
Cutting-edge Security Requires the Right Blades

For many people, having the right pocket knife when you need it can be quite handy. For example, if you want to open a bottle, a corkscrew tool is useful, and if you want to open a letter, then a knife blade is what you need.

Developers doing Agile app development who need to adhere to continuous integration and DevOps workflows likewise need a SAST pocket knife with multiple blades, each fine-tuned for a specific purpose, that together meet their many needs.

First and foremost, they need a solution that integrates with key developer tools: IDEs, bug trackers and ALM tools. Developers often use multiple plug-ins for different tools within their favorite IDE, which they use every day. They also need integrations with bug trackers, so that security vulnerabilities appear as tickets and are fixed and tracked in the same manner as other software flaws. Developers don’t want to have to learn and use a new tool or UI in order to integrate security testing into their development process.

Fortunately, WhiteHat Security Sentinel Source has all the right integrations developers need to help them get the job done. Developers who are WhiteHat customers can go to the customer portal to download the recently updated Sentinel Source IDE plugins for Eclipse, Visual Studio, Xcode and IntelliJ, all of which now have a more uniform UI and functionality. In addition, our latest Jira plug-in automatically syncs vulnerabilities from Sentinel to Jira, and developers can ask Threat Research Center (TRC) security experts a question from within Jira. Developers can also ask the TRC a question about a specific vulnerability from within their IDE or the Sentinel web portal, and typically receive a response within 24 hours.

All scan vulnerability results are pre-verified by TRC engineers to remove false positives and to provide custom vulnerability descriptions and remediation advice. Having direct access to security experts, as well as actionable, prioritized vulnerability results, greatly reduces the time it takes developers to fix vulnerabilities in their code and improves their productivity.

Developers also need accurate Software Composition Analysis (SCA) for identifying the license types and versions of the third-party and open source components they use in their apps. Our TRC engineers have created rule packs for the top frameworks and libraries used in each supported language. For supported rule packs, SCA also includes CVE analysis of those frameworks. TRC rule pack researchers analyze data gathered from app scans, investigate the security properties of new frameworks and libraries used by current applications, and update the rule packs on a weekly basis. This ongoing TRC research greatly improves the coverage and accuracy of Sentinel scans compared to alternative solutions.

In addition, developers and build engineers need support for continuous integration build tools, such as Jenkins. Our updated Jenkins plug-in now allows developers to configure, as a post-build action, automated scanning of websites (Sentinel Dynamic) and of selected code development projects and workspaces (Sentinel Source). This helps developers deliver secure apps more quickly at different stages of the software development life cycle.

Stay tuned for additional blog posts that describe other ways in which Sentinel Source can help developers better secure their apps and improve their productivity.

Tags: application security, static analysis, whitehat security