HCL SW Blogs
Leo Goldstien
About
Mr. Goldstien holds an M.Sc. in Biotech Engineering and has been engaged in research for close to a decade. For the past couple of years, Mr. Goldstien focused on research in the cyber-security sector, doing anything that catches his eye, including firmware analysis, reverse engineering & WebApp security.
Posts by Leo Goldstien
Secure DevOps | November 25, 2019
Security Should Not Be an Afterthought for Code Quality Checkers
Security should never be an afterthought!

Application security testing has been around for a long time, but few development teams are genuinely interested in testing their code for vulnerabilities. Security is still very much the concern of security specialists and the CISO. While progressively higher stakes are forcing development teams to "do something" about application security, they often take the path of least effort.

Recently, I was asked to evaluate SonarQube as a security testing tool. Due to its widespread use as a code quality checker, development teams perceive it as an easy and cost-effective way to implement security testing procedures to make their apps more secure.

My first impression of SonarQube was extremely positive. Easy navigation, clear views and contextually relevant information made it obvious why development teams love it. However, as a security researcher, I was disappointed with its security-related features.

While the application security testing landscape is littered with solutions, the primary benchmark for preferring one solution over another is the accuracy of its findings. I expect these tools to indicate precisely where vulnerabilities exist, point me to the cause of each, and provide fix recommendations that are clear and easy to implement in my code. And it goes without saying, they should avoid false positives.

SonarQube, however, seems to only enumerate the locations of possible (not actual) issues and offers only general advice as to what should be done to avoid such issues.

It's a 'good practices' checklist and not a security testing tool.

To be fair, SonarQube is quite open about the limitations of its security testing tool (https://docs.sonarqube.org/latest/user-guide/security-rules/) and, through its documentation, cautions users against expecting the same level of accuracy found in its code quality analysis.

SonarQube's security analysis reports distinguish between "vulnerabilities" and "hotspots."
According to the documentation, vulnerabilities are actual issues that require immediate action. SonarQube provides issue descriptions...
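The distinction the post draws between a hotspot (a location where an issue is possible) and a vulnerability (an actual, exploitable issue) can be made concrete in code. The following is an added example, not code from the post or from SonarQube: a toy syntactic scanner, standing in for the kind of text-level check that produces "possible issue" findings, flags every line that splices a value into a quoted SQL string, while actually running the functions shows that only the one fed attacker-controlled input is exploitable. The scanner, the sqlite3 sample table, the function names and the payload are all constructed for this illustration; the scanner is not SonarQube's rule logic and makes no claim about what SonarQube would or would not report.

```python
import inspect
import re
import sqlite3

# Constructed sample data and payload (not taken from the original post).
USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]
PAYLOAD = "x' OR '1'='1"  # classic tautology injection


def make_db():
    """In-memory SQLite table holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """Actual vulnerability: attacker-controlled `name` is spliced into the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_constant(conn):
    """Same syntactic pattern, but the spliced value is a hard-coded constant.
    A text-level check flags this line exactly like the one above; a human
    review closes it as not exploitable (no attacker influence on `name`)."""
    name = "alice"
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Fixed form: a bound parameter. The payload is treated as data, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Matches: quote, '+', identifier, '+', quote  (the shape of `'" + name + "'`).
_SPLICE = re.compile(r"""['"]\s*\+\s*\w+\s*\+\s*['"]""")


def pattern_scan(func):
    """Toy stand-in for a hotspot-style rule (hypothetical, not SonarQube's):
    report every source line of `func` that splices an identifier between two
    quoted string fragments. It reasons about text only, so it cannot tell
    attacker input from a constant; every hit is a *possible* issue that still
    needs a reviewer or a taint analysis to confirm."""
    lines, first = inspect.getsourcelines(func)
    return [
        (first + i, line.strip())
        for i, line in enumerate(lines)
        if _SPLICE.search(line)
    ]


def exploitable(conn, query_fn, payload=PAYLOAD):
    """Runtime check: does the payload return more rows than a single-name
    lookup ever should? True means the finding is an actual vulnerability,
    not merely a location."""
    rows = query_fn(conn, payload)
    return len(rows) > 1


if __name__ == "__main__":
    conn = make_db()
    for fn in (lookup_concat, lookup_constant, lookup_param):
        print(fn.__name__, "pattern hits:", pattern_scan(fn))
    print("lookup_concat exploitable:", exploitable(conn, lookup_concat))
    print("lookup_param exploitable: ", exploitable(conn, lookup_param))
```

Run stand-alone, the scanner reports one hit each for `lookup_concat` and `lookup_constant` and none for `lookup_param`, yet only `lookup_concat` actually leaks every row when fed the payload. That gap between "flagged location" and "confirmed exploit" is the difference between a checklist finding and a vulnerability report, and closing it requires either a reviewer or data-flow (taint) tracking rather than a pattern match.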