Monday, July 27, 2009

CodeScan - Code Security: is your application secure?

The Scenario: We were looking to implement a CRM for one of our clients who was interested in more than the base functionality, and told us we could basically use whatever “secure” solution integrated the best, without limiting future integration points. The potential solutions were narrowed down to a Software as a Service (SaaS) solution or an open source downloadable one.

The Security checks available:
- To check the quality / security of the SaaS solution I could only do a web search for known vulnerabilities and ask peers (note to the world – don’t ask the vendor “how secure they are”, you will never get a straight answer).
- For the open source solution I could do the same searches, but I could also run software called CodeScan by CodeScan Labs, which allowed me to check the PHP open source software for security vulnerabilities that have not yet been publicly announced – and even better, it allowed me to do it without knowing all the code intimately or being an expert in the language. The differences between the search results and the CodeScan results were “very illuminating”, and I have now asked the SaaS vendor to provide assurances from a third party tool (suggesting CodeScan). The brilliant thing about the CodeScan tool is that it told me what was wrong with the code, down to the lines of code, so I can go and fix the open source project. This got me thinking about different ways you could use CodeScan.

Other ways to use CodeScan in your business:
  • Improve your business confidence in your developers, by giving the business a way to critique the quality of code from a security stand point without creating friction.
  • Check the libraries / modules you download for packages like Drupal – before you integrate them into your production system.
  • A learning tool for teaching your developers to write secure code.
  • Check your university assignments before you hand them in.
  • For larger organisations you could use it as a part of your performance based bonus / pay.
  • Checking over the copied/pasted code that developers find.
  • Get a level of confidence in the code you get back from your outsourcing partners.
There is a free trial which allows you to test the current state of your software against the rule base, which is kept up to date on the CodeScan servers. You can choose from a range of languages and checks including PHP, ASP classic and .NET, and SQL injection, with more reportedly coming soon.
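To make concrete what a rule-based scanner of this kind does (flagging, with line numbers, where untrusted input reaches a dangerous call, as described above, and checking code against a rule base such as the SQL injection rules mentioned here), the following is an added example of a deliberately small taint tracker written in Python. It is not CodeScan's code or rule base, and the PHP fragments it scans are constructed for the example. The source, sanitizer and sink tables are assumptions chosen for illustration; a real tool would parse PHP properly rather than matching text line by line.

```python
import re
from dataclasses import dataclass

# Constructed PHP sample that a scanner should flag (not from the page).
VULNERABLE_PHP = """<?php
$id = $_GET['id'];
$name = $_POST['name'];
$q = "SELECT * FROM users WHERE id = " . $id;
$r = mysql_query($q);
echo "Hello " . $name;
"""

# The same logic with the input cast, escaped for HTML, and a prepared statement.
HARDENED_PHP = """<?php
$id = (int) $_GET['id'];
$name = htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8');
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = :id");
$stmt->execute([':id' => $id]);
echo "Hello " . $name;
"""

# Assumed rule tables: where untrusted data enters, what neutralises which risk,
# and which calls are dangerous for which kind of taint.
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
SANITIZERS = {
    "(int)": {"sql", "html"},                  # an integer cast is safe in both contexts
    "intval(": {"sql", "html"},
    "htmlspecialchars(": {"html"},             # HTML escaping does nothing for SQL
    "mysql_real_escape_string(": {"sql"},      # SQL escaping does nothing for HTML
}
SINKS = {"mysql_query(": "sql", "echo ": "html", "print ": "html"}

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")
VAR_RE = re.compile(r"\$\w+")


@dataclass
class Finding:
    line: int       # 1-based line number in the scanned source
    sink: str       # dangerous call reached
    variable: str   # tainted variable (or "superglobal" when used inline)
    kind: str       # "sql" or "html"


def scan_php(source: str) -> list[Finding]:
    """Walk the file once, tracking which variables still carry which taint."""
    tainted: dict[str, set[str]] = {}
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Report any sink on this line that consumes still-tainted data.
        for sink, kind in SINKS.items():
            if sink not in line:
                continue
            name = sink.rstrip("( ")
            for var in VAR_RE.findall(line):
                if kind in tainted.get(var, set()):
                    findings.append(Finding(lineno, name, var, kind))
            if any(src in line for src in SOURCES):
                findings.append(Finding(lineno, name, "superglobal", kind))
        # Propagate taint through assignments, removing what a sanitizer clears.
        m = ASSIGN_RE.match(line)
        if m:
            var, expr = m.groups()
            kinds: set[str] = set()
            if any(src in expr for src in SOURCES):
                kinds |= {"sql", "html"}
            for used in VAR_RE.findall(expr):
                kinds |= tainted.get(used, set())
            for san, cleared in SANITIZERS.items():
                if san in expr:
                    kinds -= cleared
            if kinds:
                tainted[var] = kinds
            else:
                tainted.pop(var, None)
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PHP), ("hardened", HARDENED_PHP)):
        print(f"== {label} ==")
        for f in scan_php(src):
            print(f"line {f.line}: tainted {f.variable} reaches {f.sink} ({f.kind})")
```

Run as a script, it flags line 5 (the concatenated query reaching mysql_query) and line 6 (unescaped POST data reaching echo) in the first sample and nothing in the second. Note that after htmlspecialchars the variable is still marked as SQL-tainted: context-specific sanitizers are exactly the distinction a rule base has to encode, and a tool that treated any sanitizer as clearing all taint would miss real findings.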

CodeScan Labs is generating new releases all the time, so I’m hoping that with a new user interface, reporting, a more comprehensive website and some new languages, it will become almost the default for developers to check the quality of their code before it gets anywhere near a public site. So far I’ve put it under the banner of a great tool that we can use to qualify and measure improvements to applications.

Regards,
Simon Collings
Solutions Manager
http://serendipityit.co.nz

4 comments:

Michael said...

Hey there Simon!

Could you confirm whether you might be a bit biased?

I just downloaded that product, and I have to say my first impression was "wtf?"

It may be an important area of IT, but this product looks like some graduate built it 10 years ago.

I see the need, but really don't like this product.

- Mike

simonc said...

Hi Michael,
Thanks for your comment.

Like you I got the importance of this area but was underwhelmed by the UI and reporting (see the last paragraph). However, for the price (Free Trial) I got more than I had paid for and could see the potential.

I liked the "check the code" rather than "check the compiled solution" as it didn't have to go anywhere near my production environment.

Simon

James said...

I agree with the first comment made on this website. I ran up CodeScan yesterday and uninstalled it about 10 minutes later.
The user interface is worse than a graduate’s work; it's clunky and hard to understand and follow. I found myself getting lost and frankly confused while using it.

I also ran CodeScan over one of my own developed applications, which caused it to crash horribly! I would say there is some more work required on CodeScan to make it usable.

I would also fire your grads..

essay assignments said...

General plans for the future - hulk - but only as a trend. basically the same article does not give clear concepts for action presents