Kiuwan Code Security allows you to perform a security-focused analysis of your source code.
This analysis will be based on detection of security issues and vulnerabilities through an in-deep inspection of your source code.
Kiuwan Code Security provides a full report on security vulnerabilities, from a top view (Security Rating) to a fine-grain detailed view of vulnerabilities (and how to solve them).
Kiuwan Code Security arranges security aspects in three dashboards:
- A comprehensive top view of your application security (overall security rating, vulnerabilities quadrant, effort to reach upper levels of security, top-10 security vulnerabilities, top-10 worst files and timeline evolution of security indicators)
- A file-based top-down view of security issues, i.e. a view that is organized on how secure are the source files of your application, letting you indentify which ones are less safe
- A security analysis page where you can inspect and manage all the vulnerabilities found in your source code, allowing you to search for specific defects, filter by vulnerability type, priority (and other criteria), and find remediation tips for all the security issued found in the analyzed source code.
Let’s go through them in detail.
The Summary provides a comprehensive high level overview of your application security, allowing you to have a complete security dashboard of your application at your fingertips.
- Overall security rating,
- Vulnerabilities quadrant,
- Effort to reach upper levels of security,
- Top-10 security vulnerabilities,
- Top-10 worst files, and
- Timeline evolution of security indicators
Kiuwan Security Rating is a discrete 5-star grade that tells you how secure your application is in terms of the likelihood and impact of the found vulnerabilities.
This rating concentrates all the security evidences found in the source.
Applications with 5 stars are considered to be secure, whereas those with 1 star are considered to be very insecure.
Security vulnerabilities are grouped in a quadrant according to two major axes:
- Impact of the vulnerability, according to the severity of the associated security risk
- Likelihood of the event that could cause the associated security breach
These two axes produce 4 quadrants. Kiuwan summarizes found vulnerabilities for each quadrant.
In this image, you can see that Kiuwan found 271 vulnerabilities and how kiuwan distributes them in the 4 quadrants:
- Low : likelihood and impact are both low
- Normal: likelihood is high and impact is low
- High: likelihood is low but impact is high
- Very High: both likelihood and impact are high
Security rating is based on following:
- Security Rating starts from 1 (i.e. 0 is not considered) when there is at least 1 Very-High (high impact, high likelihood) vulnerability
- 2-star rating when there is at least 1 High (high impact, low likelihood) vulnerability and none of higher priority
- 3-star rating when there is at least 1 Normal (high likelihood, low impact) vulnerability and none of higher priority
- 4-star when there is at least 1 Low (low likelihood, low impact) vulnerability and none of higher priority
- 5-star when there are no vulnerabilities in terms of likelihood and impact for your application security
Based on analysis results, Kiuwan also calculates the Effort you need to invest to reach the different rating levels according to the remediation effort associated to fix each vulnerability.
Top 10 Vulnerabilities and Worst Files
Code Security Summary also provides a Top-10 ranking of vulnerability types and worst files. This way, you can easily concentrate on major contributors to current security rating.
Any Kiuwan vulnerability is categorized according to its type.
- Buffer handling
- Control flow management
- Design error
- Encryption and randomness
- Error handling and fault isolation
- File handling
- Information leaks
- Initialization and shutdown
- Number handling
- Permissions, privileges and access controls
- Pointer and reference handling
- System element isolation
The Top-10 Vulnerabilities By Type graphic lets you to view which ones are the most frequent in your application showing the total number of vulnerabilities for every type.
Clicking on the vulnerability type you will be able to see associated defects (that link will forward you to Vulnerabilities page with the defects filtered by the selected type).
If you want to see which vulnerabilities are checked by Kiuwan for every type, you should go to Model Management, select your model and click on Security Rules.
The Top-10 Worst Files graphic displays a ranking of worst (low-rated) files of your application, showing the security rating and the number of vulnerabilities found.
The Timeline section displays a historical evolution of your Security Rating and Total Effort (to reach 5-star rating) as well as the total LOC size of your application.
This section also displays information on:
- When a baseline analysis was performed (only applicable if you are using Life Cycle). If you are not using Life Cycle, that date will be current date of the analysis.
- Model used for the current analysis
- Portfolios this analysis belongs to
- Graphical distribution of LOCs in different languages
Files provides a detailed view of your application files according to security issues.
It provides some summary data as well as detailed info on every file of your application.
Security Rating is the overall rating as described in Code Security Summary.
The Distribution By Rating displays a histogram where you can see the distribution of files according to their security rating (1-5 stars).
Distribution By Number of Vulnerabilities displays a histogram where you can see the distribution of app files according to the number of vulnerabilities. Quantities are grouped in 5 ranges calculated based on the maximum and minimum number of vulnerabilities in the application.
Files table lists application files with the following information:
- Security rating (individually calculated for every file)
- Lines of Code in the file
- Number of Vulnerabilities found in the file
- Distribution of vulnerabilities by priority in the file
- Effort to reach 5-star security rating for the file
You can order results (in ascending or descending order) by clicking on each column name.
Vulnerabilities provide a detailed view of all the application’s vulnerabilities, allowing to:
- Search vulnerabilities according to multiple search criteria
- Order and group vulnerabilities by different characteristics
- Inspect details of every single vulnerabilities
- Access to vulnerability description and remediation tips
Clicking on the sandwich menu on the top-left you can:
- Compare analysis results with any other analysis
- Mute vulnerabilities
- Export vulnerabilities to CSV format
Please visit Kiuwan Code Analysis site for info on the above functionalities.
General section displays group information on vulnerabilities:
- By Vulnerability Type: number of vulnerabilities for every type (please see XXXXXXX)
- By Language: number of vulnerabilities found for every programming language
- By Priority: number of vulnerabilities found by priority (according to security rules priorities as defined in the model used for the analysis)
Figures are also displayed for
- Violated Rules: number of security rules (checks) with associated vulnerabilities
- Vulnerabilities: total number of vulnerabilities found in app source code
- Very High: number of Very High vulnerabilities
- Security Rating: overall application security rating
Along with these metrics, Vulnerability page displays a full listing of defects that you can browse, filter and order by following criteria:
- Files: Number of files that are not conformant to the selected security rule
- Defects: Number of vulnerabilities found for the selected security rule
- Rule: Name (desc) of the security rule
- Priority of the rule (from Low to Very High)
- CWE weakness reference(s) mapping for the selected security rule
- Characteristic : main software analytics categorization of the selected rule
- Vulnerability Type: security topic addressed by the selected security rule
- Programming Language
- Effort to invest to fix all the vulnerabilities of the selected security rule
Clicking on a vulnerability row will let you drill down to detail on security rule (from general description to the specific line of the vulnerability in a source file).