DEV Community: Spyros The latest articles on DEV Community by Spyros (@__spyros). https://dev.to/__spyros https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F238059%2Fe230d427-684a-4aaf-b3e5-348a5c4487d3.jpeg DEV Community: Spyros https://dev.to/__spyros en Revolutionizing Code Security: How Amazon Q Developer Safeguards Modern Applications Spyros Mon, 23 Dec 2024 09:32:22 +0000 https://dev.to/__spyros/revolutionizing-code-security-how-amazon-q-developer-safeguards-modern-applications-19f7 https://dev.to/__spyros/revolutionizing-code-security-how-amazon-q-developer-safeguards-modern-applications-19f7 <p>In today’s fast-paced digital landscape, where applications power everything from banking to healthcare, the security of your codebase isn’t just an IT issue—it’s a business imperative. For developers and business leaders alike, addressing vulnerabilities in code early and efficiently is crucial. Enter Amazon Q Developer, a generative AI-powered assistant designed to identify and fix vulnerabilities, streamline code quality checks, and enable secure software development at scale.</p> <p>This article explores how Amazon Q Developer can revolutionize vulnerability management and ensure your applications are secure, reliable, and enterprise-ready.</p> <h2> Vulnerability Detection with Amazon Q Developer </h2> <p>Amazon Q Developer employs advanced static analysis techniques, leveraging the comprehensive <a href="https://docs.aws.amazon.com/codeguru/detector-library" rel="noopener noreferrer">Amazon Q Detector Library</a> to identify a wide range of vulnerabilities. Some key categories include:</p> <ul> <li><p><strong>SQL Injection:</strong> Scans for unsafe SQL queries that could allow attackers to access sensitive data.</p></li> <li><p><strong>Cross-Site Scripting (XSS):</strong> Detects unsafe handling of user inputs in web applications.</p></li> <li><p><strong>Secrets Exposure:</strong> Identifies hardcoded sensitive information like API keys and passwords, recommending secure alternatives like AWS Secrets Manager.</p></li> <li><p><strong>Insecure Dependencies:</strong> Flags outdated or insecure third-party libraries and frameworks.</p></li> <li><p><strong>Configuration Flaws:</strong> Examines Infrastructure as Code (IaC) for misconfigurations in cloud environments.</p></li> <li><p><strong>Sensitive Data Leak Detection:</strong> Highlights potential exposures of PII (Personally Identifiable Information) in logs and error messages.</p></li> <li><p><strong>Thread Safety Analysis:</strong> Detects concurrency issues, such as race conditions, that could compromise application integrity.</p></li> </ul> <p>By proactively addressing these risks, Amazon Q Developer not only protects your applications from potential breaches but also minimizes technical debt and accelerates compliance with industry standards.</p> <h2> How to Use Amazon Q Developer to Fix Vulnerabilities </h2> <p>Amazon Q Developer offers two primary ways to integrate into the development process: directly within an Integrated Development Environment (IDE) or as part of a Continuous Integration/Continuous Deployment (CI/CD) pipeline. These options ensure flexibility and cater to teams of all sizes and workflows.</p> <h3> Integrate with the IDE </h3> <p>Amazon Q Developer integrates seamlessly with popular integrated development environments (IDEs) such as VS Code, JetBrains, and IntelliJ IDEA. To use Amazon Q Developer within your IDE:</p> <ul> <li><p><strong>Step 1:</strong> Install the Amazon Q Developer plugin for your chosen IDE.</p></li> <li><p><strong>Step 2:</strong> Authenticate your Amazon Q Developer account and link it to your project repository.</p></li> <li><p><strong>Step 3:</strong> Select the codebase or specific files you want to analyze (or the whole project).</p></li> <li><p><strong>Step 4:</strong> Run the analysis directly from the IDE to scan your codebase for vulnerabilities.</p></li> <li><p><strong>Step 5:</strong> Review detailed reports generated within the IDE, which highlight vulnerabilities, their severity, and their exact location in the code.</p></li> <li><p><strong>Step 6:</strong> Apply the AI-driven fix suggestions provided by Amazon Q Developer. These suggestions include clear explanations to help developers understand the root cause of the issues.</p></li> <li><p><strong>Step 7:</strong> Execute unit tests automatically generated by Amazon Q Developer to validate the applied fixes, ensuring that no new issues are introduced.</p></li> </ul> <h3> Integrate in the CI/CD Pipeline </h3> <p>For enterprises aiming to automate security at scale, Amazon Q Developer can be integrated directly into the CI/CD pipelines. To set this up:</p> <ul> <li><p><strong>Step 1:</strong> Add Amazon Q Developer as a step in your CI/CD pipeline. This can be done by updating your CI/CD configuration files (e.g., Jenkinsfile, GitHub Actions YAML, or AWS CodePipeline configuration).</p></li> <li><p><strong>Step 2:</strong> Authenticate your Amazon Q Developer account and configure the tool to scan your codebase during every code commit, pull request, or deployment.