Avoiding breaches of confidentiality and the misuse of sensitive information is essential for any software system. Semmle engineering analytics and repo mining are a must-have for any security-conscious software development team.
Benefits of using Semmle for security
Here are just some of the benefits of using Semmle for application security:
- Comprehensive – includes rules for finding a host of known vulnerabilities in your software
- Responsive – create new rules in Semmle QL that find new vulnerabilities as they are publicized
- Accurate – minimal false negatives and false positives reported
- Actionable – display inline details on vulnerabilities along with suggestions for how to address them
- Auditable – Semmle can report on vulnerabilities by project, team and individual developer
Addressing known vulnerabilities
Semmle includes predefined rules for discovering known vulnerabilities in your software change history fast and at a low cost (as compared with manual penetration testing). It can search for all occurrences across multiple code bases and direct developers to the source with recommendations on correcting the issue.
Semmle security rules are organized according to the Common Weakness Enumeration (CWE). Other standards for which we have considerable coverage include MISRA and OWASP. We also support the Power of Ten rules.
Responding to new vulnerabilities
Semmle is uniquely positioned to do this because all of its security rules are written in QL, Semmle’s flexible code query language. Rules for discovering new vulnerabilities can be created by you or by Semmle within minutes or hours.
Moreover, we recommend that our clients use QL to codify vulnerabilities identified during manual penetration tests. This way they can avoid making the same mistake twice and make sure all instances are found across all code bases.
Organizational learning – create more secure code
Creating awareness about typical mistakes made is essential for enabling individual as well as organizational learning.
Semmle supports this by keeping track of all vulnerabilities, who introduced them, and when. Interactive dashboards allow you to examine the information by focusing on dimensions such as individual, CWE type, code base, date range, etc. This insight makes it easier for team leaders to deliver training on secure coding practices where it is needed most.
Another interesting question is whether vulnerabilities could have been introduced on purpose. Tracking vulnerabilities per individual makes it possible to spot such undesired behavior.