Secure Coding with Amazon CodeGuru Security Detector

As we leave 2020 behind, we had the chance to virtually attend and hear much about new service features and announcements in the re:invent. In this blog post, we’ll take a look at and try the newly announced Amazon CodeGuru Reviewer Security Detector. For those who haven't heard about this tool or new to these security detection capabilities, keep reading as we summarize how Amazon CodeGuru improves the code quality and performance in software development processes. Then follow us to onboard with the Amazon CodeGuru Reviewer Security Detector with an open source repository and see the results.

Amazon CodeGuru Overview

To put it simply, Amazon CodeGuru is a developer tool that helps developers maintain high quality standards in their source code and improve their application performance through machine learning and intelligent recommendations. The service has two main elements, called Amazon CodeGuru Reviewer and Amazon CodeGuru Profiler. Before we jump to review the new Security Detector feature, let’s look at how Amazon CodeGuru overall improves the code quality and application performance.

Amazon CodeGuru Reviewer

Amazon CodeGuru Reviewer automatically reviews your code and identifies any defects and issues within your source code. With Amazon CodeGuru reviewer, you can easily scan thousands of lines of source code and get intelligent recommendations on how to take proper actions, resolve these issues and follow the best practices. These recommendations emerge from years of experience of AWS.

You can automate these source code reviews for every push request to make sure every incremental change in your code meets the quality standards. You can also perform full repository code analyses to ensure high quality across time and get recommendations to improve if needed. You can integrate Amazon CodeGuru Reviewer to your existing code review workflows on your preferred source control systems (supporting Github, Github Enterprise, Bitbucket, AWS CodeCommit)

Amazon CodeGuru Profiler

Alongside the source code review, you can also use Amazon CodeGuru to improve your application performance and increase your operational efficiency with Amazon CodeGuru Profiler. It basically analyzes runtime behaviour of your application and provides visualized recommendations for increased performance.

You can start to use Amazon CodeGuru at no cost with the free tier for 90 days. Following usage is priced on a pay-as-you-use basis for full repository and pull request analyses. Check the official service page for detailed pricing information.

It is important to note that the service currently supports Java and Python (Python is in preview, which is also a new announcement from re:invent 2020).

What is New: Amazon CodeGuru Reviewer Security Detector

What is new with the Amazon CodeGuru is the Security Detector feature that helps developers to review their code and identify security vulnerabilities with ease. This way, you can easily detect and remediate potential security issues in the extensive and often complicated code through intelligent recommendations before they become actual issues. Security Detector helps you improve your security posture and eliminates the time and effort spent on dealing with such security issues in the source code.

Improve Your Code Security with Security Detector

Security Detector utilizes machine learning to analyse your code and simplify your security management within development processes. Through comprehensive analysis, you can easily identify security vulnerabilities that would be otherwise hard to find or often overlooked and get recommendations on how to remediate them. The security categories found in Amazon CodeGuru Reviewer Security Detector can be given as:

• Best Practices for Security

Security Detector analyses your code and helps you ensure best practices in AWS API usage for Amazon EC2, AWS KMS, common Java Crypto libraries and TLS/SSL libraries are followed across your source code. For example, the service helps you discover any hard coded credentials in your code.

• Web Application Security

You can also secure your source code against web application security vulnerabilities and protect your application against scripting and injection attacks, including SQL injection, LDAP injection and many more caused by unvalidated, malicious user-input. Security Detector is capable of detecting security risks described in Top 10 Web Application Security Risks described by OWASP.

• Data Security

Last but not least, Amazon CodeGuru Reviewer helps you find out whether any sensitive information is leaked and take proper action to stay compliant with regulatory requirements.

Continuous Code Security: Example Java Application

Now it is time to take a look at how the new feature works.

Note that Security Detector currently supports Java.

Our example will be an example code that uses the popular Java framework, Spring Boot. You can check out the spring-petclinic by spring-examples here. Let’s clone the git repository and go to CodeGuru in AWS console.

In the AWS CodeGuru console, click Code Reviews from the left menu and Repository analysis tab. After that, click Create repository analysis and select Code and security recommendations (Java).

For security scan, your source code and build artifact needs to be in a S3 bucket. So, go ahead to the S3 console to create a new bucket to upload your local code. Your source code needs to be zipped, so create a zip package from the local repository and upload it to that bucket. For the artifacts, we’ve used CodeBuild to build and put the artifacts to the same S3 bucket. You can build in your local machine, then zip and upload them to the bucket, too. After uploading, head back to CodeGuru wizard, pick Browse S3 bucket for existing artifacts, pick your zip files from selector and Create Repository Analysis.

Your code’s review starts, and it is in pending status, CodeGuru Reviewer is reviewing the source code. After a bit of waiting, the result arrives and you can see issues listed in the Recommendations part. Since Spring is an active open source project with a lot of contributors, we only received one recommendation.

It is stating that an auto generated Id field should not be an integer field, it should be a long field. Even though there are no severe issues, recommendations help you gain a new perspective on how to make your application better.