OWASP Top 10 - We’ve got you covered!
See issues in the 10 most critical security risk categories in your web
applications.
Developer-led OWASP compliance
By raising OWASP Top 10-related issues to developers early in the process,
SonarQube helps you protect your systems, your data and your users.
Accurate results keep developers engaged
The key to developer-led security is keeping developers engaged by
providing accurate results. We have a two-pronged approach.
Security Hotspots
Security Hotspots are uses of security sensitive code. They might be okay, but human
review is required to know for sure.
As developers code and interact with Security Hotspots, they learn to evaluate
security risks while learning more about secure coding practices.
Developer engagement strategy: If every call in sports were obvious,
you wouldn't need referees. Similarly, there is a class of security issues - Security
Hotspots - that requires human wisdom to make the call. By segregating Security
Hotspots from true Vulnerabilities, we set developers' expectations going in, and
maintain their confidence in the analysis.
The tailored Security Hotspot Review interface helps remind developers that they're
looking at "close call" situations and guides them in making informed decisions.
Available for:
Reviewing a Security Hotspot with
Bitbucket. See the video
Security Vulnerabilities
Security Vulnerabilities require immediate action. SonarQube provides detailed issue
descriptions and code highlights that explain why your code is at risk.
Just follow the guidance, check in a fix and secure your application.
Developer engagement strategy: We actively monitor for false positives and respond vigorously, fixing them in the next release. When we raise a Vulnerability issue on your code, you know for sure there's something to fix.
Available for:
We believe in empowering developers to
own Code Security
Application security starts in the code; SonarQube helps you own it.
Get early SAST feedback and a guided
developer experience
SAST analysis of Pull Requests helps empower developers by shifting security left and presenting Security Vulnerabilities as early as possible in your process - when the code is fresh in mind and the fix is still easy.
The issue visualizer is crafted for clarity so developers easily understand the problem flow across methods and from file to file.
In-app guidance helps developers really understand the problem so they can craft the most secure fix.
Use taint analysis to chase down the bad actors
Application security comes from making sure that data is sanitized before hitting critical system parts (Database, File System, OS, etc.)
Taint analysis - it's the ability to track untrusted user input throughout the execution flow from the vulnerability source to the code location (‘sink’) where the compromise occurs.
Configure your taint analysis by declaring the custom frameworks you use to capture user input and/or to persist it.
Track compliance across security standards
Dedicated reports track project security against the OWASP Top 10 and CWE Top 25 standards.
The SonarSource Security Report facilitates communication by categorizing vulnerabilities in terms developers understand.
Track compliance at Project or Portfolio level and differentiate Vulnerability fixes from Security Hotspot Review.
PDF download
The security reports' PDF export includes the project security overview and the top security reports.