</p></li> <li><p><strong>Step 3:</strong> Define organization-specific security and quality policies to customize the scan process.</p></li> <li><p><strong>Step 4:</strong> Trigger automated scans during each pipeline run. Amazon Q Developer will analyze the code and generate reports indicating any vulnerabilities or code quality issues.</p></li> <li><p><strong>Step 5:</strong> Use the pipeline's reporting mechanisms to flag critical issues and halt the deployment process if necessary.</p></li> <li><p><strong>Step 6:</strong> Incorporate Amazon Q Developer’s automated fix suggestions into the pipeline or assign them to relevant developers for immediate remediation.</p></li> <li><p><strong>Step 7:</strong> Monitor scan results across all projects using centralized dashboards available in the Amazon Q Developer Console. These dashboards provide an enterprise-wide view of vulnerabilities and their resolution status.</p></li> </ul> <p>By integrating Amazon Q Developer in both IDEs and CI/CD pipelines, organizations can ensure that vulnerabilities are detected and fixed at every stage of the software development lifecycle.</p> <h2> Demonstrating SQL Injection Detection and Remediation </h2> <p>Consider the following vulnerable TypeScript code for a financial asset management platform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// File: getUserPortfolio.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Database</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">some-database-lib</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Database</span><span class="p">();</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">getUserPortfolio</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">userId</span><span class="p">;</span> <span class="c1">// User input directly used</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="s2">`SELECT * FROM portfolios WHERE userId = '</span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">';`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">query</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">result</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <p>This code is vulnerable to SQL injection because it directly concatenates user input (userId) into the SQL query. An attacker could exploit this to execute arbitrary SQL commands.</p> <h2> How Amazon Q Developer Detects and Fixes the Vulnerability </h2> <p>In this case, I'm using Amazon Q Developer via the extension in VS Code IDE, which provides a chat interface to interact with it like below.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvx1w3wxf14ykr5bu7a9y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvx1w3wxf14ykr5bu7a9y.png" alt="Amazon Q Developer - Chat Intefrace" width="800" height="832"></a></p> <ul> <li> <strong>Step 1:</strong> The Amazon Q Developer scan identifies the concatenation of user input into the SQL query. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Scan the code of getUserPortfolio.js for security vulnerabilities </code></pre> </div> <ul> <li> <strong>Step 2:</strong> It highlights the vulnerability, providing a detailed explanation of the risk and a suggestion to use parameterized queries.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flacty2dmr5q8d77xv48d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flacty2dmr5q8d77xv48d.png" alt="Amazon Q - Vulnerability Explanation" width="800" height="720"></a></p> <ul> <li> <strong>Step 3:</strong> The suggested fix replaces the unsafe query with a parameterized one: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// File: getUserPortfolio.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Database</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">some-database-lib</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Database</span><span class="p">();</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">getUserPortfolio</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">userId</span><span class="p">;</span> <span class="c1">// Input validation</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">userId</span> <span class="o">||</span> <span class="k">typeof</span> <span class="nx">userId</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid user ID</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Use parameterized query to prevent SQL injection</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">SELECT * FROM portfolios WHERE userId = ?</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">query</span><span class="p">,</span> <span class="p">[</span><span class="nx">userId</span><span class="p">]);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">result</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Generic error message to avoid leaking implementation details</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Portfolio fetch error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Internal server error</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <ul> <li> <strong>Step 4:</strong> Amazon Q Developer generates a unit test to ensure the fix works as intended and prevents regressions, using the user input below: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Create unit tests for the suggested code, and ensure to cover the changes related to the vulnerability fix </code></pre> </div> <p>Unit tests generated:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// File: getUserPortfolio.test.