
Coding enhances security vulnerability scanning capability and helps the team "move left safely"

2022-06-24 16:57:00 CODING

Code security incidents are frequent, and prevention and control are urgent

In 2010, the large social networking site rockyou.com was found to have a SQL injection vulnerability, which hackers used to obtain 32 million user records. In 2015, the UK telephone and broadband provider TalkTalk was attacked by a 15-year-old hacker using SQL injection vulnerabilities, leaking nearly 4 million customer records. In 2018, Marriott leaked the personal information of 339 million guests and was fined 18.4 million pounds (about 160 million yuan).

According to a WhiteHat Security study, at least 50% of the applications used across industries contain one or more serious exploitable vulnerabilities, and these emerging security flaws pose a major threat to the production and operation of enterprises. Traditional static application security testing (SAST), however, often takes a long time to scan and analyse: larger projects frequently take hours per scan, feedback is far from real time, and for rapidly iterating web application development this seriously slows down the whole pipeline. At the same time the false positive rate is high, with multiple alerts for the same vulnerability being common, so the development team has to spend considerable resources identifying and eliminating these false positives; as a result, the team cannot integrate SAST into DevSecOps.

DevSecOps is a concept proposed by Gartner in 2012. Its goal is to embed security into every stage of DevOps (requirements, architecture, development, testing, and so on), so as to shift security left, make everyone responsible for security, turn security from passive to active, and ultimately let the team develop safer products more quickly.

Faced with potential product security risks and the challenges of implementing DevSecOps, how to promote "shift-left security" and how to build DevSecOps on top of a stable DevOps foundation to ensure development security has become a topic that enterprise R&D teams need to focus on.

CODING x Xcheck: comprehensively strengthening code security capability

Since CODING Code Scanning opened for public trial, it has provided scanning services to more than 5000 teams. By analysing the source code in the code repository, it helps the development team find hidden code defects, security vulnerabilities and non-standard code in time, and automatically generates an issue list with fix suggestions so that team members can quickly fix problems and improve code stability. It also measures the code, reporting methods with extremely complex structure and duplicated code for developers to adjust, which in turn improves code maintainability.

On the road of helping enterprises build DevSecOps, CODING Code Scanning is also deepening. This update, on top of the original code reliability and code standard scanning capabilities, comprehensively strengthens code security by integrating Xcheck, the static application security testing tool developed in-house by Tencent CSIG. This opens up Tencent's strong internal R&D capability to help R&D teams accurately inspect business code and discover and avoid security risks in time.

Xcheck is built on mature taint analysis technology combined with precise dissection of the abstract syntax tree, implementing taint propagation and tracking in a clean and elegant way. In testing on a Linux virtual machine with 4 cores and 16 GB of RAM, Xcheck's inspection speed is above 10,000 lines/s, and some projects reach above 20,000 lines/s. At the same time, a large number of projects have been fed to Xcheck for false positive optimisation, and the current false positive rate for each language is below 10%. As a lightweight plug-in, Xcheck interrupts users less and can find hidden security risks in code more quickly and accurately, helping R&D teams produce code securely and keep code secure.
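To illustrate the taint-tracking approach described above, here is a deliberately small Python example added for this page (it is not Xcheck's code and says nothing about how Xcheck is implemented). It walks the abstract syntax tree, marks values returned by an assumed untrusted source `request.args.get` as tainted, propagates taint through assignments, string concatenation and f-strings, and reports calls to the assumed sink `cursor.execute` whose query argument is tainted. It models neither sanitisers nor cross-function flow, which is exactly where a real engine's false-positive work goes.

```python
import ast
# Constructed sample (not from the article): two injectable queries, one parameterised.
SAMPLE = '''
def lookup(request, cursor):
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)                                        # concatenation
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'") # f-string
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))  # parameterised
'''
SOURCES = {"request.args.get"}  # assumed source of untrusted input
SINKS = {"cursor.execute"}      # assumed SQL sink; first argument is the query text

def dotted(node):  # render a call target such as request.args.get as a dotted name
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def is_tainted(node, tainted):
    """Taint propagates through names, + and % operators, f-strings and source calls."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.BinOp):
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):
        return any(is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    return isinstance(node, ast.Call) and dotted(node.func) in SOURCES

class TaintScanner(ast.NodeVisitor):  # straight-line tracking; no sanitiser model
    def __init__(self):
        self.tainted, self.findings = set(), []
    def visit_Assign(self, node):
        names = {t.id for t in node.targets if isinstance(t, ast.Name)}
        if is_tainted(node.value, self.tainted):
            self.tainted.update(names)
        else:
            self.tainted.difference_update(names)  # clean reassignment clears taint
        self.generic_visit(node)
    def visit_Call(self, node):
        if dotted(node.func) in SINKS and node.args and is_tainted(node.args[0], self.tainted):
            self.findings.append(node.lineno)  # line of the vulnerable sink call
        self.generic_visit(node)

def find_sqli(source):  # return line numbers of sink calls whose query carries taint
    scanner = TaintScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings
```

Running `find_sqli(SAMPLE)` reports lines 5 and 6 and leaves the parameterised query on line 7 alone; the reassignment rule in `visit_Assign` is the kind of small precision improvement that keeps the false positive rate down.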

Enable with one click and safeguard the enterprise's digital assets

Now, through CODING Code Scanning, you can use the code security analysis capability that Xcheck has matured. Go to CODING and, under "Code Scanning - Scanning Plan", click the button to enable the Xcheck rule package to start code security detection; no additional settings are needed and the operation is simple. Java is currently supported; Python, PHP, Go, JS and other languages will be supported one after another starting in April.

With the help of CODING Code Scanning and Xcheck, developers can detect security vulnerabilities in advance and act on them quickly, moving security risks left into the development stage where they are resolved. This greatly reduces the cost of fixes, shortens lead time, and helps the team develop products with a higher safety margin more efficiently, while also avoiding the loss of reputation and assets caused by application security incidents and safeguarding the enterprise's digital assets.

At present the CODING Code Scanning function is still in open trial; click "Read the original" to try it immediately. Follow the CODING official account, where we will later share more real cases of code security vulnerabilities to help your team practise DevSecOps better. Stay tuned!

Recommended reading:

1. CODING help documentation - Code scanning introduction: https://help.coding.net/docs/host/code-scan/introduce.html

2. CODING help documentation - Xcheck tool: https://help.coding.net/docs/host/code-scan/xcheck.html

3. To learn more about Xcheck and code security audit related technologies, follow the Xcheck official account:

Tencent Code Security Check Xcheck


Copyright notice
This article was written by [CODING]; please include the original link when reposting. Thank you.
https://yzsam.com/2021/04/20210402174242667K.html