While we have been focusing on reducing false positives in vulnerability detection, my IEEE S&P'24 paper, in collaboration with Kevin Moran, Denys Poshyvanyk, and Adwait Nadkarni, shows the contrary: developers would rather have more false positives if the tool finds the vulnerabilities. FNs are of more concern to them. Key insights below:
1. While we found several insights that match existing literature, e.g., "Select situations can lead to the de-prioritization of software security," the rest challenge existing literature, identifying challenges that need attention from practitioners, SAST developers, and researchers.
2. For example, "Developer Happiness is Key" is the primary design goal of program analysis tools, thus focusing on reducing false positives in general. However, participants strongly favor reducing false negatives because "that one is going to kill you".
Further key insights and the full paper are available below:
#ieeessp #sp #security #sast #study #stem #wm
I've had my first :github: CodeQL query merged into the experimental section of the official CodeQL rules!
https://lnkd.in/dk_tTiQZ (and a "local" variant, https://lnkd.in/dP88QJwa).
That's query IDs java/command-line-injection-extra and java/command-line-injection-extra-local.
They spot something the existing :java: command injection query does, but in a way that's more robust to unusual code.
It’s an edge case, but one that was important to a customer.
#CodeQL #sast #java #commandinjection
In this video, in under 20 minutes ⏱️, I walk you through configuring Microsoft Defender for DevOps with Azure DevOps.
#azuredevops #devsecops #sast #defenderforcloud #defenderfordevops
I've wrapped up SpotBugs/FindSecBugs in a bow 🎁 in a GitHub Action, so you can use it in GitHub Code Scanning - free for open source projects, and also available for paid users of GitHub Advanced Security.
SpotBugs and FindSecBugs work with JVM languages - Scala, Java, and Clojure, mainly.
https://github.com/marketplace/actions/spotbugs-with-findsecbugs
Point it at the results of the build, and go.
#GitHub #SAST #Scala #JVM #Clojure #Java #CodeSecurity #SpotBugs #FindSecBugs #DevSecOps #SDLC
@ovid and other Perl :perl: mongers. What, if anything, do you use for code security?
I know that using taint gets you far, but SAST is mostly what I’m thinking (especially for legacy code without taint). Any tips?
Does Perl::Critic do a decent job, and is there a list of what its security policy and 3rd party plug-ins cover?
Other OS SAST I found are: https://github.com/htrgouvea/zarn and this grep-based one: https://github.com/wireghoul/graudit
Are they OK?
#sast #perl #appsec #codesecurity #perlcritic
Just published: some quick competitive analysis about @hashicorp's acquisition of #blubracket.
Upshot: potentially sets the stage for increased competition between #HashiCorp #Vault and #Microsoft Defender, #GitHub and existing #SAST / #containersecurity tools.
#DevSecOps #secretsscanning #secretsmanagement #cybersecurity #appsec #applicationsecurity #cloud
https://www.techtarget.com/searchitoperations/news/366542881/HashiCorp-Vault-to-expand-in-DevSecOps-with-BluBracket-buy
My latest: A new #DevSecOps service links #AWS security code scanning to third-party pipeline tools, potentially a shot at GitHub Copilot that increases overlap with AWS SAST partners.
#AWSreInforce #SAST #cybersecurity #AWSCodeWhisperer #AWSCodeGuru https://www.techtarget.com/searchitoperations/news/366541719/AWS-shuffles-DevSecOps-deck-with-CodeGuru-Security-SAST
Swift support brings broader mobile application security to GitHub Advanced Security
Check it out! 👇
https://github.blog/2023-06-06-swift-support-brings-broader-mobile-application-security-to-github-advanced-security/
#Sast #MobileApplicationSecurity #GithubAdvancedSecurity #Codeql #CodeScanning #Security
I’ve just released attempt 2 at a workaround for monorepos with :github: Advanced Security Code Scanning results, to let you filter by project 🚀
My last try didn’t work out, but I’ve taken a new tack ⛵️ and come back with a new ✨ way…
https://github.com/advanced-security/monorepo-filtering-workaround
The sample Actions workflow I’ve shown works for CodeQL, but you can apply the same idea to any Code Scanning integration.
#GitHub #SAST #GitHubAdvancedSecurity #MonoRepo #DevSecOps #SecureCoding
return(GiS); | Scan a GitHub repository with Snyk and integrate it with GitHub Advanced Security | https://www.returngis.net/2023/05/escanear-repositorios-en-github-con-snyk-e-integrarlo-con-github-advanced-security/ #snyk @snyksec #docker #iac #terraform @GHSecurityLab #githubactions #returngis #security #sast #vulnerabilities
Manage your application security stack effectively with the tool status page
Check it out! 👇
https://github.blog/2023-05-04-manage-your-application-security-stack-effectively-with-the-tool-status-page/
#Sast #GithubAdvancedSecurity #Codeql #CodeScanning #Security
I've opensourced Actions/scripts to enhance #GitHub Code Scanning
🔖 tag-sarif: for filtering results in a #monorepo
🧭 remap-sarif: for scanning code that transpiles to #JavaScript
tag-sarif attaches custom tags to results to allow filtering in the Code Scanning UI
remap-sarif lets you scan languages/frameworks, such as Dart/Next.js, using Source Maps
Source:
https://lnkd.in/dZerNsGs
https://lnkd.in/dvmruWDJ
#github #monorepo #javascript #sast #devsecops #appsec
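The monorepo-filtering and tag-sarif posts above both come down to rewriting a SARIF log so that Code Scanning can tell projects apart. The script below is an added illustration of that idea and is not the code of either tool: it splits one SARIF run into one log per top-level directory and stamps every rule in each split with a project tag. The "first path component is the project" rule, the `monorepo/` tag prefix, and the sample SARIF log are my assumptions, constructed for the example.

```python
"""Split a monorepo SARIF log into per-project logs, tagging rules by project.

Added illustration, not the tag-sarif / monorepo-filtering-workaround code.
Assumptions (mine): a project is the first path component of a result's first
physical location; the tag prefix "monorepo/" is an arbitrary convention.
"""
import copy
import json
import sys

TAG_PREFIX = "monorepo/"  # assumed convention, not from the posts

# Constructed sample SARIF 2.1.0 log: three results across two projects,
# two of them sharing one rule.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",
            "rules": [
                {"id": "js/path-injection", "properties": {"tags": ["security"]}},
                {"id": "js/unused-var"},
            ],
        }},
        "results": [
            {"ruleId": "js/path-injection", "ruleIndex": 0,
             "message": {"text": "Path built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "api/src/files.js"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "js/path-injection", "ruleIndex": 0,
             "message": {"text": "Path built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "web/pages/download.js"},
                 "region": {"startLine": 40}}}]},
            {"ruleId": "js/unused-var", "ruleIndex": 1,
             "message": {"text": "Unused variable"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "web/lib/util.js"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
}


def project_of(result):
    """First path component of the result's first location; None for root files."""
    try:
        uri = result["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
    except (KeyError, IndexError):
        return None
    parts = [p for p in uri.lstrip("./").split("/") if p]
    return parts[0] if len(parts) > 1 else None


def split_sarif_by_project(sarif):
    """Return {project: sarif_log}; each log holds only that project's results.

    Rules are copied and re-indexed per split so ruleIndex stays valid, and
    every copied rule gets TAG_PREFIX + project appended to properties.tags.
    """
    out = {}
    for run in sarif.get("runs", []):
        rules = run["tool"]["driver"].get("rules", [])
        grouped = {}
        for result in run.get("results", []):
            grouped.setdefault(project_of(result) or "_root", []).append(result)
        for project, results in grouped.items():
            tag, new_rules, index_of, new_results = TAG_PREFIX + project, [], {}, []
            for result in results:
                r = copy.deepcopy(result)
                # Resolve the rule via ruleIndex when present, else by ruleId.
                if 0 <= r.get("ruleIndex", -1) < len(rules):
                    src = rules[r["ruleIndex"]]
                else:
                    src = next((x for x in rules if x.get("id") == r.get("ruleId")), None)
                if src is None:
                    r.pop("ruleIndex", None)  # keep the result, drop the dangling index
                else:
                    if src["id"] not in index_of:
                        rule = copy.deepcopy(src)
                        tags = rule.setdefault("properties", {}).setdefault("tags", [])
                        if tag not in tags:
                            tags.append(tag)
                        index_of[src["id"]] = len(new_rules)
                        new_rules.append(rule)
                    r["ruleId"], r["ruleIndex"] = src["id"], index_of[src["id"]]
                new_results.append(r)
            new_run = copy.deepcopy(run)
            new_run["tool"]["driver"]["rules"] = new_rules
            new_run["results"] = new_results
            log = out.setdefault(project, {k: v for k, v in sarif.items() if k != "runs"})
            log.setdefault("runs", []).append(new_run)
    return out


if __name__ == "__main__":
    # Usage: python split_sarif.py results.sarif  (defaults to the sample log)
    log = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    for project, split in split_sarif_by_project(log).items():
        with open(f"{project}.sarif", "w") as fh:
            json.dump(split, fh, indent=2)
```

Each output file can then be uploaded as its own Code Scanning analysis, and the rule tag gives the UI something per-project to filter on; whether a tag on the rule or on the result is what a given UI keys on is an assumption here, so check against the posts' tools before relying on it.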
Multi-repository enablement: effortlessly scale code scanning across your repositories
Check it out! 👇
https://github.blog/2023-04-17-multi-repository-enablement-effortlessly-scale-code-scanning-across-your-repositories/
#securityoverview #sast #codeql #codescanning #security
:github: is looking for #Swift #opensource projects to try out the upcoming Swift support in #GitHub code scanning.
Sign up here:
https://github.com/github/codeql/discussions/12522
You’ll be able to get access to the new CodeQL-powered static source code analysis before it ships to everyone else.
#SwiftLang #IOSdev #SAST #SecureCoding #DevSecOps #CodeQL #BetaTesting #PrivateBeta #MobileDev
I open sourced a tool to create lists of repos to run GitHub CodeQL’s Multi-Repository Variant Analysis on, using a keyword search on GitHub.
It's a Bash script you can trigger with a VSCode build task. It uses the GitHub API (via the GitHub CLI) to fill a list in the VSCode settings.
It’s a stopgap before this sort of feature makes it into the product.
https://github.com/advanced-security/mrva-code-search
#MRVA #VariantAnalysis #CodeQL #GitHub #VSCode #BuildTask #SAST #VulnerabilityResearch
You can now run a single static analysis query across thousands of repos on GitHub using CodeQL's MRVA (Multi-repo Variant Analysis).
That's great both for security research and rapidly auditing exposure to a single vuln or weakness for security teams.
It works from the CodeQL extension for VSCode, with open source public repos & private repos where CodeQL Code Scanning is enabled.
#GitHub #SecurityResearch #VulnerabilityResearch #CodeQL #VariantAnalysis #MRVA #SAST
The open source #sast security tool I’ve been working on finally made it to v1. Check it out if you use #javascript or #ruby; there's a long way to go, but it's already quite cool! https://github.com/bearer/bearer
For those working in Australian #cybersecurity, there is a new March 2023 drop of the ISM. It spells out the requirement for #SAST and DAST and compliance with even more @owasp guidance. I like the call-out of authorisation in the API security section for IDOR prevention. #appsec