How to fix security issues in code faster

How to fix security issues in code faster

Is there a way to fix security issues in codes faster? In this article, our Product Security team will share how they improved the timeline to fix security issues in the analysis part of the source code. 

We will walk you through how we created code that automatically posted the security issues in Slack so that other development teams also can utilize and benefit from it. 

From now on in this article, we will refer to the Static Code Analysis tool as Coverity, because that is the actual product we use. Coverity is a tool that automatically scans your code to find weaknesses. 

These weaknesses will then be displayed in a web portal where you can check, fix or report them as false positives – which is a very convenient way to find vulnerabilities at an early stage of the development process.

Also read: Better together through APIs.

How we make sure our products and services are secure

At Visma, we have a program called VASP (Visma application security program) and this program makes sure that our products and services are secure. When you’re fully onboarded, you will have tools at your disposal, all the way from source code analysis to Bug Bounty. 

We utilise Coverity because we want to be able to fix issues early on in the development process rather than later. Why? Because the later you fix problems in the development process the more expensive it gets.

We noticed that using Coverity was a tedious process – the interface is a little old fashioned, but it works.

So far so good, we wanted to block pull requests with any added vulnerabilities in them. Unfortunately, the run time of a snapshot/analysis process in Coverity is far too long to be suitable for us, so what’s the next best thing?

If we can’t fail fast, let’s notify fast instead. However, the only notification system that Coverity supports is email. This isn’t ideal  since that would mean we would have need developers to set up filtered views with their emails in coverity, which doesn’t really scale well.

Well, since we are already onboarded to Slack, and use it daily for all our needs, why not create a dedicated channel to funnel all of our security needs into one channel to rule them all?

One channel to rule them all?

So, what is the magic recipe? Luckily Coverity has a rest API, where you can fetch issues from a specific view.

We created a Cake script because developers prefer automation (or cake), that fetches a specific view from Coverity and posts it directly into the Slack channel, to rule them all. Cake is a cross-platform build automation system with a C# Domain Syntax Language (DSL), a fancy word for code. 

We needed it to reduce our triage time and so far we have reduced it from days to 20 minutes.

Maybe you are interested in baking your own cake? Why not start out with our automated baking script? It’s open-sourced on Github

Cake script

Feel free to fork it up and branch it to your heart’s content. If you follow the link to the GitHub repository there is also an example output for your viewing pleasure.

Interested in reading more about how we work with security? Visit our Technology category page here

Read more about technology

13