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Database</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">some-database-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getUserPortfolio</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./getUserPortfolio</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Mock the database</span> <span class="nx">jest</span><span class="p">.</span><span class="nf">mock</span><span class="p">(</span><span class="dl">'</span><span class="s1">some-database-lib</span><span class="dl">'</span><span class="p">);</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">getUserPortfolio</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="na">mockRequest</span><span class="p">:</span> <span class="nx">Partial</span><span class="o">&lt;</span><span class="nx">Request</span><span class="o">&gt;</span><span class="p">;</span> <span class="kd">let</span> <span class="na">mockResponse</span><span class="p">:</span> <span class="nx">Partial</span><span class="o">&lt;</span><span class="nx">Response</span><span class="o">&gt;</span><span class="p">;</span> <span class="kd">let</span> <span class="na">mockDb</span><span class="p">:</span> <span class="nx">jest</span><span class="p">.</span><span class="nx">Mocked</span><span class="o">&lt;</span><span class="nx">Database</span><span class="o">&gt;</span><span class="p">;</span> <span class="nf">beforeEach</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Reset mocks before each test</span> <span class="nx">mockRequest</span> <span class="o">=</span> <span class="p">{</span> <span class="na">query</span><span class="p">:</span> <span class="p">{}</span> <span class="p">};</span> <span class="nx">mockResponse</span> <span class="o">=</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="nx">jest</span><span class="p">.</span><span class="nf">fn</span><span class="p">().</span><span class="nf">mockReturnThis</span><span class="p">(),</span> <span class="na">json</span><span class="p">:</span> <span class="nx">jest</span><span class="p">.</span><span class="nf">fn</span><span class="p">()</span> <span class="p">};</span> <span class="nx">mockDb</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Database</span><span class="p">()</span> <span class="k">as</span> <span class="nx">jest</span><span class="p">.</span><span class="nx">Mocked</span><span class="o">&lt;</span><span class="nx">Database</span><span class="o">&gt;</span><span class="p">;</span> <span class="nx">mockDb</span><span class="p">.</span><span class="nx">query</span> <span class="o">=</span> <span class="nx">jest</span><span class="p">.</span><span class="nf">fn</span><span class="p">();</span> <span class="p">});</span> <span class="c1">// Test valid input scenario</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should return portfolio data for valid userId</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">mockPortfolioData</span> <span class="o">=</span> <span class="p">[{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user123</span><span class="dl">'</span><span class="p">,</span> <span class="na">assets</span><span class="p">:</span> <span class="p">[]</span> <span class="p">}];</span> <span class="nx">mockRequest</span><span class="p">.</span><span class="nx">query</span> <span class="o">=</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user123</span><span class="dl">'</span> <span class="p">};</span> <span class="nx">mockDb</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nf">mockResolvedValueOnce</span><span class="p">(</span><span class="nx">mockPortfolioData</span><span class="p">);</span> <span class="k">await</span> <span class="nf">getUserPortfolio</span><span class="p">(</span><span class="nx">mockRequest</span> <span class="k">as</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">mockResponse</span> <span class="k">as</span> <span class="nx">Response</span><span class="p">);</span> <span class="c1">// Verify parameterized query was used correctly</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">mockDb</span><span class="p">.</span><span class="nx">query</span><span class="p">).</span><span class="nf">toHaveBeenCalledWith</span><span class="p">(</span> <span class="dl">'</span><span class="s1">SELECT * FROM portfolios WHERE userId = ?</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="dl">'</span><span class="s1">user123</span><span class="dl">'</span><span class="p">]</span> <span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">mockResponse</span><span class="p">.</span><span class="nx">json</span><span class="p">).