I’m going to scratch a big surface here, but let’s see how Azure DevOps can help us to bring more security into our code base. This is first part of three post series about how to add Sec into Azure DevOps.
We are more and more depended of other peoples code. Packaging systems like Nuget and NPM gives us power to fetch huge amount of code in blink of an eye. This also makes us more vulnerable for security issues which are implemented by the people out side of our project. It’s important to be aware of potential security issues and then decide with facts, if they should be fixed immediately, or if the business can carry these security issues.
Automated code analyze with WhiteSource Bolt
WhiteSource Bolt is a free tool which scans code base for open source components and detects license and security problems. To start using WhiteSource Bolt, first install it from Marketplace, then setup basic information from WhiteSource Bolt page and finally add “WhiteSource Bolt” as build step.
Now after every build WhiteSource Bolt gives us a nice report of open security issues and what licenses might be undesirable.
This report is from basic ASP.NET MVC project template, which is created with Visual Studio 2017 and doesn’t have any modifications. It seems to be secure (phew!), but there are few licenses which are bit hazy.
This page displays a list of licenses and how individual licenses work. Combined with the WhiteSource Bolt report, this gives us an effective way to be compatible with the license terms.
Good way to tackle security and license issues is to treat them as any work. Create individual tickets/work items, prioritize them and start fixing problems one by one. With WhiteSource Bolt Report it’s easy to monitor improvement over time and ensure, that our application gets more secure.