
Static Analysis

Mihály Dobos-Kovács edited this page Oct 13, 2020 · 2 revisions

By using static analysis we plan to eliminate most of the vulnerabilities in our code as they arise. We plan to use tools that integrate with our development environment and support the technologies we use.

SpotBugs

SpotBugs is a tool for the static analysis of Java programs. We plan to use SpotBugs to analyze the server side code to detect vulnerabilities. The range of bugs the tool can find varies, and the full list can be found here. The tool uses various methods, including taint analysis and pattern matching, to find problematic code snippets.
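As an added illustration (not code from this project or from the SpotBugs documentation), the fragment below shows the kind of finding the SECURITY category of SpotBugs produces and the shape of code it accepts. The class name, the `users` table and the `findEmail` methods are assumptions made for the example; the bug pattern name `SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE` is a real SpotBugs pattern.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Illustrative example only (not project code): one defect SpotBugs reports
 * in its SECURITY category, beside the parameterised form it accepts.
 * The schema (a "users" table with "name" and "email" columns) is assumed.
 */
public final class UserLookup {

    private UserLookup() {}

    // Reported by SpotBugs as SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE:
    // the query text depends on a value the analyser cannot prove is trusted,
    // so that value may be interpreted as part of the SQL statement.
    static String findEmailUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("email") : null;
        }
    }

    // Accepted by the same check: the query text is a compile-time constant and
    // the untrusted value travels as a bound parameter, never as SQL syntax.
    static String findEmail(Connection conn, String username) throws SQLException {
        final String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }
}
```

Running SpotBugs over a build that contains both methods reports only the first one; the point for our workflow is that the warning appears at compile time in the IDE or CI run, before the code is reviewed by a person.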

Some of the checks that are useful to have are:

SonarCloud

SonarCloud is a free tool for open-source projects that analyzes code written in various languages, including our target languages: Java, C, and Kotlin. SonarCloud analyzes the software in question using various methods and reports issues regarding maintainability, reliability, and security. We also plan to use this tool to verify our compliance with the secure coding standards (see). SonarCloud integrates with SpotBugs, so the issues can be summarized and dealt with on a single user interface.

An extensive list of rules is available, targeting our technologies:

SonarCloud assigns a severity to each rule violation based on factoring in "Murphy's Law without predicting Armageddon", so the development team can focus on the more pressing issues. See more about the general guidelines here.