</span><span class="nf">toHaveBeenCalledWith</span><span class="p">(</span><span class="nx">mockPortfolioData</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Test SQL injection prevention</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should safely handle potentially malicious userId input</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">suspiciousUserId</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">' OR '1'='1</span><span class="dl">"</span><span class="p">;</span> <span class="nx">mockRequest</span><span class="p">.</span><span class="nx">query</span> <span class="o">=</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">suspiciousUserId</span> <span class="p">};</span> <span class="k">await</span> <span class="nf">getUserPortfolio</span><span class="p">(</span><span class="nx">mockRequest</span> <span class="k">as</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">mockResponse</span> <span class="k">as</span> <span class="nx">Response</span><span class="p">);</span> <span class="c1">// Verify the suspicious input is passed as a parameter, not concatenated</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">mockDb</span><span class="p">.</span><span class="nx">query</span><span class="p">).</span><span class="nf">toHaveBeenCalledWith</span><span class="p">(</span> <span class="dl">'</span><span class="s1">SELECT * FROM portfolios WHERE userId = ?</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="nx">suspiciousUserId</span><span class="p">]</span> <span class="p">);</span> <span class="p">});</span> <span class="c1">// Test input validation</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should return 400 when userId is missing</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">mockRequest</span><span class="p">.</span><span class="nx">query</span> <span class="o">=</span> <span class="p">{};</span> <span class="k">await</span> <span class="nf">getUserPortfolio</span><span class="p">(</span><span class="nx">mockRequest</span> <span class="k">as</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">mockResponse</span> <span class="k">as</span> <span class="nx">Response</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">mockResponse</span><span class="p">.</span><span class="nx">status</span><span class="p">).</span><span class="nf">toHaveBeenCalledWith</span><span class="p">(</span><span class="mi">400</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">mockResponse</span><span class="p">.</span><span class="nx">json</span><span class="p">).</span><span class="nf">toHaveBeenCalledWith</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid user ID</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should return 400 when userId is not a string</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">mockRequest</span><span class="p">.</span><span class="nx">query</span> <span class="o">=</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">multiple</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ids</span><span class="dl">'</span><span class="p">]</span> <span class="p">};</span> <span class="k">await</span> <span class="nf">getUserPortfolio</span><span class="p">(</span><span class="nx">mockRequest</span> <span class="k">as</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">mockResponse</span> <span class="k">as</span> <span class="nx">Response</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">mockResponse</span><span class="p">.</span><span class="nx">status</span><span class="p">).</span><span class="nf">toHaveBeenCalledWith</span><span class="p">(</span><span class="mi">400</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">mockResponse</span><span class="p">.</span><span class="nx">json</span><span class="p">).</span><span class="nf">toHaveBeenCalledWith</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid user ID</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Test error handling</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should return 500 and not leak error details on database error</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">mockRequest</span><span class="p">.</span><span class="nx">query</span> <span class="o">=</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user123</span><span class="dl">'</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">dbError</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Database connection failed</span><span class="dl">'</span><span class="p">);</span> <span class="nx">mockDb</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nf">mockRejectedValueOnce</span><span class="p">(</span><span class="nx">dbError</span><span class="p">);</span> <span class="k">await</span> <span class="nf">getUserPortfolio</span><span class="p">(</span><span class="nx">mockRequest</span> <span class="k">as</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">mockResponse</span> <span class="k">as</span> <span class="nx">Response</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">mockResponse</span><span class="p">.</span><span class="nx">status</span><span class="p">).