DEV Community: CodeSec by Contrast Security

Detect vulnerable libraries within your GitHub environments for free

Orlandov14 — Fri, 21 Oct 2022 03:08:27 +0000

Combine the power of GitHub Actions for automated Continuous Integration/Continuous Deployment (CI/CD) pipelines with Contrast Security’s powerful free developer tool, CodeSec, to identify vulnerable dependencies in your Java, .NET, NodeJS, Ruby, Python, Go or PHP projects.

The first step is to install CodeSec locally. CodeSec is at the free tier of Contrast Security’s product suite. It is very easy to install with either Homebrew, npm or straight from binary. You can find CodeSec at Contrast’s Developer Central online portal.

Once CodeSec is installed on your machine, you will need to run the command contrast config. This will give you the CodeSec account keys that you can use in your project’s GitHub Actions configuration file.

CodeSec config keys

Second, you need to set those keys as secrets in your GitHub repository’s settings. This is available in your GitHub project repository on the Settings tab, Security section, Secrets option, Actions sub-option. Add secrets with the names CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER along with their corresponding values from the contrast config command.

Add GitHub repository secrets

With those config keys set as repository secrets, you are now ready to use the Contrast SCA GitHub Action. Contrast SCA is an enterprise-level cybersecurity tool that identifies vulnerabilities in the third-party components that your project uses.

The Contrast SCA GitHub Action page gives examples of GitHub Action configuration files for use with several different languages. In this article we will walk through an example of using the NodeJS config file.

Create a new Git branch in your project with git checkout -b your-branch-name.

Create a new Git branch

Next, create a new GitHub Actions build file at ./.github/workflows/build.yml, if your project does not have one yet. If it does, you may want to just edit your existing file.

New GitHub Actions build configuration file

Then, in the build.yml file, add the job to run the Contrast SCA action. Use the Node template from the Contrast SCA GitHub Action page. Be sure that it uses the CodeSec config secrets that you made at the beginning of the article! Note: One difference from the template is that we won’t specify the apiUrl setting and will let Contrast SCA default to the free Community Edition of the Contrast tool suite server. You will also need to customize the path to your project’s config files and make sure that you target branch “main”, which is the default name of the repository’s primary branch on GitHub.

Example build.yml for a NodeJS project

Back on the command line, add the new file to your local Git repository, commit the changes and then push it up to your remote GitHub repository.

Git add, commit and push your new build file

The output of git push gives you a URL to use to create the pull request for your changes. In this example, it was https://github.com/JacobMagesHaskinsContrast/resource-mon/pull/new/add-sca-check.

Pull request on the GitHub repository

After merging the changes, you can look at the Actions tab and see that “SCA Node” is now an available workflow that runs in your repository.

SCA Node workflow in the repository actions

If your project has a vulnerability, like the deliberate example vulnerability in this project, you can click on the workflow’s run to see its details. In the details, you can find the specific vulnerabilities in libraries that your project uses, along with advice on fixing them.

Contrast SCA GitHub Action results

Conclusion

GitHub Actions are a powerful tool. Much could be written on all the various options available for using them to power your project’s CI/CD pipelines. The Contrast SCA GitHub Action, when paired with CodeSec, is a strong new tool for securing your project from cybersecurity threats.

Test out Contrast SCA’s newest GitHub Action feature for yourself with CodeSec!

To learn more about Contrast's new GitHub Action:

Click here for our video tutorial.
Click here to check us out on GitHub Marketplace.

Find JavaScript cyber-vulnerabilities for free

Orlandov14 — Tue, 11 Oct 2022 03:36:54 +0000

According to a 2022 Stack Overflow survey of more than 50K professional developers, JavaScript is the top programming language of choice. Finding cybersecurity risks in JavaScript code is critical for developers working with modern web technologies. CodeSec by Contrast can help developers find and fix risks in their code, like cross-site scripting (XSS) or broken access control vulnerabilities.

CodeSec is Contrast Security's free developer security motion that is very easy to install with either Homebrew, npm or straight from binary. You can find CodeSec at Contrast’s Developer Central online portal.

