Large Applications, Monoliths — Struggling with code analysis? Read on!
ShiftLeft Ocular makes code analysis of large applications fast, automated and very very efficient. It can analyze an entire linux kernel with in 40–50 minutes.
Our customers recently challenged us with a unique use case — The problem of analyzing code of monolithic and very large applications. In the age of microservices, monoliths seems to have arrived with a vengeance.
Monoliths never went away. They are the “present” of applications that drive bulk of internet and modern digital economy. The microservice movement while strong is not expected to replace monoliths for some of the foreseeable future. Monoliths are everywhere and incidentally occupy a lot of time and concerns of app-sec professionals. Why? what are the issues?
Analyzing large applications — How about 5 millions line of code or the Linux Kernel itself? What about large composed apps?
We have got three kind of requests.
First one is of large size applications — 3, 5 or 8 million lines of code. In equivalent disk size terms they will be 300 to 500 MB of Java JARs. Any legacy code analysis tool takes around 8 hours at minimum to days/weeks. The problem compounds itself with thousands of false positive infested results.
Second request is more complex. How to analyze multiple large applications that interact with each other in numerous combinations to deliver an end service? A specific case is of 100s of JARs — few of them are middleware services that are used by multiple endpoint JARs in combinations. How do you create a fast+efficient automation system that can do code analysis of these mega composed apps?
Third request is straight-forward. I have a large OS kernel (linux equivalent size) and I want to analyze in no more than 40–50 minutes. Possible?
Why analysis of these apps matters?
First argument is pervasiveness of such apps followed by a fear that such apps might represent biggest security holes for an organisation. Most of these apps predate the age of secure CI/CD movement. A bulk of this code was written before the concerns around sensitive data leaks, software component analysis, CVE variant analysis became mainstream. Many of such applications are either in high maturity state or in maintenance mode.
However, in the age of increased cybersecurity mandates, app-sec teams have been tasked to gain a measure of control over these apps.
How does ShiftLeft Ocular solves this problem?
ShiftLeft Ocular solves this problem in four ways
Speed through code property graph
As ShiftLeft Ocular relies on code property graph as its core data structure, it is able to generate fast and easily analyzable format. This format allows it to reduce the analysis times by factor of 1/10th to 1/20th to any legacy code analysis tools. For e.g. a customer was able to analyze 5 million lines of code application in less than 50 minutes.
Performance through Memory-disk overflow
ShiftLeft Ocular automatically overflows large code graphs from memory to disk automatically in case of memory contention. This relieves performance concerns while maintaining speed of analysis.
Efficiency through composing of whole through part analysis
Multi apps/components can be analyzed for complex flows by fusing previously generated individual graph representations into a composite whole. Specifically in the world of Java, a multiple combination of JAR of Jars (from the same pool) could be constructed and with Ocular it is possible to re-use graph of previously analyzed JARs into the new analysis. As a result, one can gain major time and money efficiencies.
CI-Automation that works for large apps
ShiftLeft Ocular can be easily integrated into any CI system. Furthermore, ShiftLeft Ocular can perform pre-testing of apps to help select machine configuration that can help optimize performance during code analysis.
To understand how ShiftLeft Ocular can help you with your large apps , you can get started by downloading a trial of ShiftLeft Ocular here.
Large Applications, Monoliths — Struggling with code analysis? Read on! was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog – Medium authored by Alok Shukla. Read the original post at: https://blog.shiftleft.io/large-applications-monoliths-struggling-with-code-analysis-read-on-e5349e562de4?source=rss—-86a4f941c7da—4