Detecting OWASP vulnerabilities in real time while coding with Code Sight and Rapid Scan Static
Using Code Sight and Rapid Scan Static, DevSecOps teams can identify vulnerabilities and fixes as they code without leaving the IDE.
By: Rody Kersten, Wanying Luo, Cameron Forbis and DeWang Li.
Imagine you’re developing an application – whether it’s a web, mobile, or desktop application – and your IDE alerts you to security vulnerabilities as you code. The release of Code Sight 2022.9.0 for VS Code and IntelliJ makes this a reality. With Synopsys’ industry-leading Static Application Security Testing (SAST) engine powering Code Sight’s Rapid Scan Static, there’s no setup or tuning. This is sophisticated taint flow analysis, not just fluff. Fixes for vulnerabilities are also confirmed in real time. If you are part of a security team or are the security champion, you will appreciate the confirmed fix without having to search for it in the next security review.
Detect OWASP vulnerabilities in the IDE while you code
Code Sight scans your projects in real time, as you write code, so you can see new vulnerabilities and fixes as you type. The lightweight scanning engine minimizes resource consumption and maximizes speed so you can fix quickly before pushing vulnerable code downstream. You can access detailed risk information and remediation guidance in addition to the source code in the IDE, helping you maintain problem context and learn safer development techniques.
One of the most impactful examples of this is taint flow checkers, which clearly list the events that describe the complete flow of user-controlled data, from the point it enters the application to the point where it is used unsafely, so you can understand the problem and implement the correct fix the first time. With the Code Sight IDE plugin, finding and fixing security vulnerabilities without interrupting your workflow has never been faster.
Taint flow analysis with Rapid Scan Static
We built Code Sight’s SAST engine from scratch for speed. It builds on the efficient and resilient frameworks and APIs that have served Synopsys Coverity for years.
Rapid Scan Static currently has a set of 24 taint flow checkers for Java that will help you find vulnerabilities such as SQL Injection, Path Traversal, and Command Injection. The team is currently hard at work adding more checkers and bringing taint flow analysis to the other languages supported by Rapid Scan Static. In terms of framework modeling, the current engine focuses on the dominant framework for developing Java web applications, Spring. Of course, we plan to evolve our Spring support and extend it to other frameworks.
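To make the source, propagation and sink events that a taint flow checker reports concrete, here is an added illustration (not Code Sight’s or Synopsys’ own code): a Spring controller with a SQL Injection taint flow from a request parameter to a JDBC query, beside the parameterized version a checker would confirm as fixed. The class, endpoint paths, table and column names, and the injected `Connection` are assumptions for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller used only to illustrate a taint flow finding.
@RestController
public class UserLookupController {

    private final Connection conn;  // assumed to be provided by the application

    public UserLookupController(Connection conn) {
        this.conn = conn;
    }

    // Source: a @RequestParam is user-controlled data and is treated as tainted.
    @GetMapping("/user/vulnerable")
    public String lookupVulnerable(@RequestParam String name) throws SQLException {
        // Propagation: the tainted value becomes part of the SQL text itself.
        String sql = "SELECT email FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {   // Sink: tainted SQL is executed
            return rs.next() ? rs.getString("email") : "not found";
        }
    }

    // Fix: the SQL text is constant; the user value is bound as a parameter,
    // so no tainted data reaches the sink and the checker reports the flow as resolved.
    @GetMapping("/user/fixed")
    public String lookupFixed(@RequestParam String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);                     // bound parameter, not SQL text
            try (ResultSet rs = ps.executeQuery()) {   // sink now receives constant SQL
                return rs.next() ? rs.getString("email") : "not found";
            }
        }
    }
}
```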
Download the Code Sight IDE plugin for real-time security testing
If you’re eager to try out this new feature, you can easily install Code Sight now and start securing code and open source in minutes. Download Synopsys Code Sight from VS Code Marketplace or from JetBrains Marketplace (IntelliJ) and get started with a free trial, or import your team’s license if you are already a Synopsys Coverity or Synopsys Black Duck user. Avoid pushing vulnerable code into the code review, or even into your main product branch. Instead, find and fix vulnerabilities as they are introduced, directly in the IDE, with Synopsys Code Sight.