Skip to content
VigilGuard Logo VigilGuard
Contact Us
EASM Platform VendorGuard ITRM Platform

Code Security

Code Security

Section titled “Code Security”

5 automated security scanners

Dynamic Analysis Effectiveness

Section titled “Dynamic Analysis Effectiveness”

Purpose: The Dynamic Analysis Effectiveness Scanner is designed to evaluate and analyze the effectiveness of dynamic application security testing (DAST) by assessing various aspects such as runtime vulnerability detection, authenticated scanning coverage, API testing capabilities, vulnerability validation accuracy, and continuous testing integration. This tool aims to identify inadequate dynamic analysis that may miss critical runtime vulnerabilities in applications.

What It Detects:

  • DAST Tool Presence: The scanner tests for the presence of dynamic analysis tools such as Burp Suite, OWASP ZAP, Acunetix, Netsparker, Qualys WAS, and Veracode Dynamic. It also checks for DAST vendor disclosures in application content to ensure runtime testing is performed.
  • Authenticated Scanning: The scanner verifies the presence of authenticated scanning capabilities, session management, proper handling of credentials during scans, and flags any instances where unauthenticated-only scans are conducted.
  • API Testing Coverage: It evaluates API security testing for RESTful APIs and GraphQL endpoints, checks for endpoint discovery mechanisms to ensure comprehensive coverage, and identifies gaps in API testing.
  • Continuous Testing: The scanner tests for the implementation of automated scanning processes integrated with CI/CD pipelines, scheduled scans, and flags any manual-only testing processes that may lead to coverage gaps.
  • Vulnerability Validation: It assesses the presence of validation evidence through security blogs or similar sections where exploit confirmations, finding accuracy, and reduction of false positives are checked.

Inputs Required:

  • domain (string): A fully qualified domain name (e.g., acme.com) which is essential for scanning the application’s runtime behavior and detecting any missing coverage areas.

Business Impact: Poor dynamic analysis can lead to significant security risks, including the potential for unauthorized access to sensitive data or systems due to unauthenticated scans, untested APIs that could be exploited, and false-positive vulnerabilities which may mislead decision-makers about the actual security posture of an application. This directly impacts the ability to maintain a secure and reliable software environment.

Risk Levels:

  • Critical: When there is no disclosure of any DAST tool or authenticated scanning methods across the domain, indicating a severe lack of runtime vulnerability detection capabilities.
  • High: When there are gaps in authenticated scanning, unauthenticated scans only, or incomplete API testing coverage, which significantly reduce the effectiveness of dynamic analysis.
  • Medium: When continuous testing is manual-only or lacks integration with CI/CD pipelines, leading to potential coverage gaps and reduced automated security checks.
  • Low: When DAST tools are present but some authenticated scanning, API testing, or validation evidence is missing, indicating a moderate level of risk requiring attention for improvement.
  • Info: When the scanner detects informational findings such as unclaimed mentions of DAST tools in the application content, which does not directly impact security but can be indicative of potential gaps needing documentation or awareness.

Example Findings:

  1. The scanner may flag a situation where an application only performs unauthenticated scans despite having capabilities for authenticated testing, potentially missing critical vulnerabilities that require user credentials to exploit.
  2. An instance where API endpoints are not tested through dynamic analysis tools, leaving these potential attack vectors unexplored and vulnerable to exploitation.

This structured documentation provides a clear understanding of the Dynamic Analysis Effectiveness Scanner’s purpose, what it detects, required inputs, business impact, risk levels, and illustrative examples of findings that could be flagged by the tool.

Software Composition Analysis

Section titled “Software Composition Analysis”

Purpose: The Software Composition Analysis Scanner is designed to assess the effectiveness of software composition analysis (SCA) within an organization. It evaluates various aspects such as tool presence, vulnerability detection, license compliance, supply chain controls, and automated remediation capabilities to identify any gaps that may lead to vulnerable dependencies or legal issues in production environments.

What It Detects:

  • SCA Tool Presence: The scanner identifies the presence of SCA tools like Snyk, Dependabot, WhiteSource, Sonatype, Black Duck, Fossa, and JFrog Xray. It checks for mentions in website content to ensure these tools are being used for dependency scanning.
  • Vulnerability Detection: It detects whether there is monitoring for Common Vulnerabilities and Exposures (CVE) and verifies the presence of security advisories related to outdated or vulnerable libraries.
  • License Compliance: The scanner checks for compliance with open source licenses by scanning for terms related to license scanning, tracking SPDX identifiers, and ensuring adherence to OSS licensing policies.
  • Supply Chain Controls: It evaluates the implementation of software bill of materials (SBOM) generation, provenance tracking, and artifact signing to manage risks associated with third-party components in the supply chain.
  • Automated Remediation: The scanner tests for automated update capabilities and pull request (PR) automation that could help in managing dependencies without manual intervention, which is crucial for timely patching of vulnerabilities.

Inputs Required:

  • domain (string): A fully qualified domain name (e.g., acme.com) representing the target organization’s website or system being analyzed. This input is essential to fetch and analyze web content related to SCA practices.

