Hunting for weak spots in Java and Python projects is easier than ever with SAP’s Vulnerability Assessment Tool
Does your Java project have a giant target hiding deep within its code? Thanks to the all-new Vulnerability Assessment Tool from SAP, developers can find, assess, and mitigate known security issues in their Java and Python apps.
Data security should be more than an afterthought in your development process. Unfortunately, too often open source projects have major vulnerabilities lurking in their libraries. How can we hunt down these liabilities? Thanks to SAP, the new Vulnerability Assessment Tool is here to keep you from being ambushed by the next big security fiasco.
The Vulnerability Assessment Tool is a collection of client-side scan tools, RESTful microservices, and rich OpenUI5 Web frontends. It analyzes Java and Python projects, highlighting any dependencies with known vulnerabilities. Then, it collects any evidence if the suspected code has been executed in a given application context, before mitigating the use of such dependencies.
Where’s your weak spot?
Sadly, security breaches are not that uncommon these days. The Vulnerability Assessment Tool is different since it detects issues based on code and usage, not meta-data. Specifically, it focuses on vulnerable components that already belong to the OWASP-Top 10 2017 A9, the National Vulnerability Database, or the CVE list. If anything shows up, it lets the developers know so they can be forewarned.
This open source tool lets developers scan Java apps built with Maven, Gradle, and other build systems. Python apps are also covered.
One of its more interesting features is the testing phase, where the tool uses static and dynamic analysis to determine if the vulnerability is serious. Static code analysis is commonly done to see if there is any code-level vulnerabilities in an app before a release. Call graph analysis and trace information collected during JUnit and integration tests support this assessment.
Additionally, if a new vulnerability is discovered and added to the reference base, your app does not need to be re-scanned. The tool already knows whether your previously scanned apps are affected or not. This way, developers can instantly find out if they’re affected by a new security breach.
However, there are some limitations for this tool that you should keep in mind. There’s no authentication or authorization method yet, so you shouldn’t run the web frontends or server-side microservices on systems accessible from the internet. Additionally, the static and dynamic analyses aren’t available yet for Python. The static analysis for Java is only supported up to Java 8.
Getting the Vulnerability Assessment Tool
This open source security tool is freely available on GitHub. You’ll need to build a workspace to utilize this tool, but it’s pretty simple with Docker and Java 8 JRE. Other requirements may include Maven 3.3+, Python 3, and Gradle 4, depending on your project.