Once CodeSec is installed on your machine and you have authenticated with either your GitHub or Google account, you can start scanning your JavaScript project for vulnerabilities with the command contrast scan. Scan will look up to three folders deep in your project for either a single *.js file to scan or a *.zip file of JavaScript files to scan. At first glance, this might seem strange, but ZIP format is just a more compact way to upload the code files that need to be examined.

In this article, we will assume that you have a modern JavaScript project with multiple code files, such as the “browser-test-bench” project in the below screenshots.

First, let’s zip the project’s JavaScript files. The zip command-line utility tool provides arguments for recursively searching through your project’s folders to find JavaScript files while also excluding certain folders, such as node_modules.

Run Command (from within your project folder):
zip -R to-be-scanned “*.js” -x “node_modules”

There are, of course, plenty of variations of this command that you could do to make the ZIP file:

You could name it something other than “to-be-scanned.zip,” such as the day’s date or a company-specific format.
Your project may not have a node_modules folder full of third-party libraries but may have a lib folder instead.
Additionally, you may not want to do a recursive search through the project’s folders for JavaScript files. Instead, you might want to specify zipping only certain files instead.

Whatever your needs, the ZIP command’s man page (accessible in your terminal with the command man zip), and searching Stack Overflow are both great resources for learning about the ZIP tool’s options.

_Creating to-be-scanned.zip of project JavaScript files
_
Once the ZIP file of the project’s JavaScript files is created, you are ready to run the command to scan for vulnerabilities.

Run Command (from within your project folder): contrast scan

Contrast Security’s Scan product is a Static Analysis Security Testing (SAST) cybersecurity tool. This means that Scan examines static code files, as opposed to Contrast’s more dynamic analysis tools like Assess (an Interactive Application Security Testing [IAST] tool) and Protect (a Runtime Application Protection tool).

When the scan command starts, it looks for the ZIP file that we made earlier. Next, CodeSec uploads the ZIP file in order to analyze its JavaScript code files for vulnerabilities.

_In-progress cybersecurity analysis for JavaScript files
_
Once the Scan analysis is complete, CodeSec lists the vulnerabilities found. The vulnerabilities are sorted with the most critical-to-fix ones at the top and then descending in severity. Each vulnerability is described, has the file and line number of its occurrence listed, and provides resources for learning more about that cybersecurity risk. All of the information in the Scan analysis results can help you find and fix cybersecurity vulnerabilities before they become production-level incidents that your project’s support team needs to triage.

CodeSec’s Scan analysis results

Pro tip #1: Many modern front-end JavaScript projects minify their code for deployment in production. Minified JavaScript is not human-readable and, often, all on a single line, which means that the file and line number listing for a vulnerability in the analysis results won’t be very useful for you. Instead, try running contrast scan against your preminified code.

Pro tip #2: Because CodeSec is a command-line tool, you can incorporate Scan into your automated software processes, like we showed in our earlier article on using CodeSec with Git hooks.

Conclusion

CodeSec’s free vulnerability scanning support can help you find cybersecurity risks in your JavaScript project. CodeSec is a free way for developers to provide high-value software for this popular web technology choice.

Get started today for free.

How to create SBOMs for free

Orlandov14 — Mon, 03 Oct 2022 17:07:38 +0000

A recent Executive Order from the Biden Whitehouse instructs various government agencies to take action to improve our nation’s cybersecurity. One of those actions is to provide guidance and standards on Software Bills of Materials (SBOMs). In this article, we will explore what SBOMs are and how to easily create them with Contrast Security’s free developer toolset — CodeSec.

An SBOM is a standardized format for recording all the constituent parts of a software product. It lists all the open-source libraries used, other third-party proprietary libraries and some metadata about the custom code in the product. The hope is that software purchasers, such as the Federal Government, will be able to use SBOMs in a searchable way for early detection and resolution of vulnerabilities hidden within the various parts of the products they use.

Compiling and authoring an SBOM by hand can be a maintenance nightmare. No one in their right mind would want to have the chore of combing through all the libraries used in a project and recording their information in a very rigorous JavaScript Object Notation (JSON) format. Imagine making a mistake only a few hours into such a project as your mind starts to daydream about something more interesting.

