Although Blue Cedar's development flow includes test phases and quality assurance to analyze Blue Cedar code for errors, bugs, etc., any app may have a variety of vulnerabilities. Veracode's static vulnerability scanning tool can take an app and scan all its files and source code to detect all the security flaws that may make the app vulnerable.
We use Veracode as one tool to help analyze vulnerabilities in Blue Cedar-integrated apps. We integrate test apps with our accelerators and scan them to look for vulnerabilities that may have been introduced during the integration process. We also offer guidance to customers for addressing vulnerabilities in their app code.
Introduction to static scanning
When developing any app or code, it is important to pay attention to structures and behaviors. To ensure security and solidity, we apply coding best practices and include static analysis. Static analysis includes a set of tools that look for common programming errors. For example, lint analyzes source code to find errors, bugs, suspicious constructions, and so on. But even using lint does not assure that the app is secure.
Each app may have a variety of vulnerabilities. And even with test phases and quality assurance in our development flow, we cannot avoid all the vulnerabilities that an app can present. Thus we use Veracode to provide focused static analysis to find those flaws. Veracode is a static vulnerability scanning tool that takes an app and scans all the files to detect common security flaws that may make the app vulnerable. Some of the limitations of static analysis include the inability to understand what network servers are used by the app or which files are accessed at runtime.
When we submit an app to Veracode's Static Scan, the scanning process produces a score and a Veracode Level. These scores are based on an equation that takes the flaws described by CWE (Common Weakness Enumeration) and CVSS (Common Vulnerability Scoring System) and checks which of them may be present in our code.
Each flaw described by CWE and CVSS sources has a gravity level from one to five. Each of these levels refers to the severity of potential consequences if the app is attacked. To compute the scores, Veracode calculates an equation that weighs the severity based on potential impact of each flaw if exploited. For example, according to Veracode, one level 5 flaw is more critical than five level 1 flaws.
After checking all the possible flaws that an app can have, Veracode calculates a score between 0 and 100 related to all the flaws that it found, where 0 is the most insecure app and 100 is an app with no detectable security flaws.
This table shows the apps we have scanned and addressed, integrated with the indicated accelerator.
|App||Accelerator||OS||Score achieved by our analysis|
For Android, this flaw is partially mitigated. Customers may see this when scanning apps:
How we could handle
|CWE-926: Improper Export of Android Application Components||Medium||The software exports some components of our app but does not properly restrict which apps could access it.|
In our test app, this flaw was related to MainActivity intents in the test app (not in the code added by Blue Cedar integration), and resolving it would require new permissions for MainActivity. That change would affect the app performance in a negative way.
Thus we partially mitigated this flaw with "Potential False Positive" per Veracode research team recommendations.
Veracode Research confirmed that they currently do not automatically exempt activities with the Launcher category from being reported on for this category, although there is no need to restrict this activity.
(See https://community.veracode.com/s/topic/0TO2T000000cP0TWAU/cwe-926 for forum discussion.)