Business Impact: Poor software composition analysis can lead to significant risks, including exposure to known CVEs through missing dependency scanning, introduction of vulnerabilities via outdated libraries, legal issues due to license violations, lack of transparency in supply chain components, and delayed patching processes that could leave systems vulnerable for extended periods. This directly impacts the security posture of an organization by exposing it to potential cyber threats and regulatory non-compliance risks.

Risk Levels:

  • Critical: The scanner identifies no SCA tools or missing critical monitoring capabilities such as CVE scanning, which significantly increases the risk of encountering vulnerabilities in production environments.
  • High: There is a significant gap in at least one area of SCA practices, leading to potential exposure to known CVEs and outdated libraries that could be exploited by malicious actors.
  • Medium: The organization has partial coverage or mixed implementation across different aspects of SCA, indicating moderate risk where some dependencies might not be adequately managed for vulnerabilities or compliance issues.
  • Low: The organization demonstrates a good balance between tooling, monitoring, and automation in managing software composition risks effectively without significant gaps that could impact security significantly.
  • Info: The scanner finds informational findings such as mentions of SCA tools but no critical deficiencies in vulnerability detection or license compliance, indicating minimal risk with room for improvement.

Example Findings:

  1. The organization does not disclose any SCA tools on their website, which could lead to blind spots in detecting and managing software dependencies that might introduce vulnerabilities.
  2. There is a notable gap in automated remediation capabilities as evidenced by the absence of PR automation or other forms of automatic dependency updates mentioned across relevant pages.

Interactive Application Security Testing

Section titled “Interactive Application Security Testing”

Purpose: The Interactive Application Security Testing Scanner is designed to evaluate and analyze the effectiveness of interactive application security testing (IAST) tools in detecting runtime vulnerabilities within applications. It assesses various aspects such as tool presence, instrumentation coverage, real-time detection capabilities, and development workflow integration to ensure comprehensive vulnerability detection without missing critical runtime issues.

What It Detects:

  • IAST Tool Presence: The scanner tests for the presence of interactive analysis tools like Contrast Security, Hdiv, Seeker by Synopsys, Checkmarx IAST, Veracode IAST, and Parasoft IAST to identify if they are mentioned or used in the application’s runtime environment.
  • Runtime Instrumentation: It checks for agent-based monitoring and code instrumentation to ensure that vulnerabilities can be detected in real-time during runtime.
  • Code-Level Context: The scanner verifies the accuracy of stack trace analysis and vulnerability mapping within the source code context, crucial for providing precise alerts during development.
  • Real-Time Detection: It evaluates whether tools provide immediate feedback on detected vulnerabilities to facilitate swift remediation.
  • Development Integration: The scanner tests IDE integration and developer feedback mechanisms to ensure seamless workflow adjustments that enhance security practices throughout the software development lifecycle.

Inputs Required:

  • domain (string): A fully qualified domain name (e.g., acme.com) which is essential for testing against specific applications or websites.

Business Impact: The primary impact of this scanner lies in enhancing the security posture of interactive applications by ensuring that vulnerabilities are not only detected but also understood within their runtime context, thereby facilitating faster and more effective remediation strategies.

Risk Levels:

  • Critical: This risk level is triggered when there is a significant gap in IAST tool presence, instrumentation coverage, or real-time detection capabilities, leading to substantial blind spots that could be exploited by malicious actors.
  • High: Triggered when the scanner detects missing instrumentation, inadequate code context awareness, or delayed vulnerability detection, which can lead to high false positives and reduced security effectiveness.
  • Medium: Applies when there are gaps in tooling presence, incomplete real-time detection features, or insufficient integration with development environments, potentially compromising both runtime security and developer experience.
  • Low: Indicates minimal issues with IAST implementation, focusing on informational findings that might suggest areas for optimization rather than immediate vulnerabilities.
  • Info: Used for scenarios where the scanner identifies potential improvements in tooling disclosure, instrumentation methods, or context accuracy without necessarily indicating a critical vulnerability.

Example Findings:

  1. The application under test does not disclose any interactive analysis tools despite being advertised as supporting IAST.
  2. The runtime instrumentation is limited to basic monitoring, failing to provide detailed code-level insights into potential vulnerabilities.

This structured documentation provides a clear and comprehensive overview of the Interactive Application Security Testing Scanner’s purpose, detection capabilities, input requirements, business impact, risk levels, and possible findings, tailored for security professionals and stakeholders interested in enhancing application security through effective IAST implementations.

Manual Code Review

Section titled “Manual Code Review”

Purpose: The Manual Code Review Scanner is designed to analyze and assess the effectiveness of manual code review processes within organizations. It evaluates various aspects such as peer review processes, security expertise, review guidelines, coverage metrics, and security focus to identify potential gaps that may lead to inadequate handling of critical vulnerabilities and design flaws.

