How to do Static Code Analysis for Better Security
Working at Hootsuite has helped enforce one ideal: security matters. In Hootsuite's continuous integration and deployment environment, our developers take security to heart, and this is reflected in our code base. Working hand-in-hand with our developers, the security team strives to improve by staying up to date and evolving with the latest practices. As part of our commitment to staying relevant, we continuously look for tools that may simplify or remove our pain points. One of these pain points is managing the large amount of code flowing through the pipeline and ensuring that it meets our security standards: with thousands of lines of code coming through every day, how do we guarantee those standards are met?
Security is now a thing in Static Code Analysis
Enter Static Code Analysis, which allows users to identify bugs in code without execution. Within this technology, one of the emerging branches is security analysis tools. The ability to check code for security vulnerabilities pre-execution allows both our developers and security team to spot issues that may have otherwise slipped through the cracks. While this does not remove the need for pentesting, it serves as a sanity check for our Scala builds and increases the visibility of potential issues.
How we wove Static Analysis into Continuous Deployment
The tool we implement must integrate with our current pipeline with minimal impact on developers. With that in mind, we approached this by trying to reduce both the code footprint added and the number of extra steps needed in a build.
As seen below, adding 6 lines of code will enable the tool’s functionality:
In our current phase, the finished package is configured to notify a Hipchat room after each run. This Hipchat integration is done by modifying the FindBugs Jenkins plugin.
Building on an Open Source Foundation
Built on top of the popular FindBugs plugin for Java, the security analysis plugin Find-Sec-Bugs is developed by Philippe Arteau. Originally, Find-Sec-Bugs reported a relatively high rate of detection errors, but as of Q4 2015 stronger data-flow and taint analysis was added to improve accuracy. Scala analysis is a relatively new addition to the package and is still under active development.
To use FindBugs in our pipeline, findbugs4sbt, developed by Joachim Hofer, performs the actual analysis. As of writing this post, findbugs4sbt does not have native support for external plugins, so we are using a workaround.
Integration with Hipchat requires some modifications to the existing Jenkins FindBugs report aggregator. Using Hipchat's REST API v2, we were able to post summarized findings from each build to a Hipchat room of our choice.
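As an added illustration (not code from this post or from Hootsuite's modified Jenkins plugin), the same summarize-and-notify step written as a stand-alone Python script: it reads a FindBugs XML report, counts the SECURITY-category findings that Find-Sec-Bugs emits, and builds the body of a Hipchat REST API v2 room notification. The report below is a constructed sample, and the server URL, room and token in `post_notification` are placeholders the caller supplies.

```python
import json
import urllib.request
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of a FindBugs XML report (real reports are much larger).
# Find-Sec-Bugs detectors report with category="SECURITY"; priority 1 is highest.
SAMPLE_REPORT = """<BugCollection version="3.0.1">
  <BugInstance type="SQL_INJECTION_JDBC" priority="1" category="SECURITY">
    <Class classname="com.example.UserDao"/>
    <SourceLine start="42" end="42" sourcefile="UserDao.scala"/>
  </BugInstance>
  <BugInstance type="WEAK_MESSAGE_DIGEST_MD5" priority="2" category="SECURITY">
    <Class classname="com.example.Hasher"/>
    <SourceLine start="17" end="17" sourcefile="Hasher.scala"/>
  </BugInstance>
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="2" category="CORRECTNESS">
    <Class classname="com.example.Util"/>
  </BugInstance>
</BugCollection>"""


def summarize_security_bugs(xml_text):
    """Count SECURITY findings per bug type and record the most severe priority."""
    counts = Counter()
    worst = None  # lowest numeric priority seen (1 = highest severity)
    for bug in ET.fromstring(xml_text).iter("BugInstance"):
        if bug.get("category") != "SECURITY":
            continue  # ordinary FindBugs findings are reported elsewhere
        counts[bug.get("type")] += 1
        prio = int(bug.get("priority", "3"))
        worst = prio if worst is None or prio < worst else worst
    return {"total": sum(counts.values()), "by_type": dict(counts), "worst_priority": worst}


def hipchat_payload(summary, job_name):
    """Build the JSON body for POST /v2/room/{room}/notification (Hipchat API v2)."""
    if summary["total"] == 0:
        color, text = "green", f"{job_name}: no security findings"
    else:
        color = "red" if summary["worst_priority"] == 1 else "yellow"
        detail = ", ".join(f"{t} x{n}" for t, n in sorted(summary["by_type"].items()))
        text = f"{job_name}: {summary['total']} security finding(s) - {detail}"
    # notify=True makes the room ping its members; reserve it for priority-1 findings
    return {"color": color, "message": text, "notify": color == "red", "message_format": "text"}


def post_notification(base_url, room, token, payload):
    """Send the notification; base_url, room and token are deployment-specific placeholders."""
    req = urllib.request.Request(f"{base_url}/v2/room/{room}/notification",
                                 data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

In a Jenkins job this would run after the findbugs4sbt task, pointed at the generated report file instead of the inline sample.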
After all these moving parts have been put together, the output looks like this:
Security-focused static code analysis is actively being developed and is gaining support and momentum. While it saves users time and gives developers and security team members an initial safety check, it adds time to the overall pipeline, which must be accounted for.
About the Author
Dominic is a 2016 Winter co-op Security Developer on the Security and Compliance team. He spends his spare time crawling through news feeds, Reddit, and playing copious amounts of video games. Disconnected from the IOT, his hobbies include racquet sports, inline skating, and solving puzzles.