Developers face increased pressure to ship code rapidly, and are responding by adopting rapid development methodologies like CI/CD. In turn, application security needs to align with development processes and support this move toward more rapid development cycles. But this support is not solely about speed, it’s also about (1) understanding how developers use scanning results and (2) streamlining the process of managing those results.
Veracode’s new Custom Cleansers feature is designed to facilitate security results management by minimizing false positives and speeding the review process.
Specifically, developers often write their own libraries and functions to address common application security problems. Custom Cleansers allows a security architect or developer to mark certain functions in the application code as “trusted” ways to make user data safe for use, reducing the number of findings that the development team has to review.
With Custom Cleansers, application security managers give their teams a safe way to avoid and fix security findings, and developers get lower-noise reports.
Many common security issues are addressed by sanitizing or “cleansing” user input to remove the risk of attack. Open source and commercial cleansing functions exist, but many large organizations implement their own enterprise cleansing libraries, which may not be recognized by a scanning solution like Veracode.
Veracode Custom Cleansers allows an architect or security lead to “mark up” their enterprise cleansing library so that Veracode Static Analysis recognizes cleansing functions that address common vulnerability types, such as SQL Injection (found in one-third of all enterprise applications), URL redirection, log forging and header injection, and more. The markup uses standard Java or .NET annotations and allows the Veracode static engine to recognize a custom cleansing function without changing the functionality of the library.
In this way, security teams optimize enterprise security libraries, secure in the knowledge that they will be recognized in all their Veracode scans and will not require app-by-app tuning. And the results are mitigated, rather than suppressed, meaning that use of Custom Cleansers can be audited or subject to approval or rejection without requiring rescanning. That makes it easier for security teams to respond if a problem is found in the cleansing function.
Custom Cleaners gives developers more actionable security scan results, with fewer manual processes.
Veracode’s best-in-class static analysis engine checks all possible data paths to a vulnerability to make sure that all are correctly mitigated with the Custom Cleanser, avoiding false security.
Veracode also leaves a record when a security finding was closed because of use of a Custom Cleanser, and allows reopening of the finding if an issue is found with the cleanser.
Custom Cleansers is just one more way that Veracode is enabling secure DevOps by seamlessly integrating into development processes.
To find out more about our approach to securing applications at DevOps speed, see 5 Principles for Securing DevOps.
Get more details on Veracode Static Analysis.