# Code security
Code security refers to the practices, tools, and processes used to protect software code from unauthorized access, modification, or exploitation. It is a key aspect of application security and essential for preventing vulnerabilities that could lead to cyberattacks.
DHI uses code analysis as a recommended tool for detecting vulnerabilities.
Some of the tools that various parts of the DHI organization are using or evaluating for code security analysis include:
- Microsoft Code Analysis (Roslyn analysers)
- Snyk
- SonarQube
- Coverity
- WhiteSource (Mend)
- Veracode
- Checkmarx
When looking for security vulnerabilities, it is often necessary to focus on the following types of analysis rules:
- Input Validation & Injection Prevention
- Authentication & Authorization
- Cryptography Best Practices
## Audience
This document serves two primary audiences:
- **Product Owners and Project Managers**: Responsible for understanding security requirements, policy compliance, and resource allocation for security initiatives.
- **Software Developers**: Required to implement code analysis tools, interpret security findings, and remediate identified vulnerabilities.
## DHI Code Security
Currently, only DHI Digital Solutions are required to use code security analysis in order to meet ISO27001 certification.
ISO/IEC 27001 does not explicitly require that all vulnerabilities are fixed, but it does require organizations to have a structured approach to managing vulnerabilities and risks.
Digital Solutions are currently using Snyk for code security scanning, but other vulnerability scanning tools are allowed.
At DHI, the following tools are recommended:
- Snyk (C/C++, .NET)
- Microsoft .NET Code Analysis (Roslyn analyzers)
## Snyk
Snyk is a platform that allows you to scan, prioritize, and fix security vulnerabilities in your code, open-source dependencies, container images, and infrastructure as code configurations. The Snyk platform uses a risk-based approach, focusing security efforts on issues that matter, and eliminating the noise of vulnerabilities that have no meaningful impact.
Snyk supports a wide range of programming languages.
DHI has a Snyk Code Security License until 2027.
To get a Snyk login and organization, contact Morten Bentzen.
### Snyk security levels
Snyk findings are divided into severity levels:
| Level | Description | DHI Policy |
|---|---|---|
| Critical | May allow attackers to access sensitive data and run code on your application | Fix Required |
| High | May allow attackers to access sensitive data in your application | Fix highly recommended |
| Medium | Under some conditions, may allow attackers to access sensitive data on your application | Fix recommended |
| Low | Application may expose some data that allows vulnerability mapping, which can be used with other vulnerabilities to attack the application | |
## .NET Source Code Analysis (Roslyn)
Visual Studio supports code analysis as part of building the code.
It is recommended to use the Visual Studio Code Analysis tools.
A range of code analysis security rules should be enabled to detect vulnerabilities (CA2100 - CA5405).
Note that all security findings should be fixed.
If you disable any of these rules, you should clearly mark the reason in code and also inform the designated security officer for your development project.
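The following is an added illustration, not DHI project code, of how one of the rules in the CA2100 - CA5405 range (CA2100, "Review SQL queries for security vulnerabilities") reports a finding, how the finding is remediated, and how a deliberate suppression is documented in code as required above. It assumes the built-in .NET analyzers are enabled in the project (for example `<EnableNETAnalyzers>true</EnableNETAnalyzers>` and `<AnalysisMode>All</AnalysisMode>` in the `.csproj`), that the `Microsoft.Data.SqlClient` package is referenced, and uses a hypothetical `CustomerRepository` class with hypothetical `Customers` and `Orders` tables.

```csharp
// Added example (not DHI project code). Assumes the .NET analyzers are
// enabled in the .csproj and that Microsoft.Data.SqlClient is referenced.
// Class, table and column names are hypothetical.
using System;
using System.Collections.Generic;
using System.Data;
using System.Diagnostics.CodeAnalysis;
using Microsoft.Data.SqlClient;

public sealed class CustomerRepository
{
    private readonly string _connectionString;

    public CustomerRepository(string connectionString) => _connectionString = connectionString;

    // Reported by CA2100: the query text is assembled from a caller-supplied
    // value, so the analyzer cannot prove it is free of injected SQL.
    public DataTable FindByNameUnsafe(string name)
    {
        using var connection = new SqlConnection(_connectionString);
        using var command = connection.CreateCommand();
        command.CommandText = "SELECT Id, Name FROM Customers WHERE Name = '" + name + "'";
        return Execute(command);
    }

    // Remediated: the query text is a constant and the value travels as a typed
    // parameter. CA2100 no longer reports, and the injection path is gone.
    public DataTable FindByName(string name)
    {
        using var connection = new SqlConnection(_connectionString);
        using var command = connection.CreateCommand();
        command.CommandText = "SELECT Id, Name FROM Customers WHERE Name = @name";
        command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return Execute(command);
    }

    // Disabling a rule is only acceptable when the reason is recorded in code and
    // the project's security officer is informed. The Justification text is that
    // record; the table name comes from a fixed allow-list, never from input.
    [SuppressMessage("Security", "CA2100:Review SQL queries for security vulnerabilities",
        Justification = "Table name is chosen from a hard-coded allow-list; no external input reaches the query text. Reviewed with <security officer placeholder>.")]
    public DataTable CountRows(string tableKey)
    {
        var allowedTables = new Dictionary<string, string>
        {
            ["customers"] = "Customers",
            ["orders"] = "Orders",
        };
        if (!allowedTables.TryGetValue(tableKey, out var table))
        {
            throw new ArgumentOutOfRangeException(nameof(tableKey), "Unknown table key.");
        }

        using var connection = new SqlConnection(_connectionString);
        using var command = connection.CreateCommand();
        command.CommandText = "SELECT COUNT(*) FROM " + table; // non-constant text: would be CA2100 without the documented suppression
        return Execute(command);
    }

    // Opens the command's connection, runs the query and loads the result set.
    private static DataTable Execute(SqlCommand command)
    {
        command.Connection!.Open();
        using var reader = command.ExecuteReader();
        var result = new DataTable();
        result.Load(reader);
        return result;
    }
}
```

With the analyzers enabled, `FindByNameUnsafe` produces the CA2100 diagnostic at build time and should be replaced by the parameterized `FindByName`. The `SuppressMessage` attribute on `CountRows` is the pattern for the rare case where a rule is intentionally disabled: the `Justification` property keeps the reason next to the code, where a reviewer and the security officer can see it.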