It has been decades since application development evolved to include the creation of software for local installation as well as hosted, cloud-based delivery and software as a service (SaaS). This evolution was the first shift in development workflows—and it established a new potential attack vector for software assets in production. Next came the proliferation of open source, accelerating software development and innovation, and engendering the realization that security risks can scale as quickly as the community can adopt popular—and vulnerable—open source components.
Now we find ourselves in a new phase of evolution for the software development life cycle, characterized by rapid DevOps workflows, CI/CD pipelines, and myriad application security testing tools with disparate control points and fragmented results. Simultaneously, security responsibilities are falling on developers without a corresponding shift in the scope of their role. Tight shipping deadlines and accelerating sprints mean there is less time for software developers and engineers to create more-secure software.
Secure coding is essential to avoid putting the organization, and the sensitive data it accesses, transmits, and stores, at risk. Late-stage security testing complicates secure development practices, forces software artifacts that are noncompliant with security policies back to earlier stages of development, and steals focus from developers who have moved on to the next sprint. To address this challenge, in early 2022, Black Duck launched a standalone version of its Code Sight™ IDE security plugin for VS Code. It allows developers to scan software artifacts and identify quality and security risks in code they wrote, and known vulnerabilities in open source components and dependencies.
Now, the standalone Code Sight security plugin is available for IntelliJ, making IDE-based application security testing attainable without breaking established development workflows.
Code Sight is designed to do one thing really well: give developers access to security risk information that helps them find and fix issues in their projects before they push vulnerable software downstream. Under the hood, Code Sight lets developers trigger scans that assess their projects for potential security risks, rapidly performing static application security testing (SAST) and software composition analysis (SCA).
Results are informed by the security risk insight generated by industry-leading Black Duck Coverity® SAST and Black Duck® SCA, delivered directly to the developer in their IDE so they can immediately fix issues and move on to the next project sprint. With this latest release, Black Duck makes it possible for developers to use the standalone Code Sight IDE plugin in IntelliJ IDEA. Moreover, it is available to development teams without full licenses to Coverity and Black Duck, helping developers ship more-secure software quickly, without waiting for security teams to take action. You can get started with Code Sight right away with a free trial, accessible directly in IntelliJ when you install the Code Sight plugin.
This overview video provides a quick rundown of how developers can use Code Sight to find and fix issues in code written in-house and open source.
Developers, this part’s for you. We want to make secure software development in IntelliJ an achievable activity for you, not just a goal. The two ways you can do this are by performing either an automated or a manual code analysis and open source analysis on your project files. I’ll break down some user pro tips for Code Sight in a future blog, but I’ll get you started with two essential views.
Secure coding practices develop over time, and it’s possible to inadvertently introduce insecure code into a project. The Code Analysis view gives developers insight into code quality and security issues through static analysis, and it includes CWEs (standardized categories of software weaknesses maintained by MITRE). The Code Analysis view also provides insight into the severity and location of risks.
The Issues view provides specific information about a particular risk, including a description of the risk, the events leading up to it within the code, and remediation guidance to help developers of any security skill to fix the issue quickly.
Figure 1: Code Analysis view in Code Sight performs static analysis on the code you write, finding quality and security risks.
The open source community can lack secure coding practices or security risk awareness, so including potentially vulnerable open source components and libraries in your project can weaken your security posture. The Open Source Analysis view provides insight into known vulnerabilities found in third-party libraries, open source components, and dependencies within the project. This is done via SCA, and it includes CVEs (publicly disclosed vulnerabilities tracked by MITRE).
The Open Source Analysis view lists all the vulnerable open source components detected within a project, including those detected in declared and transitive dependencies. It also includes the severity and location of the vulnerability.
As in the Code Analysis view for code written in-house, the Issues view provides specific information about a particular vulnerability, including a description and remediation guidance (accessible from the Fix It button) to help developers fix the issue quickly.
Figure 2: The Open Source Analysis view in Code Sight finds vulnerabilities in third-party libraries, open source components, and dependencies.
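The reason the Open Source Analysis view reports transitive dependencies, not just the ones declared in your build file, is that a vulnerable component is often pulled in several levels down the dependency tree without ever appearing in the project's own manifest. The following added example is not Code Sight's code and makes no claim about how Black Duck SCA is implemented; it walks a constructed dependency graph against a constructed advisory list (the advisory identifiers are placeholders, not real CVEs) to show how an SCA pass classifies each finding as declared or transitive and records the path through which the component was introduced.

```python
"""Added example, not part of the Code Sight product: a minimal software
composition analysis (SCA) pass over a dependency graph that reports
vulnerable components reached directly (declared) or indirectly
(transitive), with the import path for each finding.

All data below is constructed sample input; advisory identifiers are
placeholders and do not refer to real vulnerabilities.
"""
from collections import deque

# Constructed dependency graph: component -> components it pulls in.
# "app" is the project; its declared dependencies are web-lib and json-lib.
DEPENDENCY_GRAPH = {
    "app": ["web-lib==2.1", "json-lib==1.4"],
    "web-lib==2.1": ["http-core==0.9", "log-util==3.0"],
    "json-lib==1.4": [],
    "http-core==0.9": ["compress-lib==1.2"],
    "log-util==3.0": [],
    "compress-lib==1.2": [],
}

# Constructed advisory data keyed by exact component version.
ADVISORIES = {
    "compress-lib==1.2": {"id": "ADVISORY-PLACEHOLDER-1", "severity": "HIGH"},
    "log-util==3.0": {"id": "ADVISORY-PLACEHOLDER-2", "severity": "MEDIUM"},
    "json-lib==1.4": {"id": "ADVISORY-PLACEHOLDER-3", "severity": "LOW"},
}

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def resolve(graph, root):
    """Breadth-first walk from root. Returns {component: (depth, path)} where
    depth 1 means a declared dependency and depth > 1 means transitive.
    A component is recorded at the shallowest depth it is first reached."""
    resolved = {}
    queue = deque([(root, 0, [root])])
    while queue:
        node, depth, path = queue.popleft()
        for dep in graph.get(node, []):
            if dep in resolved:
                continue
            resolved[dep] = (depth + 1, path + [dep])
            queue.append((dep, depth + 1, path + [dep]))
    return resolved


def find_vulnerable(graph, advisories, root="app"):
    """Match every resolved component against the advisory list and return
    findings sorted by severity, each tagged as declared or transitive."""
    findings = []
    for component, (depth, path) in resolve(graph, root).items():
        advisory = advisories.get(component)
        if advisory is None:
            continue
        findings.append({
            "component": component,
            "id": advisory["id"],
            "severity": advisory["severity"],
            "kind": "declared" if depth == 1 else "transitive",
            "path": " -> ".join(path),
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 9), f["component"]))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(DEPENDENCY_GRAPH, ADVISORIES):
        print(f"{f['severity']:8} {f['component']:20} {f['kind']:10} {f['id']}  via {f['path']}")
```

Run as a script, the example lists three findings: the HIGH one in compress-lib is three levels deep and never appears in the project's manifest, which is exactly the class of issue that only shows up when transitive dependencies are resolved rather than just the declared list. Real SCA tools additionally match on version ranges and package ecosystems rather than on an exact version string, which is the simplification made here.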
Black Duck Code Sight is the best way for developers and software engineers to inject application security testing and security risk awareness directly into their IDEs. You can access Code Sight's standalone security testing plugin for VS Code from Visual Studio Marketplace and for IntelliJ IDEA from the JetBrains Marketplace. You can start scanning within minutes with the Code Sight standalone plugin free trial, and you can get your development teams up and running with simple license options. Of course, Code Sight is available as a plugin for even more IDEs, languages, and frameworks with a Coverity or Black Duck license.