By raising OWASP Top 10-related issues to developers early in the process, SonarQube helps you protect your systems, your data and your users.
Accurate results keep developers engaged
The key to developer-led security is keeping developers engaged by providing accurate results. We have a two-pronged approach.
Security Hotspots are uses of security sensitive code. They might be okay, but human review is required to know for sure.
As developers code and interact with Security Hotspots, they learn to evaluate security risks while learning more about secure coding practices.
Developer engagement strategy: If every call in sports were obvious, you wouldn't need referees. Similarly, there is a class of security issues - Security Hotspots - that requires human wisdom to make the call. By segregating Security Hotspots from true Vulnerabilities, we set developers' expectations going in, and maintain their confidence in the analysis.
The tailored Security Hotspot Review interface helps remind developers that they're looking at "close call" situations and guides them in making informed decisions.
Security Vulnerabilities require immediate action. SonarQube provides detailed issue descriptions and code highlights that explain why your code is at risk.
Just follow the guidance, check in a fix and secure your application.
Developer engagement strategy: We actively monitor for false positives and respond vigorously, fixing them in the next release. When we raise a Vulnerability issue on your code, you know for sure there's something to fix.
We believe in empowering developers to own Code Security
Application security starts in the code; SonarQube helps you own it.
Get early SAST feedback and a guided developer experience
SAST analysis of Pull Requests helps empower developers by shifting security left and presenting Security Vulnerabilities as early as possible in your process - when the code is fresh in mind and the fix is still easy.
The issue visualizer is crafted for clarity so developers easily understand the problem flow across methods and from file to file.
In-app guidance helps developers really understand the problem so they can craft the most secure fix.
Use taint analysis to chase down the bad actors
Application security comes from making sure that data is sanitized before hitting critical system parts (Database, File System, OS, etc.)
Taint analysis - it's the ability to track untrusted user input throughout the execution flow from the vulnerability source to the code location (‘sink’) where the compromise occurs.
Configure your taint analysis by declaring the custom frameworks you use to capture user input and/or to persist it.
Track compliance across security standards
Dedicated reports track project security against the OWASP Top 10 and SANS Top 25 standards.
The SonarSource Security Report facilitates communication by categorizing vulnerabilities in terms developers understand.
Track compliance at Project or Portfolio level and differentiate Vulnerability fixes from Security Hotspot Review.