Code Scanning That Works With Your Code - Scott Norberg - ASW #317
Feb 11, 2025
Scott Norberg, a web security specialist with nearly 20 years of experience using Microsoft technologies, shares his journey of developing a custom code scanner to tackle .NET vulnerabilities. He discusses the shortcomings of existing code scanning tools and the complexity of maintaining secure code. The conversation highlights the importance of accurate vulnerability detection, training developers, and fostering a positive security culture. Norberg also explores challenges in cloud security and the need for transparency in data privacy practices.
Effective code scanning is critical for identifying vulnerabilities, but many existing tools fail to detect issues, necessitating customized solutions.
Building a culture of security awareness within development teams dramatically improves the consistent application of secure coding practices across various projects.
The integration of AI in code scanning can enhance vulnerability detection, but expert guidance remains essential for effective implementation and oversight.
Deep dives
The Importance of Secure Coding Practices
Secure coding practices are essential for preventing vulnerabilities in applications. Developers are encouraged to prioritize security by using secure defaults, supporting passkeys, and targeting specific vulnerability classes. Building a culture of security awareness within development teams is vital to ensuring that secure coding principles are understood and applied consistently. Encouraging developers to write secure code and integrate security measures into their workflows can significantly reduce the risk of exposing applications to attacks.
The Role of Code Scanning Tools
Code scanning tools play a critical role in identifying potential vulnerabilities within an application’s codebase. These tools can help developers detect common security flaws, such as SQL injection or cross-site scripting, before the code is deployed. The discussion highlights the limitations of existing tools, suggesting that many fail to detect vulnerabilities effectively, often producing false positives or missing critical issues altogether. As a result, the development of customized scanners tailored to specific programming languages, like C#, can enhance detection and improve overall application security.
Challenges in Application Security Scaling
Scaling application security practices presents notable challenges for organizations, particularly as software development grows in complexity. Developers may struggle to implement secure coding practices consistently across numerous applications, leading to gaps in security preparedness. The conversation emphasizes the importance of providing effective training and tools for developers to improve their understanding of security practices. Building automated security mechanisms into the CI/CD pipeline can help maintain security standards without significantly hindering development progress.
Adopting a Developer-Centric Approach
Implementing a developer-centric approach to application security can significantly enhance the effectiveness of security measures. By fostering collaboration between security experts and development teams, organizations can better integrate security into the software development lifecycle. This approach encourages developers to view security as an integral aspect of their work, rather than an additional burden. Providing easily understandable guidelines, tools, and resources empowers developers to take ownership of security practices in their coding.
Artificial Intelligence and Application Security
Artificial Intelligence, particularly machine learning, is influencing various aspects of application security, including code scanning and vulnerability detection. Utilizing AI in this context can improve the accuracy and efficiency of security scans, enabling developers to identify vulnerabilities swiftly. However, it’s critical to understand the limitations AI may have, as it still requires the guidance and expertise of security professionals to ensure effective implementation. Developers should remain vigilant in evaluating AI tools to ensure they align with their organization's security goals and compliance requirements.
Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shares his experience with encountering code scanners that didn't find the .NET vuln classes he needed to find and why that led him to create a scanner from scratch. We talk about some challenges in testing tools, making smart investments in engineering time, and why working with .NET's compiler made his decisions easier.
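To make the grep-versus-compiler point concrete, here is an added example (not Norberg's scanner or any tool from the episode) that runs a grep-style SQL-concatenation rule over a few constructed C# lines, shows the case a line-oriented regex misses, and bolts on a crude variable-tracking pass to catch it; the sample code, rule names and helper functions are all assumptions for illustration.

```python
import re

# Constructed C# snippets (assumed sample input, not from the podcast): an
# obvious injection, a safe parameterized query, and an injection hidden
# behind a variable assigned on a separate line.
SAMPLE_CS = """\
var cmd1 = new SqlCommand("SELECT * FROM Users WHERE Name = '" + name + "'", conn);
var cmd2 = new SqlCommand("SELECT * FROM Users WHERE Name = @name", conn);
var sql = "SELECT * FROM Users WHERE Name = '" + name + "'";
var cmd3 = new SqlCommand(sql, conn);
"""

# Grep-style rule: SqlCommand built from a string literal concatenated in place.
SQL_CONCAT = re.compile(r'new\s+SqlCommand\s*\(\s*"[^"]*"\s*\+')
# Helper patterns for a crude, line-ordered taint pass (assumed, not a real tool).
ASSIGN_CONCAT = re.compile(r'(?:var|string)\s+(\w+)\s*=\s*"[^"]*"\s*\+')
SQL_VAR = re.compile(r'new\s+SqlCommand\s*\(\s*(\w+)\s*,')


def scan_lines(source: str) -> list[tuple[int, str]]:
    """Pure grep: flags only lines where the literal and '+' share a line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SQL_CONCAT.search(line):
            findings.append((lineno, "sql-concat"))
    return findings


def scan_with_simple_taint(source: str) -> list[tuple[int, str]]:
    """Grep plus a memory of which variables were built by concatenation,
    catching cmd3 that the pure grep misses. A compiler-backed scanner gets
    this from the semantic model instead of from fragile regex bookkeeping."""
    tainted: set[str] = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SQL_CONCAT.search(line):
            findings.append((lineno, "sql-concat"))
        assign = ASSIGN_CONCAT.search(line)
        if assign:
            tainted.add(assign.group(1))
        use = SQL_VAR.search(line)
        if use and use.group(1) in tainted:
            findings.append((lineno, "sql-concat-via-variable"))
    return findings


if __name__ == "__main__":
    print("grep only:     ", scan_lines(SAMPLE_CS))
    print("with variables:", scan_with_simple_taint(SAMPLE_CS))
```

The second pass still breaks on anything beyond straight-line, single-file assignment (method calls, string.Format, fields), which is exactly the gap a scanner built on the compiler closes.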
Identifying and eradicating unforgivable vulns, an unforgivable flaw (and a few others) in DeepSeek's iOS app, academics and industry looking to standardize principles and practices for memory safety, and more!