</span><span class="nf">toHaveBeenCalledWith</span><span class="p">(</span><span class="mi">500</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">mockResponse</span><span class="p">.</span><span class="nx">json</span><span class="p">).</span><span class="nf">toHaveBeenCalledWith</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Internal server error</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Test logging of errors</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should log database errors without exposing them to client</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">consoleSpy</span> <span class="o">=</span> <span class="nx">jest</span><span class="p">.</span><span class="nf">spyOn</span><span class="p">(</span><span class="nx">console</span><span class="p">,</span> <span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">).</span><span class="nf">mockImplementation</span><span class="p">();</span> <span class="nx">mockRequest</span><span class="p">.</span><span class="nx">query</span> <span class="o">=</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user123</span><span class="dl">'</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">dbError</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Database connection failed</span><span class="dl">'</span><span class="p">);</span> <span class="nx">mockDb</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nf">mockRejectedValueOnce</span><span class="p">(</span><span class="nx">dbError</span><span class="p">);</span> <span class="k">await</span> <span class="nf">getUserPortfolio</span><span class="p">(</span><span class="nx">mockRequest</span> <span class="k">as</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">mockResponse</span> <span class="k">as</span> <span class="nx">Response</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">consoleSpy</span><span class="p">).</span><span class="nf">toHaveBeenCalledWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">Portfolio fetch error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">dbError</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">mockResponse</span><span class="p">.</span><span class="nx">json</span><span class="p">).</span><span class="nx">not</span><span class="p">.</span><span class="nf">toHaveBeenCalledWith</span><span class="p">(</span><span class="nx">expect</span><span class="p">.</span><span class="nf">objectContaining</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">expect</span><span class="p">.</span><span class="nf">stringContaining</span><span class="p">(</span><span class="dl">'</span><span class="s1">Database connection failed</span><span class="dl">'</span><span class="p">)</span> <span class="p">}));</span> <span class="nx">consoleSpy</span><span class="p">.</span><span class="nf">mockRestore</span><span class="p">();</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> Scaling Vulnerability Management Across the Enterprise </h2> <p>For large organizations with multiple teams and sprawling codebases, addressing vulnerabilities at scale can be daunting. Amazon Q Developer simplifies this through:</p> <ul> <li><p><strong>Centralized Management</strong><br> Use the Amazon Q Developer Console to manage code reviews across teams and projects. Dashboards provide an enterprise-wide view of vulnerabilities, their severity, and their resolution status.</p></li> <li><p><strong>Custom Policies and Standards</strong><br> Define organization-specific rules for code quality, security, and compliance. Amazon Q enforces these policies during code scans, ensuring consistent practices across teams.</p></li> <li><p><strong>Automated CI/CD Integration</strong><br> Integrate Amazon Q into your CI/CD pipelines to automate vulnerability detection and remediation during code commits and deployments. This allows enterprises to catch issues early in the software development lifecycle.</p></li> <li><p><strong>Continuous Monitoring and Updates</strong><br> Amazon Q continuously updates its vulnerability database, ensuring your codebase is protected against emerging threats and new attack vectors.</p></li> <li><p><strong>Training and Knowledge Sharing</strong><br> With its detailed explanations and contextual fixes, Amazon Q serves as a training tool, upskilling teams on secure coding practices while they work.</p></li> </ul> <h2> Conclusion </h2> <p>Amazon Q Developer bridges the gap between security and productivity, enabling developers to focus on innovation while ensuring their codebases are secure. For business leaders, it offers a tangible way to mitigate risks, meet compliance requirements, and protect the organization’s reputation.</p> <p>By adopting Amazon Q Developer, businesses can embed security into their software development processes—from code creation to deployment—and scale these practices across the enterprise. The result? A resilient software portfolio and peace of mind in an increasingly threat-prone digital world.</p> <p><strong>Get started with Amazon Q Developer today and make secure software development a standard, not an afterthought.</strong></p> codesecurity awsqdeveloper securesoftwaredevelopment devsecops