Luckily, CodeSec by Contrast provides a very simple command for creating SBOMs. After installing CodeSec, navigate to the top level of your project in your terminal and run the following command:

Run Command: contrast audit --save

*SBOM file saved at the end of the contrast audit output
*
Near the end of the output of the audit command, CodeSec lists the name of the saved SBOM file. Viewing that file reveals it is a very extensive JSON record of the example project and the many libraries it uses. Some other highlights to note are that it lists the SBOM format used, the software vendor and the project name.

Once this file is created, it can be provided to customers or other security professionals related to your organization as needed.

Because CodeSec is a command-line tool, it is also possible to build software automation around creating SBOMs. For example, it is possible to add the following line to your project’s pre-commit Git Hook to create the SBOM and then add it to the commit, automatically and free for every commit:

git add ‘$(contrast audit --save | grep -e “(SBOM)” | cut -d “ ” -f 10)’

This command, if placed in pre-commit hook, would run CodeSec’s audit, tell it to create an SBOM, use grep to find the line in the audit output where the SBOM file name is at, then cut that line into pieces at every whitespace and grab the tenth piece — which is the full SBOM file name. After that, it would run Git’s “add” command to add the SBOM file to the commit in progress.

An SBOM provides greater transparency into the components that a software product uses, and that knowledge can help decrease cybersecurity risks for the purchasers of that product. CodeSec provides a super simple mechanism for automatically creating SBOMs that then enables even more opportunities for automating the SBOM creation process. Get started today!

How to scan for cybersecurity risks on every commit with CodeSec and Git Hooks for free

Orlandov14 — Thu, 18 Aug 2022 22:05:27 +0000

Good programmers are lazy.

It’s a common euphemism in the software development world: a humorous, counterintuitive statement that describes a real phenomenon. Good programmers look for simple, efficient solutions to hard problems. Often, that means making our machines do the work for us in new ways. Today, we will be exploring how to make your computer automatically check code for cybersecurity risks on every commit to a Git repository so that us devs will not need to remember to do that on our own.

1. Git Hooks

Git is a modern and popular code repository. Through its Git Hooks feature, you can extend its built-in capabilities with custom scripts that are run when certain repository events occur, such as commits.

Examples of common custom scripts that a developer might want to run when a commit action occurs are running tests, code formatting or even commit message reformatting to include the ticket number. The beauty of this pre-commit hook is that the developer doesn’t have to remember (and potentially forget) to run these commands on their code prior to each time they commit a change.

If a project is set up to use a Git repository, it will have a “.git” folder at the top level of the project’s directory structure. Within that folder is a “hooks” folder, which contains sample scripts for the different repository events, such as “pre-commit.sample.” It may also contain script files for any hooks that you’ve previously created.

We’re interested in making a pre-commit hook to scan our code for cybersecurity vulnerabilities every time we commit changes. To create a new git hook script file, simply copy the “pre-commit.sample” file, rename it to remove the “.sample” file extension, open the file in a text editor and delete the sample script contents.

Pro tip: Alternatively, we could make a new file named “pre-commit,” but on Unix-like machines, we’ll need to give it permission to be executed. An easy way to do that is by running the following command:
chmod +x .git/hooks/pre-commit

2. CodeSec pre-commit shell script

Git runs the pre-commit script before actually creating the commit for our code changes. As such, the requirements for our script to find cybersecurity vulnerabilities are:

1. Run both contrast scan and contrast audit commands to scan for vulnerabilities in the project code and in any third-party libraries;

2. Examine the output of each of those commands to see if any critical or high-risk vulnerabilities are found; and

3. Stop the commit process if risks are found, but continue with the commit if none are found.

To accomplish the first requirement, we need to have CodeSec by Contrast installed on our local development machine. Installation instructions are available on Contrast Security’s Developer Central hub. We also illustrated, step-by-step, how easy it is to install CodeSec in a previous article about finding Log4j vulnerabilities.

Once CodeSec is installed, we can pipe the output of the CodeSec commands to the Grep tool to search for the keywords “CRITICAL” and “HIGH,” which will be present if CodeSec lists out any critical or high-risk vulnerabilities. Finally, if Grep finds a vulnerability in the output, we can exit the commit process early without actually committing any of your code changes.

This is an example output for contrast audit when a high-risk vulnerability is found.

