Fix Version/s: None
As a Security Auditor (and even as a developer interested in making my code more secure), SQ/SC is already very helpful to help me track and fix vulnerabilities. But I don't have any way to quickly get the big picture and particularly to quickly see how vulnerable the application is against the main security standards: OWASP Top 10 and CWE/SANS TOP 25 Most Dangerous Software Errors.
The OWASP Top 10 corresponds to the 10 most critical web application security risks as defined by the OWASP community (Open Web Application Security Project).
When looking at the OWASP or SANS categories and the number of security issues attached to each, I would like to know the CWE weaknesses I'm exposed to with the detected security issues.
MMF-1249 provided a new Security Hotspot issue type, which will significantly help me drive my manual code review process by highlighting the pieces of code that should be reviewed in priority.
I also need a dedicated space to quickly get the big picture on all existing Security issues: Vulnerabilities, Hotspots, and manual Vulnerabilities to perform my next manual code review. But, I'm not likely to be embedded in the development team (it's more likely I'm a once-a-quarter, hired-gun auditor) so things like who an issue is assigned to or how long it will take to fix it are just distractions for me. Instead, I need issues presented in a trimmed-down, security-focused interface that classifies security issues based on the CWE weaknesses/OWASP risks they can lead to.
Further I know that reviewing all those Security Hotspots can be time consuming and doing so requires some specific skills. So I don't want to bother developers with those hotspots.
This new Security Reports space will be part of the Community Edition, and is part of our strategy to entice community users to upgrade to Developer Edition to get access to SonarSecurity.
The 10 OWASP categories are defined by:
- an identifier: A1, A2, ..., A10
- a description: Injection, Broken Authentication, ..., Insufficient Logging & Monitoring
CWE stands for Common Weakness Enumeration and it is a list of common software security weaknesses: https://cwe.mitre.org/
The SANS Top 25 is a list of 25 top-priority CWE items divided into 3 categories: Insecure Interaction between Components, Risky Resource Management, Porous Defenses.
In a new menu called "Security Reports", at project (and application, and portfolio) level, I want to get access to two reports. One for OWASP Top 10 and one for SANS Top 25.
These reports deal with security issues only and so I don't expect to see other types of issues here. Each report should reflect the Vulnerability (manual + automatic) Rating, and (manual + automatic) Vulnerability issue counts for Open, Won't Fix, and False Positive issues, and the counts of Open and Won't Fix issues for Security Hotspots.
By default, in each report I only want to see the top-level categories, with a toggle to see the CWE details.
When I click on a count of security issues, I will land on the Issues page with the appropriate filters applied.
In the Hotspot issue block I don't want:
- to see the Assignee or be able to change it.
- to see the Effort.
- Severity should be visible for Vulnerabilities but hidden for Hotspots
As part of this initiative, the Language filter will be moved up the list of filters to just above Rule. Additionally, filtering will be added just after the Rule facet for Security Standards:
- OWASP Top 10 - 10 categories
- SANS Top 25 - 3 categories
- CWE - top 15 by issue count
I want to see the numbers of security issues (Vulnerabilities - manual + automatic - and Security Hotspots) associated with each OWASP category. If a security issue has no OWASP category, the issue will be presented in a "Not OWASP" category. If there is no CWE identifier associated with an issue, the issue is counted into a default "Unknown CWE" group.
Finally, I have a matrix combining:
- the OWASP category (with a link to the online description of this OWASP category)
- the CWE identifiers (with a link to the online description of this CWE weakness)
- the issue types (Vulnerability and Security Hotspot)
SANS defines 3 categories: Insecure Interaction Between Components, Risky Resource Management, Porous Defenses
Then each category is composed of CWE identifiers, with a total of 25 CWEs in all.
As part of
MMF-1249, Hotspot-specific measures were created. In retrospect, we realize that they aren't actionable and that we wouldn't want anyone adding them to a Quality Gate. So those metrics will be dropped in this sprint.
It should be possible to associate a rule, and therefore its issues, with a list of CWE identifiers outside of rule/issue tagging in order to be able to group issues by CWE identifier. This metadata is attached to the rule and inherited by its issues, and is not editable on either.
It should be possible to associate a rule, and therefore its issues, with a list of OWASP identifiers outside of rule/issue tagging in order to be able to group issues by OWASP Top 10 categories. This metadata is attached to the rule and inherited by its issues, and is not editable on either.
This CWE and OWASP identifiers are already available in RSPEC in the "Standards" tab and also in the "See" section in the description of the rule. RuleAPI should be modified to provide the "Standards" identifiers on the JSON files representing the rules's metadata and so Analyzers should also be impacted to take that information into account.
A new "Security Reports" menu entry is available in the Project context. It has two options: "OWASP Top 10" and "SANS Top 25".
The OWASP Top 10 page shows a list of all OWASP categories. For each category, we display:
- the count of "open" Vulnerabilities (manual and automatic)
- the vulnerability rating (= worst severity)
- the count of "open" Security Hotspots
- the count of "to review" Security Hotspots
- the count of "won't fix" Security Hotspots
The Issue boxes for Security Hotspots provide less data and fewer actions. The EffortToFix is not present for Hotspots. Therefore, the "Effort" Display Mode won't be available if Security Hotspots are shown in the list. Hotspots on the Issues page are only visible to users having permission to browse them. For others, the "Security Hotspot" item in the "Type" facet won't appear. This means users having permission to browse Hotspots will be able to see them mixed with other types of issues inside the Issues page.
A new facet "Standard" is present. It opens to 3 nested facets for each standard "OWASP Top 10", "CWE" and "SANS Top 25". The OWASP Top 10 and SANS Top 25 facets will list all items for which there are issues in the current search. The CWE facet will list up to the top 15 items for which there are issues, with a search box at the bottom when there are more than 15 items with issues.