What It Detects:

  • Peer Review Process: The scanner tests for the presence of a formal code review process, including requirements, policies, approval gates, and detection of any missing or insufficient processes.
  • Security Expertise: It checks for the involvement of security professionals in reviews, identifying whether security champions are present and ensuring that general reviews do not dominate.
  • Review Guidelines: The scanner verifies the presence of specific security checklists and standards to ensure comprehensive review criteria are followed.
  • Coverage Metrics: It evaluates the tracking and reporting of code reviews to determine if there are any unreviewed sections or inadequate coverage metrics.
  • Security Focus: The scanner also assesses whether reviews are focused on identifying threats, vulnerabilities, and ensuring secure coding practices are adhered to.

Inputs Required:

  • domain (string): Fully qualified domain name (e.g., acme.com), which is essential for the scanner to analyze the relevant web pages and gather necessary information about the manual code review processes.

Business Impact: Poor manual review practices can significantly impact security posture by allowing vulnerable code to pass through undetected, missing critical threats assessment, and overlooking design flaws that could be exploited. This can lead to severe vulnerabilities being introduced into systems, posing significant risks to data integrity and availability.

Risk Levels:

  • Critical: The scanner flags a critical risk when there is no evidence of any review process, security expertise, or guidelines present during the analysis.
  • High: A high risk is indicated by incomplete coverage metrics or lack of focus on security aspects in reviews, which can lead to blind spots and undetected vulnerabilities.
  • Medium: Medium risk is assigned when there are gaps in the review process, insufficient involvement of security experts, or inadequate guidelines that could be improved with better practices.
  • Low: Low risk is present if all review processes, expertise, guidelines, metrics, and focus on security are adequately covered without significant gaps.
  • Info: Informational findings may include cases where generic guidelines exist without specific security content, which does not directly impact security but could be improved for better outcomes.

If the README doesn’t specify exact risk levels, infer them based on the scanner’s purpose and impact.

Example Findings:

  • “Review process disclosed: peer review, pull request review”
  • “Security expertise mentioned: security champion, appsec team”
  • “Review guidelines found: security checklist, secure coding standards”
  • “Manual code review effectiveness gap detected”

Static Analysis Effectiveness

Section titled “Static Analysis Effectiveness”

Purpose: The Static Analysis Effectiveness Scanner is designed to evaluate the effectiveness of static code analysis in identifying potential vulnerabilities within a software project. It assesses various aspects such as SAST tool presence, rule configuration, integration points with CI/CD pipelines, detection accuracy, and coverage indicators across different programming languages and frameworks.

What It Detects:

  • SAST Tool Presence: The scanner tests for the presence of static analysis tools like SonarQube, Checkmarx, Fortify, Veracode, Snyk, Semgrep, and CodeQL to ensure they are present and correctly configured within the software development environment.
  • Rule Configuration: It examines custom rules, framework-specific detection capabilities, language coverage, and default configurations to verify that all potential vulnerabilities are being identified by the static analysis tools.
  • Integration Points: The scanner checks for automated scanning processes integrated with CI/CD pipelines, security gates, and pre-commit hooks to ensure continuous monitoring of code quality and security throughout the development lifecycle.
  • Detection Accuracy: It evaluates the ability of the SAST tools to accurately identify vulnerabilities in the source code, track remediation efforts, and address persistent issues that may pose a risk when deployed into production environments.
  • Coverage Indicators: The scanner verifies the breadth of languages and frameworks supported by the static analysis tools, ensuring they cover critical areas of development such as Java, Python, JavaScript/TypeScript, C#, Ruby, PHP, and Go.

Inputs Required:

  • domain (string): A fully qualified domain name (e.g., acme.com), which is essential for querying the software’s web presence to detect SAST tools, rule configurations, integration points, coverage claims, and remediation evidence.

Business Impact: Poor static analysis can lead to significant security risks by allowing vulnerable code to be deployed without detection, missing critical patterns that could indicate vulnerabilities, causing alert fatigue due to high false positives, bypassing security gates through incomplete integrations, and failing to cover all relevant languages or frameworks. This directly impacts the integrity and security of software products, potentially leading to data breaches, system failures, and other adverse outcomes.

Risk Levels:

  • Critical: When there is a significant gap in SAST tool coverage, rule configuration completeness, integration with CI/CD pipelines, or detection accuracy that significantly compromises the ability to identify critical vulnerabilities before deployment.
  • High: When there are incomplete rule sets, missing integrations with security gates, or inadequate language/framework coverage which may lead to missed vulnerabilities and increased risk of exploitation.
  • Medium: When configurations are default-only, lacking custom rules or framework-specific detection, leading to partial or ineffective static analysis that fails to meet recommended standards for vulnerability management.
  • Low: When SAST tools are present, rule sets are comprehensive, integrations are automated, and coverage is complete, indicating a robust static analysis process with minimal risk of missing critical vulnerabilities.
  • Info: When there are no significant findings or gaps in the static analysis effectiveness, generally indicating a well-configured and functioning static analysis setup that aligns with security best practices.

Example Findings:

  1. The scanner identifies that the deployed SAST tool is absent, leading to potential exposure of undetected vulnerabilities in the software code.
  2. A critical rule set for detecting SQL injection flaws within the application is missing from the configuration, which could lead to significant security risks if exploited by malicious actors.