We can see in the screenshot that CodeSec found a high-risk vulnerability, indicated by the “HIGH” keyword.

Below is the full code of the pre-commit script where Grep searches the CodeSec output for the “CRITICAL” and “HIGH” keywords and exits the commit process early if found:

#!/bin/sh

#Existing pre-commit scripts could go here....

if contrast scan | grep -e CRITICAL -e HIGH; then
  echo "\n💩 One or more vulnerabilities found in code. Please run 'contrast scan' for more details."
  exit 1
fi

if contrast audit | grep -e CRITICAL -e HIGH; then
  echo "\n💩 One or more vulnerabilities found in libraries. Please run 'contrast audit' for more details."
  exit 1
fi

The script functions just as described above. It’s a shell script with two “if” blocks. The conditional expressions of each “if” calls the CodeSec commands, pipes the output to Grep so that it can search for critical or high-risk vulnerability listings, and exits early from the commit process if any are found. To use this script, just add it to the pre-commit file in the .git/hooks directory that we made in the first part of this article.

This is what it looks like in action for a Git commit:

Conclusion

The key feature in this example is that CodeSec can find cybersecurity vulnerabilities in our code, and Grep can search the output of CodeSec. Together, these two tools are a springboard for software process automation. In our example, it prevents risky code from being committed to the project repository every time a developer tries to commit code. This is like having an in-house cybersecurity expert code review every change without forgetting to check something or making a mistake, and doing it every day, for free. This is what it means to be a lazy programmer who works smart instead of hard: A good programmer makes the machine do the work instead.

Start securing your code today for free with CodeSec

How to detect Log4j vulnerabilities in Java projects for free with CodeSec

Orlandov14 — Mon, 08 Aug 2022 04:44:00 +0000

Log4j is a popular Java logging tool with a critical cybersecurity vulnerability that gained global attention in December 2021. The U.S. Dept. of Homeland Security’s Cyber Safety Review Board stated in a recent report that it is one of the most serious vulnerabilities seen in years. Because of the popularity of the Log4j tool with Java developers, the problem is an “endemic vulnerability” for the software industry, according to the board. Luckily, we can identify this security vulnerability in Java projects at no cost with the fastest and most accurate free scanner in the market, CodeSec by Contrast!

1. Get started with CodeSec

For this walkthrough, we will use both CodeSec and a demo of the Log4j exploit. The first step is to get CodeSec onto your machine. Contrast Security has great instructions on our Developer Central hub for getting started with CodeSec, but we will review the process here as well.

a. Install CodeSec

As of August 2022 Contrast Security offers three options for installing CodeSec: Homebrew for MacOS, NPM for any operating system running newer NodeJS versions and binaries through Artifactory.

For this example we will be using NPM:
Run Command: npm install -g @contrast/contrast

Pro tip: Running the command contrast help will show you the usage guide if the install has gone successfully.

b. Authenticate

Authentication is needed to access Contrast Security’s enterprise-class cybersecurity services through CodeSec. You can use your existing Github or Google account to authenticate.

To authenticate, run the command contrast auth

A tab will then open in your browser, asking you to finalize your authentication by connecting with your existing Google or GitHub account.

*Note: * When completing the authentication steps for the first time, your command line may disconnect and output a message stating that the authentication session has timed-out. But do not worry! By re-running the command contrast auth, a new browser window will open, and this time when the initial path chosen to authenticate (GitHub or Google) is clicked, the window will immediately redirect to the Success page, and your terminal will output an “Authentication successful” line.

Now that CodeSec is set up to use locally, the next step is to get a demo of the Log4j vulnerability.

2. Log4j vulnerability

The NIST National Vulnerability Database’s page on the Log4j vulnerability has a wealth of resources about this security concern, including links to demo projects with example code implementing the vulnerability.

One linked project is the “Apache Log4j2 2.14.1 Remote Code Execution” project from Packet Storm (available here). It is a very minimalist proof of concept project that includes vulnerable versions (in this case, 2.14.1) of the Log4j libraries as Maven dependencies in the project’s pom.xml file.

Once you have the project downloaded and unzipped locally, you can check it for vulnerable third-party dependencies. In our case, we are concerned with using vulnerable versions of Log4j.

