
New feature request to improve code quality and security, driven by static analyzers and security tools.

Bringing in Static analyzers and Security tools for quality and secure code

Proposer

Ramesh Ramanathan B (Tata Elxsi)

Type

Feature (do not modify)

Target MDG/TF

NBI, LCM, RO, MON, POL, DevOps

Supported VIMs

Can be tested against any VIM

Description

Software quality attributes such as security, maintainability, reliability, performance efficiency and usability are necessary to develop and maintain world-class software. Static analysis tools let us focus on and measurably improve these attributes, especially security and maintainability.

The key is to use the right set of tools to get results, together with a constructive rule set that still leaves the developer creative freedom.

Maintainability at a high level can include:

  1. Analyzability – ease of navigating the code to gauge the impact of a proposed change
  2. Modifiability – ease of making changes without introducing defects or regressions
  3. Modularity – component-level coupling and cohesion that minimize the impact of a change in one component on other components
  4. Reusability – degree to which components can be reused in more than one place in the code base

Security

A combination of Static Application Security Testing (SAST) tools and dynamic application security and vulnerability scanners can help to identify issue classes such as:

  1. Injection - untrusted data passed to an interpreter (SQL, OS command, etc.) as part of a query or command
  2. Broken Authentication - brute-force attacks, dictionary attacks, token-based attacks
  3. Sensitive Data Exposure - man-in-the-middle attacks, stealing clear text from the browser
  4. Access Control - unauthorized access to resources
  5. Security (mis)configuration - exploiting unpatched flaws, accessing default accounts
  6. XSS - cross-site scripting attacks
  7. Session Management - sessions that fail to restrict access to the authenticated user for their whole lifetime

OWASP / NIST / SANS security guidelines will be considered overall and the associated tools will be executed.
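As an added illustration of the injection class in item 1 (this is example code, not OSM code nor code from the proposer), the snippet below shows an SQL lookup built by string formatting next to its parameterised fix, and runs both against the same attacker input. The table, rows and payload are constructed; only the stdlib sqlite3 driver is used.

```python
"""Added example (not OSM code): the injection class from the list above,
shown as a SAST tool would see it in Python. The table, rows and attacker
input are constructed; the fix is the same whatever the DB driver."""
import sqlite3


def make_db():
    """In-memory SQLite database with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    return conn


def lookup_vulnerable(conn, name):
    """Query built by string formatting: untrusted `name` becomes part of
    the SQL text, so a quote character changes the query structure. Bandit
    reports this pattern as B608 (hardcoded_sql_expressions); it is also the
    pattern py-find-injection was written to find."""
    query = "SELECT name, secret FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_hardened(conn, name):
    """Parameterised query: the driver binds `name` as a value, never as SQL,
    so the same attacker input simply matches nothing."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed attacker input: closes the quoted literal and appends a
# tautology, turning "WHERE name = ''" into "WHERE name = '' OR '1'='1'".
PAYLOAD = "' OR '1'='1"


def demo():
    """Run both lookups against the same input and return the results."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),   # every row leaks
        "hardened": lookup_hardened(conn, PAYLOAD),       # no row matches
        "legit": lookup_hardened(conn, "alice"),          # normal use still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>10}: {rows}")
```

The vulnerable lookup returns both users for the payload, the hardened one returns nothing, and a legitimate name still resolves; this is exactly the difference a SAST finding for item 1 is asking the developer to produce.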

Demo or definition of done

NOTE: We ran a first-level pylint pass and found around 300+ errors, 1000+ warnings and around 5000+ issues overall.

  1. Execute the tools and fix the reported issues (reactive readiness)
  2. Include the tools in the DevOps pipelines so that new issues are blocked before merge (proactive correctness)
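As an added example of step 2 (this is example code, not OSM's, the proposer's or Bandit's own), the script below implements a CI quality gate over Bandit's JSON report: the pipeline runs `bandit -r <package> -f json -o bandit.json` and then this script exits non-zero when findings exceed a per-severity budget. SAMPLE_REPORT is a constructed report in the shape Bandit's JSON formatter emits (`results` entries with `issue_severity`, `issue_confidence`, `test_id`, `filename`, `line_number`, `issue_text`); the file names, findings and thresholds are hypothetical.

```python
"""Added example (not OSM or Bandit code): a CI gate over Bandit's JSON
report, for step 2 above. Run `bandit -r <package> -f json -o bandit.json`
in the pipeline, then this script decides pass/fail. SAMPLE_REPORT is a
constructed report in the shape Bandit's JSON formatter emits; the
file names, findings and thresholds are hypothetical."""
import json
import sys
from collections import Counter

RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}   # Bandit's severity/confidence levels

# Reactive mode: carry a baseline budget while the backlog is worked down.
# Proactive mode: HIGH must be 0, so no new high-severity finding merges.
DEFAULT_BUDGET = {"HIGH": 0, "MEDIUM": 5, "LOW": 50}

SAMPLE_REPORT = json.dumps({   # constructed, not a scan of a real code base
    "results": [
        {"filename": "pkg/auth.py", "line_number": 42, "test_id": "B105",
         "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "issue_text": "Possible hardcoded password: 'changeme'"},
        {"filename": "pkg/vim_helper.py", "line_number": 118, "test_id": "B602",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified"},
        {"filename": "pkg/store.py", "line_number": 77, "test_id": "B608",
         "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "issue_text": "Possible SQL injection vector through string-based query construction."},
    ],
    "errors": [],
})


def load_findings(report_text):
    """Parse the report; a non-empty `errors` list means files Bandit could
    not scan, which must fail the gate rather than silently pass."""
    report = json.loads(report_text)
    if report.get("errors"):
        raise RuntimeError("bandit reported scan errors: %r" % report["errors"])
    return report["results"]


def count_by_severity(findings, min_confidence="MEDIUM"):
    """Count findings per severity, dropping those below `min_confidence`
    (the same filter as Bandit's -i/-ii/-iii options)."""
    counts = Counter()
    for f in findings:
        if RANK[f["issue_confidence"]] >= RANK[min_confidence]:
            counts[f["issue_severity"]] += 1
    return counts


def gate(report_text, budget=None, min_confidence="MEDIUM"):
    """Return (passed, counts); passed is False if any severity exceeds its budget."""
    budget = DEFAULT_BUDGET if budget is None else budget
    counts = count_by_severity(load_findings(report_text), min_confidence)
    passed = all(counts[sev] <= limit for sev, limit in budget.items())
    return passed, dict(counts)


def over_budget(report_text, budget=None, min_confidence="MEDIUM"):
    """One log line per finding in a severity that breached the budget."""
    budget = DEFAULT_BUDGET if budget is None else budget
    findings = load_findings(report_text)
    counts = count_by_severity(findings, min_confidence)
    bad = {sev for sev, limit in budget.items() if counts[sev] > limit}
    return ["%s:%d %s %s %s" % (f["filename"], f["line_number"], f["test_id"],
                                 f["issue_severity"], f["issue_text"])
            for f in findings
            if f["issue_severity"] in bad
            and RANK[f["issue_confidence"]] >= RANK[min_confidence]]


if __name__ == "__main__":
    # Usage in CI: python bandit_gate.py bandit.json  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    ok, counts = gate(text)
    print("bandit findings by severity:", counts)
    for line in over_budget(text):
        print("  ", line)
    sys.exit(0 if ok else 1)
```

With the sample report the gate fails on the single HIGH finding; raising the HIGH budget to 1 (a reactive baseline) lets it pass, and lowering the confidence filter to LOW brings the B608 finding into the counts. The same shape of gate applies to pylint (which supports `--fail-under`) and Safety, so the pipeline stays green only while each tool's count is at or below the agreed budget.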

Tools:

  1. Kali Linux for application security testing with tools such as Burp Suite and OWASP ZAP
  2. Bandit (originally an OpenStack community project, now maintained under PyCQA)
  3. py-find-injection (SQL injection detection, contributed by Uber)
  4. PyT (python-taint: detects command injection, SSRF, SQL injection, XSS, directory traversal)
  5. Radon (maintainability: cyclomatic complexity and maintainability index)
  6. Pylint (maintainability)
  7. Safety - checks installed dependencies against a database of known security vulnerabilities

Future Work

A next step can be to drill down further into a dedicated static code analysis phase. This can potentially include:

  1. Vulture – dead code detection
  2. Pyroma – packaging quality (how well the project follows Python packaging best practices)
  3. Cohesion – measures the cohesion of classes in the code