Continuous Delivery is all about speed. Think fast, build fast, ship fast. But how do you ensure your software is safe when you’re so focused on speed?
By automating security checks with every build you can ship faster than ever, knowing you are delivering a safer product to your customers. That’s Continuous Delivery, Secured.
Today we’re thrilled to announce that SourceClear is bringing automated security analysis to millions of developers building software with the Atlassian Stack. Continuous Delivery, Secured.
In this blog post, we will talk a bit about traditional static analysis - what it is, what it’s used for, and where our vulnerable methods analysis fits in amongst the other kinds of static analysis.
Wikipedia tells us:
Static program analysis is the analysis of computer software that is performed without actually executing programs
Why wouldn’t we want to execute a program in order to analyze it? The main reason is that we gain stronger guarantees about whether our analyses will terminate (modulo bugs in the analysis itself). Testing a program by executing it can only ever reveal the presence of bugs on the paths that are exercised during that execution; static analysis, on the other hand, can reason about all possible paths in the program.
A static analysis tells us about the possible runtime behavior of programs. What it computes is essentially an approximation – it cannot have knowledge of the exact inputs a program receives at runtime, for example, so it can only operate based on abstractions of them. This may lead to false positives or false negatives, depending on how conservative or permissive an analysis is. Advancing the accuracy of current analysis techniques is an active area of research.
Static analyses are usually found in compilers, IDEs, linters, and standalone agents (like SourceClear’s CI agent) that run as part of a continuous integration pipeline. They detect errors, discover properties about programs, and help us write better programs in general.
Before open source software took over the world, people bought software from companies with cold hard cash. There were Rolex watches involved, but there were regular security updates, too. Crazy, right?
Vulnerability disclosure for commercial software typically goes like this:
While this process usually works well for commercial software, there are many ways that it can fall apart when disclosing open source vulnerabilities.
SourceClear helps you use open source software safely. In order to analyze the security of your projects, we need to solve two problems:
To solve the first problem, there are three typical approaches:
We’ve been at this for a few years now, and our experience has taught us that only one of these methods actually works - dynamic analysis, running inside the build process.
Hi all! I’m Yaqin, working as a Security Researcher in the R&D team in Singapore.
We’ve made some improvements to how the SourceClear agent can be configured that make it easier to run inside continuous integration environments.
Scanning a specific branch or tag in your projects just got a whole lot easier. If you use feature branches, development branches, release tags, or even use branches to separate different projects in the same repository, you can now specify any existing branch or tag for your SourceClear scans.
Integrating SourceClear with your issue tracker makes fixing and updating things a breeze. In addition to our JIRA integration, you can now create GitHub Issues directly from your vulnerability reports.
These new issues will automatically include: