« WASC-Articles: 'The Importance of Application Classification in Secure Application Development' | Main | US State Department gets Pwned with 0day »

A Software Call To Arms: Where are source control repository security scanning tools?

We've heard of source code analysis tools, and blackbox scanning tools and they have value to help secure your application. Unfortunately they have a major downside, they require the discipline of using them. If your developers don't run them they can still check in vulnerable code to your source code repository. For the past two years or so I've been wondering why doesn't someone make a product to perform the security scanning on the source code repository level? Its an obvious idea and takes the 'choice' of scanning out of the hands of the developers. Lets run through the good and bad of such a product.


* You could use such a tool to profile your developers to identify which ones are checking in the most vulnerable code. This can allow you to focus training towards those who need it instead of either A. not providing training because training everyone is to expensive, or B. providing training to large groups of people who may not need it (and at a great expense).

* If you utilize a particular security framework or library, you can audit its usage. If you create a mandate to use a specific API you can audit your development team on a per developer basis to see if they are in fact using it.

* Instead of installing a product on dozens or hundreds of workstations, you install it on the repisitory once.

* Review checking in of configuration files such as web.config, and web.xml. You accidentially check in a configuration file allowing remote debug error messages which is included in the build.


* Signature tweaking: Just like an IDS it will need to be tweaked. The first versions of such a product will make mistakes similar to those IDS and scanning products have.

Such a tool could disallow the developer from checking in vulnerable code if they meet a certain threshold as defined by your policy, or simply flag upon it and provide the results in a regular report to the development manager. I'd like to ask the people in the industry why doesn't this exist yet?


Link to this Story: 04/17/07 A Software Call To Arms: Where are source control repository security scanning tools?


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!