Best Practice

Security Reviewer rule

Return without result code

Yes

Duplicated Method/Class

Duplicated Branch

Duplicated File

Yes

Yes

Yes

Reduce the number of returns of this method down to the maximum allowed

Yes

No explicit constants directly used in the code

Yes

Class should not be public

Yes

Switch Case - Improper use of throw

Yes

Expression is always true

Expression is always false

Impossible equality is always false

Yes

Yes

Yes

No assignment '=' within 'if' statement

No assignment '=' within 'while' statement

Yes

Unsigned Less Than Zero (Checking if unsigned variable is less than zero)

Yes

Comparison Error

Yes

Goto statement is deprecated

Yes

Suspicious Comment

Yes

Objects instantiated in a loop

Yes

A "for" loop iterator is modified in the body of the loop

Yes

A file has an insufficient level of code coverage

No

Source files have an insufficient density of comments

Yes

Components are calling too many other components

Yes

Class hierarchies are too deep

Yes

A method or a function have too many parameters

Yes

Test for equality between floating point variables

Yes

Method or constructor is accessed

without the expected lock

Yes

Methods or functions are highly complex

Yes

Too deeply nested statements

Yes

Classes are wrongly coupled

Yes

A parent class references any of its child classes

Yes

An interface has more than 50 services (functions or methods)

NO

Operations that might be incorrect because of numerical approximations

Yes

Incorrect uses of == and equals()

Yes

Inconsistent class redefinitions or method overriding

NO

Missing call to super()

Yes

Suspicious call over arrays

NO

Incorrect class loading

Yes

Incorrect object cloning

Yes

Infinite recursion

Yes

Logical bitwise operation is used instead of a logical Boolean operation

Yes

Nullable Parameter

Yes

Null Array length

Yes

toString on array

Yes

Commented-out code > 20%

Yes

Method should not return null

Yes

Float Counter used in a loop

Yes

Coverage

92%

Dead Code

Rule

Security Reviewer

Empty Event Handler

Empty control statement

Empty try block

Empty catch block

Empty Class Declaration

Empty Function or Method

Yes

NO

Yes

Yes

Yes

Yes

Code is unreachable

Yes

Unused Object

Unused Private Method

Unused Function

Unused Label

Unused Return Value

Yes

Yes

Yes

Yes

NO

Redundant control flow jump statement

Redundant code (unreachable Code)

Redundant Assign In Switch

Redundant code (redundant Get And Set)

Redundant code (Assignment of function parameter has no effect outside the function)

Redundant code (Const Statement)

Yes

Yes

Yes

Yes

Yes

 

Yes

Useless call

NO

Variable is assigned a value that is never used

Unused Variable

Field|Costant is never used or is only assigned but its value is never used

Yes

Yes

Yes

Unused Parameter

Yes

Unused Local Variable

Yes

Useless code

Useless Constructor

Useless Field

Yes

Yes

Yes

Unused resources

Yes

Unused classes

Yes

Useless instanceof operations

Yes

Useless test statements

Yes

Coverage

94%

This is the best coverage available in the market. Further to Agile Alliance’s rules reported above, we provide additional 300+ Dead Code and Best Practices rules.

Security

About Security, we cover 100% of Web Security Application Consortium (WASC) rules:

Attack

Security Reviewer

API Abuse

Yes

Application Misconfiguration

Yes

Auto-complete Not Disabled on Password Parameters

Yes

Buffer Overflow

Yes

Command Injection

Yes

Credential/Session Prediction

Yes

Cross-site Scripting

Yes

Dangerous Native Method

Yes

Denial of Service

Yes

Escalation of Privileges

Yes

Insecure Cryptography

Yes

Format String

Yes

Hardcoded Credentials

Yes

HTTP Response Splitting

Yes

Improper Input Handling

Yes

Improper Output Encoding

Yes

Information Leakage

Yes

Insecure Data Caching

Yes

Insecure File Upload

Yes

Insufficient Account Lockout

Yes

Insufficient Authentication

Yes

Insufficient Authorization

Yes

Insufficient/Insecure Logging

Yes

Insufficient Password Complexity Requirements

Yes

Insufficient Password History Requirements

Yes

Insufficient Session Expiration

Yes

Insecure Randomness

Yes

Integer Overflows

Yes

LDAP Injection

Yes

Mail Command Injection

Yes

Null Byte Injection

Yes

Open Redirect Attacks

Yes

OS Command Injection

Yes

Path Traversal

Yes

Race Conditions

Yes

Reflection Injection

Yes

Resource Injection

Yes

Remote File Inclusion

Yes

Second Order Injection

Yes

Session Fixation

Session Injection

Session HighJacking

Yes

Yes

Yes

SQL Injection

Yes

Unreleased Resource

Yes

URL Injection

Yes

URL Redirection Abuse

Yes

XPATH Injection

Yes

XML External Entities

Yes

XML Entity Expansion

Yes

XML Injection Attacks

Yes

XPATH Injection

Yes

Coverage

100%

Further to WASC rules reported above, we provide additional 600+ Security rules, each one having up to 12 variants, constantly updated thanks to our Indipendent Advisory Network.

COPYRIGHT (C) 2015-2024 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.