Learn more about GeneXus
Wina Arambule |
2 Min.

Security Scanner: a static analysis tool

In this post we will delve into Security Scanner
, the static code analysis tool included in the GeneXus Integrated Development Environment (IDE), with the aim of improving the security of applications developed with our Low-Code platform.

Static code analysis are the inspections performed on the source code or in the generated binaries to detect errors and vulnerabilities that may compromise an application. They are static because they do not execute the application.


Silvia Grampone

, software engineer, defines static analysis tools as a “white box”, since they allow analysts to access all the code.

In the case of Security Scanner, it specifically reviews GeneXus code, not code generated in native code.

“This tool looks for functions that are already known a priori that can introduce vulnerabilities in applications if they are not correctly used by developers. Like any static analysis tool, it requires an a posteriori analysis to eliminate false positives.”

Silvia, who also works as a Security Analyst at GeneXus, explains that the Security Scanner can be executed in two ways: directly in the IDE or by MSBuild, which can be included in a development pipeline.

Running from the IDE 

“It is recommended for developers, for example, before committing to
GeneXus Server

to analyze the code they just developed and go step by step.”

Execution by MSBuild

It is recommended to add in a development pipeline to do a later analysis that can be included to run measurements or to do checks.”

The MSBuild rules and task documentation are on the wiki and is very easy to use. For the developer to run the Security Scanner from the IDE they only need to follow this path:

Tools > Security > Security Scanner. 

The MSBuild task is easy to use, just copy it as it is in the wiki.

Find out more about this topic in the talk
DevSecOps: Redefining the foundations of security with Static Code Analysis

, given by Silvia Grampone as part of
GeneXus Live 2021

.

You may also be interested in reading:

How to start a DevOps culture?

Security in Mission Critical Applications: Case ‘Uruguay gets vaccinated’’

2022 in Low-Code key: What’s coming in GeneXus!

Leave a Reply

Your email address will not be published.

Back to top