Updates to Ocular include support for four new programming languages, C#, C, C++ and Scala, extending coverage to the languages behind the most common cloud, Internet of Things (IoT) and embedded applications. The updates also include blazing fast automated security regression testing in CI/CD, which ensures previously fixed business logic flaws are never reintroduced. Ocular can analyze two million lines of code in under eight minutes, which is 40 times faster than typical code analysis tools.
With Ocular, one of our Fortune 500 customers is finding vulnerabilities 10 times faster than with its manual code review process. In less time than it typically took to find one vulnerability, the company found eight zero-day vulnerabilities in its custom code and open source libraries, including an insecure direct object reference, which would allow attackers to access other objects without authorization merely by changing a predictable sequence number in the reference. To learn more about this customer’s experience, please register for our webinar next week.
The pace and complexity of modern applications have grown beyond human scale. Even the best security reviewers cannot hold the logic of tens or hundreds of thousands of lines of code in their heads well enough to find flaws. Yet, to date, the only way for organizations to detect business logic flaws during development is manual code review, which is error prone and takes weeks to complete. The result is that the majority of releases get few or no checks for business logic flaws, and the overwhelming majority of those flaws go unnoticed in development.
Unlike technical vulnerabilities — such as SQL injection, cross-site scripting and deserialization — business logic flaws often require little or no technical expertise to exploit. For example, in the recent First American Financial Corp. data breach, a control flow reachability business logic flaw was exploited by simply changing values in a URL.
Matias Blanco, manager of application security at Okta, said of Ocular: “Millions of daily users rely on the Okta Identity Cloud to access the technologies they need. For an agile software development team, every minute is valuable, and the time spent on in-depth code audits can be especially challenging. ShiftLeft Ocular promises to turn weeks into hours when it comes to code security reviews.”
Ocular is an interactive shell to query ShiftLeft’s Code Property Graph (CPG). The CPG is a graph of graphs that connects the functions of source code together into a fabric of information flows that can be traversed from source to sink. With Ocular, security researchers, code auditors and developers can iteratively interrogate the validity of business logic flows to identify flaws and demonstrate reachability. Ocular queries can then be automated as security policy checks and regression testing through CI/CD pipelines.
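As an added illustration (not ShiftLeft's code and not Ocular's query language), the following Python models the source-to-sink reachability query described above over a constructed mini graph: it finds request parameters that reach a database read without passing through an authorization check, the shape of the insecure direct object reference mentioned earlier, and wraps that query as a regression check that fails on the vulnerable graph and passes on the fixed one. The node names, tags and graph format are assumptions made for the example.

```python
from collections import defaultdict

# Constructed stand-in for a code property graph: nodes are program points
# carrying tags, edges are single data-flow steps. Not ShiftLeft's CPG schema
# or Ocular's query language; it only mirrors the source-to-sink idea.
def build_cpg(edges, tags):
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    return {"succ": succ, "tags": tags}

def flows(cpg, source_tag, sink_tag):
    # All simple (cycle-free) paths from a source_tag node to a sink_tag node.
    tags, paths = cpg["tags"], []
    def walk(node, path):
        if sink_tag in tags.get(node, ()) and len(path) > 1:
            paths.append(list(path))
        for nxt in cpg["succ"][node]:
            if nxt not in path:
                path.append(nxt)
                walk(nxt, path)
                path.pop()
    for src in (n for n, t in tags.items() if source_tag in t):
        walk(src, [src])
    return paths

def unguarded_flows(cpg, source_tag, sink_tag, guard_tag):
    # Flows that reach the sink without passing a guard_tag node on the way.
    tags = cpg["tags"]
    return [p for p in flows(cpg, source_tag, sink_tag)
            if not any(guard_tag in tags.get(n, ()) for n in p)]

def regression_check(cpg):
    # CI policy check: True only when every request id is authorized first.
    return not unguarded_flows(cpg, "http-input", "db-read", "authz-check")

# Constructed sample: an invoice lookup keyed by a request parameter.
TAGS = {"req.params.id": {"http-input"}, "invoice_id": set(),
        "authorize(user, invoice_id)": {"authz-check"},
        "db.find(Invoice, invoice_id)": {"db-read"}}
# Vulnerable: the caller-chosen id reaches the database read directly.
VULN = build_cpg([("req.params.id", "invoice_id"),
                  ("invoice_id", "db.find(Invoice, invoice_id)")], TAGS)
# Fixed: the id is only used after the authorization check has seen it.
FIXED = build_cpg([("req.params.id", "invoice_id"),
                   ("invoice_id", "authorize(user, invoice_id)"),
                   ("authorize(user, invoice_id)", "db.find(Invoice, invoice_id)")], TAGS)
```

Running `regression_check` on each graph in a pipeline step is the shape of the automated policy check the post describes: the fixed graph passes, and reintroducing the direct flow makes it fail again.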
ShiftLeft Ocular Identifies Business Logic Flaws 10x Faster than Manual Code Reviews was originally published in ShiftLeft Blog on Medium.
*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog – Medium authored by Andrew Fife. Read the original post at: https://blog.shiftleft.io/shiftleft-ocular-identifies-business-logic-flaws-10x-faster-than-manual-code-reviews-a2c67ec0a013?source=rss—-86a4f941c7da—4