Code Sight Standard Edition: Application Security Optimized for Developer Needs

Code Sight Standard Edition helps developers find and fix security issues while they code, without switching tools or interrupting their workflow.

As the pace and complexity of software development increase, organizations are looking for ways to improve the performance and efficiency of their application security testing, including “shifting left” by integrating security testing directly into developer tools and workflows. It makes a lot of sense. Faults, including security flaws, can usually be dealt with more quickly and cost-effectively if detected early, whereas problems found during downstream testing or in production lead to costly and disruptive rework.

But most developers are not security experts, and tools optimized for the needs of security teams may be too complex and disruptive for developers to adopt. To make matters worse, these solutions often require developers to leave their integrated development environment (IDE) to analyze issues and determine potential fixes. All of these tools and context switches kill developer productivity. So even though teams recognize the benefit of checking their code and open source dependencies for security issues, they avoid using the security tools provided to them because of the resulting drop in productivity.

Introducing Code Sight Standard Edition

In response to these issues, Synopsys developed Code Sight™, and today we are proud to announce the availability of Code Sight Standard Edition (SE). Code Sight SE is a standalone version of the Code Sight IDE plugin that works independently of application security testing (AST) tools such as Coverity® and Black Duck®, which are integrated into continuous integration (CI) build and test workflows. Code Sight SE provides fast and lightweight application security analysis of source code and open source dependencies in the IDE using Rapid Scan Static and Rapid Scan SCA. Developers don’t need to be security experts; Code Sight SE gives them easy-to-understand defect descriptions along with severity data and remediation guidance so they can fix defects as quickly as possible. It is optimized to perform security scans on large files and projects in seconds with minimal system impact. And while developers don’t need to deploy centralized static application security testing (SAST) or software composition analysis (SCA) to use Code Sight SE, it helps teams get the most out of centralized analysis when used in conjunction with tools like Coverity and Black Duck (as well as tools from other vendors).

Code Sight SE is an IDE-based application security solution that helps developers find and fix security issues while they code, without switching tools or interrupting their workflow.

Optimized Security Scanning for Developer Needs

Code Sight SE is easy to use and helps developers write better, more secure code. It also helps them avoid rework, thereby increasing their productivity. With an intuitive IDE extension user interface, installing Code Sight SE takes just minutes, so developers can quickly get to work analyzing and fixing code. The auto-scan feature raises alerts whenever files are opened, saved, or modified. Code Sight SE also helps developers write better code by alerting them to issues in source code, open source dependencies, API calls, cryptography, infrastructure as code (IaC), and more. And it provides clear and precise remediation guidance right in the IDE, so developers can resolve issues before checking in their code.

Search for security vulnerabilities in the source code

Developers need an easy-to-use static analysis tool that doesn’t generate noisy false positives and provides guidance for resolving issues quickly. Code Sight SE’s built-in Rapid Scan Static analysis does all of this. It automatically scans and analyzes source code and IaC files while developers work, checking for security vulnerabilities, API security issues, and hard-coded secrets in source code, IaC templates, and configuration files.

When Code Sight SE detects a problem, it highlights it directly in the editor window for easy identification. Hovering over a highlighted line of code displays details, including the problem description and remediation tips. Developers never have to leave the IDE: Code Sight SE provides step-by-step guidance to speed resolution, and many issues can be resolved automatically.

Figure 1: SAST issues detected by Code Sight SE’s built-in Rapid Scan Static analysis are highlighted in the editor window.

Figure 2: Hovering over a line of code displays more details, including the problem description and troubleshooting tips.
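To make concrete what a lightweight hard-coded-secret check in an IDE does, here is an added example written for this page; it is not Synopsys code and says nothing about how Rapid Scan Static is implemented. It runs a handful of pattern rules over a file's lines, suppresses values that are variable or secret-store references rather than literals (the main source of false positives in this class of check), and returns one finding per line with a severity and the remediation hint a hover would show. The rule names, both sample files, and every value in them are constructed for the demonstration; the AWS access key ID format and the CloudFormation `{{resolve:...}}` syntax are real.

```javascript
// Added illustrative example (not Synopsys code): a minimal hard-coded-secret
// check of the kind an IDE quick scan runs on save. Rule names, sample files
// and values are constructed for the demonstration.

// Each rule: an id, a regex, a severity band, and the guidance shown on hover.
const SECRET_RULES = [
  {
    id: 'aws-access-key-id',
    // AWS access key IDs are 20 characters and begin with "AKIA".
    pattern: /\bAKIA[0-9A-Z]{16}\b/,
    severity: 'high',
    guidance: 'Remove and rotate the key; supply credentials via the environment or a secrets manager.',
  },
  {
    id: 'private-key-block',
    pattern: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/,
    severity: 'high',
    guidance: 'Do not commit private keys; load them from a protected path or secret store at runtime.',
  },
  {
    id: 'hardcoded-credential',
    // credential-like key, then = or :, then a literal value; group 1 is the value.
    pattern: /\b[\w-]*(?:password|passwd|secret|api[_-]?key|token|access[_-]?key|secret[_-]?key)\b\s*[:=]\s*["']?([^"'\s]{8,})["']?/i,
    severity: 'medium',
    guidance: 'Replace the literal with a variable or secret-store reference resolved at deploy time.',
  },
];

// Values that are references, not literals, and must not be reported: Terraform
// ${var.x} / var.x / local.x / module.x / data.x, shell-style $VAR, CloudFormation
// !Ref / !Sub and {{resolve:...}} dynamic references, Helm {{ .Values.x }}.
const REFERENCE_VALUE = /^(?:\$\{|\$\w|!Ref\b|!Sub\b|\{\{|var\.|local\.|module\.|data\.)/;

// Scan one file's text; returns at most one finding per offending line.
function scanForSecrets(text, fileName) {
  const findings = [];
  text.split('\n').forEach((lineText, idx) => {
    for (const rule of SECRET_RULES) {
      const m = rule.pattern.exec(lineText);
      if (!m) continue;
      // A key/value rule that captured a reference rather than a literal is a false positive.
      if (m[1] !== undefined && REFERENCE_VALUE.test(m[1])) continue;
      findings.push({
        file: fileName,
        line: idx + 1,
        ruleId: rule.id,
        severity: rule.severity,
        snippet: lineText.trim(),
        guidance: rule.guidance,
      });
      break; // one highlight per line is enough in the editor
    }
  });
  return findings;
}

// Constructed Terraform: lines 3 and 11 are references (clean); 6, 7 and 10 leak literals.
// "AKIAIOSFODNN7EXAMPLE" is the example key ID from AWS documentation, not a real key.
const SAMPLE_TF = [
  'resource "aws_db_instance" "app" {',
  '  username = "app"',
  '  password = var.db_password',
  '}',
  'provider "aws" {',
  '  access_key = "AKIAIOSFODNN7EXAMPLE"',
  '  secret_key = "not-a-real-secret-0000"',
  '}',
  'locals {',
  '  admin_password = "hunter2hunter2"',
  '  api_token = "${var.api_token}"',
  '}',
].join('\n');

// Constructed CloudFormation: line 5 uses a dynamic reference (clean); line 11 embeds a key.
const SAMPLE_CFN = [
  'Resources:',
  '  Db:',
  '    Type: AWS::RDS::DBInstance',
  '    Properties:',
  '      MasterUserPassword: "{{resolve:secretsmanager:prod/db:SecretString:password}}"',
  '      MasterUsername: admin',
  '  DeployKey:',
  '    Type: AWS::SSM::Parameter',
  '    Properties:',
  '      Value: |',
  '        -----BEGIN RSA PRIVATE KEY-----',
].join('\n');

// Render findings the way an editor hover would present them.
function formatFindings(findings) {
  return findings.map(
    (f) => `${f.file}:${f.line} [${f.severity}] ${f.ruleId}: ${f.snippet}\n    fix: ${f.guidance}`,
  );
}

console.log(formatFindings(scanForSecrets(SAMPLE_TF, 'main.tf')).join('\n'));
console.log(formatFindings(scanForSecrets(SAMPLE_CFN, 'template.yaml')).join('\n'));
```

The reference allow-list is the part worth attention in practice: without it, every `password = var.db_password` in a Terraform module is flagged, and developers learn to ignore the tool. Real scanners add entropy checks and per-provider token formats on top of patterns like these.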

Identification of vulnerable open source dependencies

Code Sight SE doesn’t just analyze the code your developers write. It also provides Rapid Scan SCA, a fast software composition scanning engine that lets developers run frequent scans to identify vulnerabilities in direct and transitive open source dependencies. When developers run a scan, they can view the vulnerability description and ID (CVE and/or Black Duck Security Advisory) directly in the IDE. They also get severity information based on the CVSS score, so they can quickly prioritize which issues to fix first. And as with Rapid Scan Static, Rapid Scan SCA offers remediation guidance to help developers select the next available version of the component that has no known vulnerability or only low risk.

Figure 3: Integrated Code Sight SE Rapid Scan SCA results highlighted in the editor window.

Figure 4: The vulnerability description and ID (CVE and/or Black Duck Security Advisory) can be viewed directly in the IDE.
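The paragraph above describes three steps of an SCA check: match each resolved dependency (direct or transitive) against advisory version ranges, rank the hits by CVSS, and recommend the nearest upgrade that carries no known advisory. The following added example works those steps through on constructed data; it is not Synopsys code and does not reflect how Rapid Scan SCA or Black Duck perform the matching. The package names, versions, registry listing, and advisory records (with `EXAMPLE-ADV-*` placeholder IDs) are all invented for the demonstration; the CVSS v3 severity bands are the real ones.

```javascript
// Added illustrative example (not Synopsys code): the core of an SCA check.
// It matches resolved direct and transitive dependencies against advisory
// version ranges, ranks them by CVSS, and picks the nearest clean upgrade.
// Package names, versions and advisory IDs are constructed placeholders.

// Resolved dependency tree, as a lockfile would give it (constructed).
const RESOLVED = [
  { name: 'web-framework', version: '4.17.1', path: ['web-framework'] },
  { name: 'qs-parser', version: '6.5.2', path: ['web-framework', 'qs-parser'] }, // transitive
  { name: 'yaml-loader', version: '1.9.0', path: ['yaml-loader'] },
];

// Advisory data (constructed; IDs are placeholders, not real CVEs).
// "affected" is the half-open range [from, below).
const ADVISORIES = [
  { id: 'EXAMPLE-ADV-001', name: 'qs-parser', affected: { from: '6.0.0', below: '6.5.3' }, cvss: 7.5 },
  { id: 'EXAMPLE-ADV-002', name: 'qs-parser', affected: { from: '6.5.3', below: '6.9.7' }, cvss: 5.3 },
  { id: 'EXAMPLE-ADV-003', name: 'yaml-loader', affected: { from: '0.0.0', below: '2.0.0' }, cvss: 9.8 },
];

// Versions the registry offers for each package (constructed).
const AVAILABLE = {
  'web-framework': ['4.17.1', '4.18.0'],
  'qs-parser': ['6.5.2', '6.5.3', '6.9.6', '6.9.7', '7.0.0'],
  'yaml-loader': ['1.9.0', '2.0.0', '2.1.1'],
};

// Numeric major.minor.patch comparison (sufficient here; real SCA uses full semver).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function isAffected(version, range) {
  return compareVersions(version, range.from) >= 0 && compareVersions(version, range.below) < 0;
}

// CVSS v3 qualitative severity bands.
function cvssRating(score) {
  if (score >= 9.0) return 'Critical';
  if (score >= 7.0) return 'High';
  if (score >= 4.0) return 'Medium';
  if (score >= 0.1) return 'Low';
  return 'None';
}

function advisoriesFor(name, version) {
  return ADVISORIES.filter((a) => a.name === name && isAffected(version, a.affected));
}

// Lowest available version above the current one with no known advisories, or null.
// Note that 6.5.3 fixes ADV-001 but falls inside ADV-002, so 6.9.7 is the first clean choice.
function recommendUpgrade(name, version) {
  const candidates = (AVAILABLE[name] || [])
    .filter((v) => compareVersions(v, version) > 0)
    .sort(compareVersions);
  return candidates.find((v) => advisoriesFor(name, v).length === 0) || null;
}

// Build the report an IDE panel would show, worst CVSS first.
function auditDependencies(resolved) {
  const report = [];
  for (const dep of resolved) {
    const hits = advisoriesFor(dep.name, dep.version);
    if (hits.length === 0) continue;
    const maxCvss = Math.max(...hits.map((a) => a.cvss));
    report.push({
      name: dep.name,
      version: dep.version,
      direct: dep.path.length === 1,
      path: dep.path.join(' > '),
      advisories: hits.map((a) => a.id),
      cvss: maxCvss,
      rating: cvssRating(maxCvss),
      recommended: recommendUpgrade(dep.name, dep.version),
    });
  }
  return report.sort((x, y) => y.cvss - x.cvss);
}

for (const r of auditDependencies(RESOLVED)) {
  const how = r.direct ? 'bump the dependency' : `update or override via ${r.path}`;
  console.log(`${r.rating} (${r.cvss}) ${r.name}@${r.version}: ${r.advisories.join(', ')} -> ${r.recommended || 'no fix yet'}; ${how}`);
}
```

Two details carry over to real tooling: the transitive hit is reported with its dependency path, because the developer cannot bump `qs-parser` directly and must update the parent or pin an override; and the recommendation is the lowest clean version, not simply the next release, since the next release may sit inside another advisory's range.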

The integration of SAST and SCA into the IDE is what makes Code Sight SE unique and powerful. Let’s face it: as a developer, you want to make sure your software is both secure and bug-free. It doesn’t matter if a security flaw is in your code or in an open source dependency. Either way, you need to fix it. Using one tool to analyze your code and a separate tool to review open source is a pain. With Code Sight SE, you can comprehensively manage security across the entire application code base.

Code Sight SE is available for the Visual Studio Code IDE with support for Java, JavaScript, and TypeScript. Supported package managers include Maven and npm, and supported IaC platforms include AWS CloudFormation, ELK, Helm, Kubernetes, and Terraform. Supported file formats include HCL (Terraform), HTML, JSON, JSX, Properties, TOML, TSX, Vue, XML, and YAML. Additional language and IDE support is available when using the Code Sight IDE plug-in for Coverity SAST or Black Duck SCA.

Learn more about Code Sight SE
