Faster, better, stronger application security for developers in the IDE

Steven Zimmerman

Oct 10, 2024 / 6 min read

Time’s up. The shot clock’s run out. The egg timer’s ringing. For all you developers out there, this means you need to start upping your game by writing secure code and patching open source vulnerabilities in your projects. For all you AppSec folks out there, this means you need to help developers do this quickly and easily so you don’t derail software shipping deadlines. I maintain that the best way to do this is at the developer desktop, with the Black Duck® Code Sight™ IDE plugin.

For years, Code Sight has given developers clear visibility into low-quality source code and vulnerable open source components within their project files, and instant access to fix recommendations to resolve issues before pushing code. Now, in the Code Sight 2024.9.0 release, Black Duck makes it easier for developers to

  • Customize the security scans that are best suited to their project
  • Prioritize new issues brought in by recent code changes
  • Close feedback loops with security teams—all without leaving the IDE

The 2024.9.0 release for Code Sight rolls these enhancements out to VS Code users, with expansion to Visual Studio, IntelliJ, and Eclipse in the coming weeks. Let’s examine these enhancements so you can hop in and start writing more-secure software quickly.


Faster scan configuration for any situation

Code Sight 2024.9.0 introduces a game-changing feature that lets you create and save scan configurations suitable for any task or project. That means whenever you modify a project file, you can quickly run the most appropriate security scan that balances coverage with speed. For example:

  • If you only modified source code, pick a SAST-only scan associated with an existing project on Black Duck Polaris™ Platform servers.
  • If you only updated open source libraries, opt for an SCA-only scan.
  • If you need a comprehensive scan before the end of a sprint, run both SAST and SCA.
  • If you’re disconnected from the internet (say, on the beach with a tiny umbrella drink), run a local Black Duck Rapid Scan.

You can also add or delete scan configurations without leaving the IDE. Start by adding or modifying a scan type, which will automatically display configuration options based on the scan engines selected in the Local View pane within the IDE. Available options depend on whether your organization uses Polaris, Coverity® Static Analysis, Black Duck® SCA, or Rapid Scan with Code Sight.

Next, name your scan configuration and point it to the project location. In this example, I indicate the project on the Polaris server where scan results should be catalogued. Then select the assessment type(s) you’d like to include in the configuration and apply your changes. Optional advanced settings depend on the available scan engine and product capabilities and can, for example, include build, clean, and other commands.

When performing a scan, developers can choose their preferred scan configuration for the changes or the project.

Once you create a scan template, you can check in the configuration file with your code and share it with your team. This supports a critical need for team leads and distributed organizations to maintain a standard for secure coding.

Better risk triage that spans project branches

You can use Code Sight’s local Rapid Scan or Coverity engines in your custom configurations to analyze source code and open source dependencies, but there are far greater capabilities when you connect the plugin to Polaris servers. This is because Black Duck’s hosted, as-a-service Polaris platform maintains project branches and scan results, allowing Code Sight 2024.9.0 (and later versions) to compare results across branches and project versions.

You might consider this a “differential” comparison or a “delta” scan, but whichever moniker you prefer, Code Sight makes it easier to prioritize your secure development efforts as you modify projects. In the screenshot below, I’ve modified my “Test Application” project and I’ve run a manual scan using Polaris.

A screenshot demonstrating the view options in Code Sight

Currently, all results are displayed, which can be a little overwhelming if you’re trying to see if any new issues were introduced. So let’s compare it against the “Test Project 4” main branch.

Now you can quickly see all the issues currently present in the project, those that have been fixed between the earlier version (main branch, in this case) and the current modified file (noted as Absent and colored green), and those that have been inadvertently added (noted as New and colored red).

Armed with this information, you can help reduce the burden on downstream AppSec tests and issue triage by addressing new issues using Code Sight’s built-in fix guidance.

Stronger alignment between security and development

It’s quite important, as a developer, to do everything possible to write secure code and prevent risks that may manifest in downstream builds and release artifacts. Security teams can only do so much with perimeter defenses to stop an attacker who has exploited a weakness or an insecure third-party dependency resolved into a project. Running real-time scans in the IDE with Code Sight and Polaris is a great approach because it enables AppSec teams to review the security risk posture of any given project branch, even when the scan was triggered at the developer desktop within the IDE.

Code Sight 2024.9.0 introduces the ability to automatically create a new branch for an existing, connected project in Polaris, so AppSec teams never lose sight of the current risk status of an application—even when a pipeline-based scan hasn’t yet been triggered. As shown in the screenshot below, my activity in VS Code has created a new branch in Polaris, complete with severity-ranked issues and all the information a security team needs to prioritize things to fix.

The AppSec team can dig deeper into the issues, triage them, and accomplish other requirements in support of software security and regulatory compliance.

Developers fix faster with security scans in the IDE

With version 2024.9.0, Code Sight elevates the standard for secure software development in support of DevSecOps. Developers play a crucial role in fixing and avoiding security issues that can put valuable company assets, or sensitive customer data, at risk. Development teams can use Code Sight as a grass-roots initiative to avoid costly, late-stage rework, and AppSec teams using any one of Black Duck’s application security testing solutions can extend the benefits of pipeline scans with Coverity SAST and Polaris to the developer IDE.

- This blog post was reviewed by Shandra Gemmiti.
