Aug 7, 2023

Find Security Flaws in Your Dart & Flutter Applications: Veracode Expands Mobile Application Security Support

By Mike Mcgreevey

Veracode recently released Static Analysis support for Dart 3 and Flutter 3.10. This makes it possible for developers to leverage the power of Dart and Flutter and deliver more secure mobile applications by finding and resolving security flaws earlier in the development lifecycle when they are fastest and least expensive to fix. The release also expanded Veracode’s extensive support covering over 100 languages and frameworks, and we thought it presented a good opportunity to dive into the topic of language support: how we prioritize languages to support, the research process and what goes into actually developing support, what the team is currently working on – and how customers can influence that direction through our Community Ideas Portal.

How Does Veracode Prioritize Languages and Frameworks to Support?

There are more languages and frameworks than resources and time to support them. This means prioritization is key. Veracode takes a highly considered approach to selecting languages and frameworks for new or expanded support. There are three key factors we consider when building out our language support roadmap: 

  1. Adoption and need within our existing customer base (to recommend a language, upvote a request, and influence our support decisions, use the Customer Ideas Portal).

  2. Evaluation of the language or framework's value: what adoption and opportunity do we anticipate, and does it justify the time and effort?

  3. Assessment of the level of effort and resources required to develop support.

These three factors inform a business case for language support and influence priorities. In the case of Dart and Flutter, we came through our evaluation impressed by the language and framework and convinced they will be widely adopted. This, in concert with feedback from our customer base and the opportunity to strengthen our mobile application security testing, made a strong case to prioritize support. That does not mean we focus solely on a single language, however. In parallel with support for Dart and Flutter, we also released support for .NET MAUI, again prioritizing support based on customer needs and anticipated adoption. Veracode has a remarkable team of researchers who have delivered new and expanded support for over 20 languages and frameworks in the past 12 months. We also have a robust pipeline of languages actively under research and development; reach out to learn what the team is researching now and what support is on the roadmap.

What Goes Into Supporting a Language?

There is no common standard for what "language support" means. A wide gap exists between functional support (can a scan complete without failing) and effective support (can a scan accurately model an application and identify security vulnerabilities). Making matters worse, there is often little visibility into what vendors support: not just which languages, but which versions of those languages. This makes the evaluation process frustrating for customers who need to identify viable solutions that cover the languages and frameworks across their application portfolio.

Veracode defines language support as the successful completion of Research, Development, and Documentation, so existing and new customers know what is supported and can easily onboard and scan their applications. Let’s investigate what goes into successful completion of each of those areas.  

Research: Build a deep understanding of the language – and the security concerns associated with it. 

Language support begins with research. The Veracode research team approaches languages from two perspectives: the developer perspective and the security perspective. First, researchers want to understand what developers are using the language to build. What is a Dart and Flutter application? Most likely, it is a mobile application. So, what does that ecosystem look like? How fast is the language moving?  

Once they understand the language from a developer perspective and how it is being used, the team then starts to investigate the language from a security perspective. Researchers are security experts able to identify vulnerabilities in the code. The research team will build applications that demonstrate expected data flows, flaws, and vulnerabilities. They then bring these test applications to the engineering team and work together to build a model that can accurately identify those issues to develop support.  

Development: Leverage research and test applications to engineer accurate scans. 

The next step is taking the research findings and test applications and engineering a model that can scan the language and identify security issues with consistency and accuracy. The engineering team first develops a functional model so that an application can be uploaded and scanned for analysis. Next, researchers and engineers work together to scan and analyze the test cases. They review actual findings against expected findings and build additional test cases to refine the scans.

Creating an accurate model is an intensive process with a lot of collaboration between research and development teams. For new languages like Dart and Flutter, the initial research phase may take a few months for researchers to dive into the nuances of the language and build initial test cases before looping in the engineering teams. Then the back and forth between development and research goes through many iterations to build and refine support.  

Document: Inform customers and prospects and make it easy to onboard and scan applications. 

The value of language support is realized when customers apply it to build more secure applications, faster, and with less effort. To that end, ensuring customers have a clear understanding of which languages, frameworks, and versions we support is critical. It lets teams choose languages with confidence that they will be able to get security assurance for them, and it lets them choose vendors whose capabilities match the needs of the organization. Veracode maintains documentation of supported languages and frameworks so users know exactly what we support and how to successfully scan supported applications.

To that end, our documentation provides clear guidance on how to package applications for scanning, a step often automated in the build process. For Dart and Flutter applications, Veracode supports applications packaged as an iOS Archive (IPA) or Android Package (APK). Developers can use the Flutter CLI's build command to produce the package and then submit it for scanning, or this process can easily be automated to build and scan the application whenever a workflow is triggered. Here, the hard work of the research and development teams pays off. Users can rapidly scan their applications and view any policy-violating flaws right in their workflow. They can address any issues, pass security policy, and deliver secure applications faster.
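As an added example that is not part of the original post and not Veracode's own tooling: a POSIX shell script that builds the Flutter package for a platform, refuses to upload anything that is not actually an APK/IPA ZIP container (a stray log file or an empty artifact from a failed build would otherwise waste a scan), and submits the package through the Veracode Java API wrapper's UploadAndScan action. The wrapper jar path, the credential environment variable names, the Flutter output paths, and the application name are assumptions for illustration; verify the wrapper flags against the version you run.

```shell
#!/bin/sh
# Added example (not Veracode's or the author's code): build a Flutter app into
# the APK or IPA package that Veracode Static Analysis accepts, sanity-check the
# artifact, and upload it with the Veracode Java API wrapper.
# Save as scan_flutter.sh and run:  sh scan_flutter.sh android MyFlutterApp 1.4.0
set -eu

# Default Flutter release output paths (assumed; adjust if your build overrides them).
# Usage: artifact_path_for <android|ios> <app-name>
artifact_path_for() {
  case "$1" in
    android) printf '%s\n' "build/app/outputs/flutter-apk/app-release.apk" ;;
    ios)     printf '%s\n' "build/ios/ipa/$2.ipa" ;;
    *)       return 1 ;;  # Veracode accepts APK/IPA for Dart & Flutter, so no other platform here
  esac
}

# Both APK and IPA are ZIP containers, so a real package starts with the bytes "PK".
# Reject anything else before it is uploaded: wrong extension, empty file, or not a ZIP.
is_zip_package() {
  case "$1" in *.apk|*.ipa) ;; *) return 1 ;; esac
  [ -s "$1" ] || return 1
  [ "$(od -An -c -N 2 "$1" | tr -d ' ')" = "PK" ]
}

# Build the release package for the requested platform with the Flutter CLI.
build_package() {
  case "$1" in
    android) flutter build apk --release ;;
    ios)     flutter build ipa --release ;;   # needs Xcode signing configured
    *)       echo "unsupported platform: $1" >&2; return 1 ;;
  esac
}

# Upload the package and start a static scan via the Java API wrapper.
# VERACODE_WRAPPER_JAR, VERACODE_API_ID and VERACODE_API_KEY are assumed env vars.
# Usage: upload_and_scan <package> <app-name> <version-label>
upload_and_scan() {
  is_zip_package "$1" || { echo "refusing to upload $1: not an APK/IPA package" >&2; return 1; }
  java -jar "${VERACODE_WRAPPER_JAR:-veracode-wrapper.jar}" \
    -vid "$VERACODE_API_ID" -vkey "$VERACODE_API_KEY" \
    -action UploadAndScan -appname "$2" -createprofile false \
    -filepath "$1" -version "$3" -autoscan true
}

main() {
  platform=${1:-android}
  app=${2:-MyFlutterApp}                       # assumed application profile name
  version=${3:-$(date +%Y%m%d%H%M%S)}          # each upload needs a unique version label
  build_package "$platform"
  upload_and_scan "$(artifact_path_for "$platform" "$app")" "$app" "$version"
}

# Only run the pipeline when invoked as the script itself, so a CI job can also
# source this file and call the helpers individually.
case "${0##*/}" in scan_flutter.sh) main "$@" ;; esac
```

In a CI workflow the same three steps map onto a build job that runs `flutter build`, a guard step that calls `is_zip_package` on the artifact, and an upload step that runs the wrapper with the API credentials injected as secrets; the version label should come from the commit or build number so re-uploads of the same build are easy to spot.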

What Comes Next?

Veracode’s language research and development teams are constantly working to expand language and framework support so you can secure your entire application portfolio – from business critical and legacy applications to new cloud-native mobile apps leveraging the latest and greatest. It takes a lot of expertise, time, and effort to deliver effective support, so – like with most things – prioritization is key. And customers have the greatest influence on our language roadmap. So, let us know what you want us to prioritize. What languages and frameworks are you using? What are you exploring? Let us know – and see what others are asking for – on the Customer Ideas Portal, or you can schedule time to talk with the team to learn more about Veracode and our language roadmap. 

Mike is a Technical Product Manager responsible for the Veracode Static Application Security Testing (SAST) Languages and Frameworks portfolio, ensuring organizations receive the required coverage to enhance their software security posture and safeguard against potential vulnerabilities.