The Cure For Security Alert Fatigue Syndrome
willem-delbare
Posted on February 23, 2024
Most security tools waste developers’ time. We’re on a mission to fix this.
Application Developers aren't paid to care about security. Their performance is measured by the speed at which they can add value to the business through new features or enhancements.
This makes traditional security tools a hindrance as they're not built for developers — plus, they're not designed to be helpful. Their job is simply to show a massive list of security alerts, leaving it to the developer to figure out the rest.
At Aikido, our mission is to make securing applications as quick and painless as possible, and one of the most important ways we do this is by reducing the noise and false positives that waste developers' time and cause delays in shipping security fixes.
This post will show you what Aikido does to offer a cure for Developers suffering from Alert Fatigue Syndrome.
Reducing the Noise
In his famous song "The Gambler," Kenny Rogers captured it pretty well:
"The secret to survivin' is knowin' what to throw away and knowin' what to keep."
The most significant impact you can have on the signal-to-noise ratio is only showing developers the CVEs and security alerts they should take action on and ignoring the rest.
Here’s how Aikido intelligently ignores irrelevant security alerts and CVEs:
Development-Only Dependencies
By default, Aikido will not report vulnerabilities for dependencies marked only for installation in development environments, as they should not be present in staging or production environments.
Invalid CVEs or CVEs Without a Fix
Showing a CVE without a fix is just a distraction, so Aikido temporarily moves these to a list of ignored issues and surfaces them in the dashboard only once a fix becomes available.
Unreachable Code
Aikido's code intelligence and reachability engine will ignore a CVE if a vulnerable function is not called in the code base.
This decreases the noise, especially for large libraries with many dependencies, such as TensorFlow.
Expired or Revoked Secrets
Aikido will ignore secrets that have been verified as expired or revoked, or that appear to be variables rather than real values. Aikido safely verifies the validity of known secret types by sending a request to an API endpoint that requires authorization but does not return sensitive data.
Manual Ignore Rules
You can configure Aikido to ignore vulnerabilities under certain conditions, e.g. ignore reporting for specific paths in a repository.
Deduplication
Because most companies piece together their security infrastructure from several different sources, it's common for multiple systems to surface the same alert or CVE — plus, it’s common for traditional tools to surface the same CVE multiple times within a single repository. Talk about noise!
Because Aikido is an all-in-one platform offering you a single pane of glass across all security issues, you'll only see a single CVE alert for each repository with sub-issues listing the location of each vulnerability.
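The ignore rules and deduplication described above, as an added example that is not Aikido's code: a small triage pipeline over constructed finding records (the CVE ids, paths and ignore patterns are placeholders) that drops development-only, unreachable, revoked-secret and manually ignored findings, parks fix-less CVEs, and collapses what remains into one issue per repository and CVE with each location as a sub-issue.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple

@dataclass
class Finding:
    repo: str
    issue_id: str                 # CVE id or secret type; values below are constructed placeholders
    path: str
    dev_only: bool = False        # dependency installed only in development environments
    fix_available: bool = True
    reachable: bool = True        # the vulnerable function is actually called from the code base
    secret_state: Optional[str] = None   # "valid", "expired" or "revoked" for secret findings

# Manual ignore rules: path patterns the team has chosen not to report on (constructed).
IGNORE_PATHS = ["*/test/*", "docs/*"]

def triage(f: Finding) -> str:
    """Classify one finding as 'report', 'ignore', or 'snooze' (parked until a fix exists)."""
    if f.dev_only or not f.reachable:
        return "ignore"
    if f.secret_state in ("expired", "revoked"):
        return "ignore"
    if any(fnmatch(f.path, pattern) for pattern in IGNORE_PATHS):
        return "ignore"
    if not f.fix_available:
        return "snooze"           # re-evaluate once the advisory lists a fixed version
    return "report"

def dedupe(findings: List[Finding]) -> Dict[Tuple[str, str], List[str]]:
    """Collapse reportable findings into one issue per (repo, issue_id); each path is a sub-issue."""
    issues: Dict[Tuple[str, str], List[str]] = {}
    for f in findings:
        if triage(f) == "report":
            issues.setdefault((f.repo, f.issue_id), []).append(f.path)
    return issues

# Constructed sample findings: seven raw alerts that should collapse to a single issue.
SAMPLE = [
    Finding("shop", "CVE-0000-0001", "package.json"),
    Finding("shop", "CVE-0000-0001", "services/api/package.json"),   # same CVE, second location
    Finding("shop", "CVE-0000-0002", "package.json", dev_only=True),
    Finding("shop", "CVE-0000-0003", "requirements.txt", fix_available=False),
    Finding("shop", "CVE-0000-0004", "requirements.txt", reachable=False),
    Finding("shop", "aws-access-key", "src/config.py", secret_state="revoked"),
    Finding("shop", "CVE-0000-0005", "src/test/fixtures.py"),        # hit by a manual ignore rule
]

if __name__ == "__main__":
    for (repo, issue_id), paths in dedupe(SAMPLE).items():
        print(f"{repo}: {issue_id} ({len(paths)} locations: {', '.join(paths)})")
```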
Boosting the Signal with Contextual Sensitivity Tuning
A security issue discovered in a repository handling sensitive data should be scored differently from an internal-only repository that doesn’t persist data at all.
Aikido provides various contextual indicators for every repository, helping uncover more security risks and appropriately weighting an issue's final severity score.
For example, by adding a domain name, Aikido can perform targeted scans for issues such as SSL vulnerabilities, cookie misconfigurations, a missing Content Security Policy (CSP), and cross-site scripting (XSS).
Additional contextual examples include whether the application has internet access and which environments the application is deployed in.
Boosting the Signal for Exploitation Risk
Aikido uses real-time indicators to track the probability of a CVE being exploited in the wild, such as confirmed cases of exploitation, public code documenting how to perform the exploit, and any customer-specific cloud infrastructure concerns which may make them particularly vulnerable.
And because Aikido monitors both your code and cloud infrastructure, it can boost the severity of "toxic combination" issues arising from the specific conditions under which your application is hosted, e.g. AWS instances using IMDS API version 1 (IMDSv1) are more vulnerable to SSRF exploits, which can expose AWS credentials.
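The contextual sensitivity tuning and exploitation-risk boosting described in the two sections above, as an added example that is not Aikido's scoring model: a constructed severity function whose weights (the 0.5 down-weight, the +1/+2 boosts) and field names are assumptions chosen for illustration, applied to one SSRF issue seen in three differently hosted repositories.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class RepoContext:
    name: str
    handles_sensitive_data: bool
    internet_facing: bool
    environments: Tuple[str, ...]           # e.g. ("production",) or ("staging",)
    aws_imds_version: Optional[int] = None  # 1 or 2 when the workload runs on AWS instances

@dataclass
class Issue:
    issue_type: str          # "ssrf", "xss", "dependency", ...
    base_score: float        # CVSS-style base severity, 0-10
    exploited_in_wild: bool = False
    public_exploit: bool = False

def score(issue: Issue, ctx: RepoContext) -> float:
    """Contextual severity: base score adjusted for repo sensitivity and exploitation risk."""
    s = issue.base_score
    # Contextual sensitivity tuning: an internal-only repo holding no sensitive data is down-weighted.
    if not ctx.handles_sensitive_data and not ctx.internet_facing:
        s *= 0.5
    if "production" not in ctx.environments:
        s -= 1.0
    # Exploitation risk: confirmed exploitation in the wild outweighs merely public exploit code.
    if issue.exploited_in_wild:
        s += 2.0
    elif issue.public_exploit:
        s += 1.0
    # Toxic combination: SSRF in a workload on AWS instances still on IMDSv1 can reach credentials.
    if issue.issue_type == "ssrf" and ctx.aws_imds_version == 1:
        s += 2.0
    return round(max(0.0, min(s, 10.0)), 1)

def rank(pairs: List[Tuple[Issue, RepoContext]]) -> List[Tuple[str, float]]:
    """Order (repo name, score) so the highest contextual severity is worked first."""
    scored = [(ctx.name, score(issue, ctx)) for issue, ctx in pairs]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed contexts: same SSRF issue, three hosting situations.
PAYMENTS = RepoContext("payments", True, True, ("production",), aws_imds_version=1)
PAYMENTS_V2 = RepoContext("payments-imdsv2", True, True, ("production",), aws_imds_version=2)
INTERNAL = RepoContext("internal-tool", False, False, ("staging",))
SSRF = Issue("ssrf", base_score=6.0, public_exploit=True)

if __name__ == "__main__":
    for name, value in rank([(SSRF, PAYMENTS), (SSRF, INTERNAL), (SSRF, PAYMENTS_V2)]):
        print(f"{name}: {value}")
```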
Summary
Traditional security tools don't care about developer productivity. They're more than happy to bury a repository in a pile of false positives, wasting developers' time that could've been better spent actually resolving security issues.
What makes Aikido different is that we see the link between developer productivity and security. By removing irrelevant alerts and CVEs, genuine threats get more attention, and as a result, fixes get applied faster.
This win-win for developers and security is what we're all about and is how we're curing Security Alert Fatigue Syndrome for our customers.
Want to see it in action? Sign up to scan your first repos & get your first results in less than 2 minutes.