By raising OWASP Top 10-related issues to developers early in the process,
SonarQube helps you protect your systems, your data and your users.
Accurate results keep developers engaged
The key to developer-led security is keeping developers engaged by
providing accurate results. We have a two-pronged approach.
Security Hotspots are uses of security-sensitive code. They might be okay, but human
review is required to know for sure.
As developers code and interact with Security Hotspots, they learn to evaluate
security risks while learning more about secure coding practices.
Developer engagement strategy: If every call in sports were obvious,
you wouldn't need referees. Similarly, there is a class of security issues - Security
Hotspots - that requires human wisdom to make the call. By segregating Security
Hotspots from true Vulnerabilities, we set developers' expectations going in, and
maintain their confidence in the analysis.
The tailored Security Hotspot Review interface helps remind developers that they're
looking at "close call" situations and guides them in making informed decisions.
Security Vulnerabilities require immediate action. SonarQube provides detailed issue
descriptions and code highlights that explain why your code is at risk.
Just follow the guidance, check in a fix and secure your application.
Developer engagement strategy: We actively monitor for false
positives and respond vigorously, fixing them in the next release. When we raise a
Vulnerability issue on your code, you know for sure there's something to fix.
We believe in empowering developers to own Code Security
Application security starts in the code; SonarQube helps you own it.
Get early SAST feedback and a guided
SAST analysis of Pull Requests helps empower developers by shifting security left and
presenting Security Vulnerabilities as early as possible in your process - when the code
is fresh in mind and the fix is still easy.
The issue visualizer is crafted for clarity so developers easily understand the problem
flow across methods and from file to file.
In-app guidance helps developers really understand the problem so they can craft the
most secure fix.
Use taint analysis to chase down the bad actors
Application security comes from making sure that data is sanitized before it reaches
critical system parts (database, file system, OS, etc.).
Taint analysis is the ability to track untrusted user input throughout the execution
flow from the vulnerability source to the code location (‘sink’) where the compromise
Configure your taint analysis by declaring the custom frameworks you use to capture user
input and/or to persist it.
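To make the source-to-sink idea concrete, here is a small taint-propagation engine written for this page (not SonarQube's engine or its configuration format). It walks a constructed toy program, reports every sink fed by unsanitized input, and shows how declaring a custom framework's input-capturing call as an extra source surfaces a flow the default configuration misses; all call names (`request.param`, `myfw.read_header`, `escape_sql`, `db.execute`, `os.system`) are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Stmt:
    target: str        # variable written by this statement ("" for a pure sink call)
    call: str          # callee name; all names here are hypothetical
    args: tuple = ()   # variable names read by the call

@dataclass
class TaintConfig:
    sources: set       # calls that capture untrusted input
    sanitizers: set    # calls whose result is considered clean
    sinks: set         # calls that persist or execute data (DB, file system, OS, ...)

def with_custom_framework(cfg, extra_sources=(), extra_sinks=()):
    """Declare a custom framework's input-capturing and/or persisting calls."""
    return TaintConfig(cfg.sources | set(extra_sources), set(cfg.sanitizers), cfg.sinks | set(extra_sinks))

def find_taint_flows(program, cfg):
    """Return (statement index, sink, source) for every sink fed by unsanitized input."""
    origin = {}   # variable -> the source call its value was derived from
    flows = []
    for i, s in enumerate(program):
        tainted = [a for a in s.args if a in origin]
        if s.call in cfg.sources:
            origin[s.target] = s.call
        elif s.call in cfg.sanitizers:
            origin.pop(s.target, None)              # sanitizer output is clean
        elif s.call in cfg.sinks:
            flows.extend((i, s.call, origin[a]) for a in tainted)
        elif tainted:
            origin[s.target] = origin[tainted[0]]   # ordinary call propagates taint
        else:
            origin.pop(s.target, None)
    return flows

# Constructed sample program (hypothetical call names, not SonarQube rules).
PROGRAM = [
    Stmt("name", "request.param"),                    # untrusted input
    Stmt("query", "concat", ("name",)),
    Stmt("", "db.execute", ("query",)),               # injection: tainted -> sink
    Stmt("safe", "escape_sql", ("name",)),            # sanitized copy
    Stmt("query2", "concat", ("safe",)),
    Stmt("", "db.execute", ("query2",)),              # clean: no flow reported
    Stmt("cmd", "myfw.read_header"),                  # custom framework input
    Stmt("", "os.system", ("cmd",)),                  # missed unless declared
]
DEFAULT = TaintConfig({"request.param"}, {"escape_sql"}, {"db.execute", "os.system"})
CUSTOM = with_custom_framework(DEFAULT, extra_sources=["myfw.read_header"])
```

`find_taint_flows(PROGRAM, DEFAULT)` reports only the SQL flow; with `CUSTOM` the command flow through `myfw.read_header` is reported as well.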
Track compliance across security standards
Dedicated reports track project security against the OWASP Top 10 and SANS Top 25.
The SonarSource Security Report facilitates communication by categorizing
vulnerabilities in terms developers understand.
Track compliance at Project or Portfolio level and differentiate Vulnerability fixes
from Security Hotspot reviews.