Utilize CodeSec by Contrast to secure those vulnerable libraries by running the command: contrast audit

As described, this simple command from CodeSec found the vulnerable versions of Log4j defined in our project. Additionally, it lists the specific vulnerability codes (which we could look up in the NIST NVD database for more details), and it gives advice on how to make the project more secure by upgrading the versions of Log4j used.

Contrast Security also has an entire online portal dedicated to the Log4j problem. There you can find more resources, whitepapers and information about all the other tools Contrast Security offers for handling and remediating your Log4j risks.

Conclusion

CodeSec gives developers an expert tool that handles the chores of searching Java projects for vulnerabilities while staying up to date on the latest developments in cybersecurity research. It is a highly valuable and free utility that can improve a team’s software development practices.

Start securing your code today for free with CodeSec

Secure Open Source Code in minutes for free with CodeSec

Orlandov14 — Wed, 03 Aug 2022 20:53:00 +0000

Contrast Security is expanding its free developer tool, CodeSec, to include Open Source Security (OSS) and Software Bill of Material (SBOM) creation with its new SCA capability. Empowering developers to Identify vulnerable libraries in OSS and receive actionable remediation guidance, allowing them to ship code faster. The new feature will also enable users to manage software supply chain risk by allowing them to create SBOMs with ease.

What is CodeSec?
Contrast’s new free developer tool brings the fastest and most accurate scanner on the market right to developers for free. By packaging the same scanning engine used in our Contrast Security platform into a simple command-line interface (CLI), CodeSec empowers developers to scan, secure, and ship their code in minutes.

Getting Started with CodeSec - SCA in just 3 steps

1. Open a command-prompt or terminal, then install with NPM, Homebrew or by downloading binaries from Artifactory:

For this example will be using NPM. For other install options click here.

npm install -g @contrast/contrast

2. Authenticate using your existing GitHub or Google account.

contrast auth

3. Time to Scan your Open Source!

Navigate to your chosen directory.
Then run a SCA scan on your Java, Javascript, Python, Ruby, GO, PHP, .NET code with the following command.

contrast audit

In minutes CodeSec by Contrast will report all vulnerabilities found with actionable remediation guidance.

Happy Scanning!

Test out CodeSec for yourself with our evaluator guide!

Orlandov14 — Thu, 16 Jun 2022 14:54:51 +0000

CodeSec by Contrast brings the fastest and most accurate scanner in the market right to your development workflow for free!

Make code and serverless security simple and efficient with quick scan times, market-leading accuracy, actionable results and seamless integration. Up and running in less than 5 minutes.

We here at Contrast, have created this guide to not only show developers what CodeSec can offer, but also give them the tools to test it and see for themselves just how fast, accurate and seamless CodeSec can be!

See For Yourself: https://www.contrastsecurity.com/security-influencers/codesec-by-contrast-security-evaluator-guide

New Free Developer Security Tool of 2022!

Orlandov14 — Tue, 14 Jun 2022 19:01:15 +0000

Meet CodeSec by Contrast
Secure Code with the fastest and most accurate scanner in the market. Get Immediate & actionable result. Up and running in less than 5 minutes for free!

CodeSec makes developer security efficient and accurate by delivering the following capabilities right to the developer’s laptop, through a simple command line interface (CLI):

CodeSec – SCA: Secure vulnerable libraries in your open-source software (OSS) with lighting speed, accuracy, and actionable remediation guidance to ship code faster and create a standardized Software Bill of Materials (SBOM) to manage supply chain risk with ease. Additionally, you can secure your Github pipeline with Contrast GitHub Actions for free. Click Here to learn more. Supports: Java, JavaScript, Python, Ruby, GO, PHP, and .NET
CodeSec – Scan: Optimize code security for applications with fast, industry-leading (SAST) scans and actionable remediation guidance, in a simple command line interface. Additionally, you can secure your Github pipeline with Contrast GitHub Actions for free. Click Here to learn more. Supports: Java, JavaScript, Angular, React, JQuery, and .NET
CodeSec – Serverless: Take advantage of a new ground-breaking application security tool for serverless environments in AWS Lambda functions that detects cloud-native vulnerabilities quickly and accurately while providing actionable remediation guidance. Supports: Java, and Python

Start Now For Free