Mobilis in Mobili
This past year and a half has been packed with security-centric static program analysis for the CodeThreat team. After all this time, we have come to know that designing and implementing a scalable, flexible and soundish code analysis solution is a highly challenging task. This is Bedirhan, and in this post I'll try to bring in some perspective on how the project and the team are progressing and what awaits us in the near future. A historical view of the project, annotated with experience, is a meaningful route to follow for that.
Bootstrapping with Passion
First of all, the core team is in love with software security and static code analysis. It's intriguing to find security bugs in software and hack into applications, as well as to figure out the root causes and correctly mitigate these vulnerabilities. The latter is equally compelling to us. So, for some time a security-focused program analysis solution was a magnum opus that we all craved.
While familiarity with programming language concepts, core compiler notions, code review and application security knowledge is necessary, we quickly understood that these are not enough. Sure, it's easy to find solid open source libraries to start with. However, the long history of program analysis shows us that a reliable design and a flexible implementation are much more demanding than wiring together a few libraries.
So, the first six months of the CodeThreat journey were full of research, reading and experimenting. During this period we formed our own fundamental algorithms and approximations on topics such as taint propagation and points-to analysis, along with genuine designs for achieving a configurable and scalable security analysis across various platforms.
This is a good point to honor all the scientific research on static code analysis and the software security experience previously contributed by academics and enthusiasts. We hope that in the future our work will add something to this cumulative knowledge.
If I have seen further it is by standing on the shoulders of Giants. Isaac Newton
All in all, an MVP was born in less than a year, including a static code analysis engine, an IDE plugin and an accumulating knowledge base with details of over 300 security weaknesses for all the languages we support.
The Fuel of Investment
The first nine months were a self-funded, that is to say pre-seed, period in which the team kept expenses to a bare minimum. The seed funding, on the other hand, came in good time.
Fueled with steady resources, we managed to produce a desktop client, HTML/JSON reporting, a standalone executable and an API for CI/CD and other third-party integrations by the end of 8 months.
During this period, performance and security issue benchmarking against both existing software projects and the ones we developed was also carried out.
At this point, we were fully aware that we should have been moving at a faster pace. However, we had to take important decisions that would otherwise have affected the future of the project negatively, such as those concerning scalability and extensibility.
The team then started to delve more into research and to experiment with different algorithms and designs. Two major design and implementation changes happened during this period:
- A Deno-based microservices structure for scalability and interoperability for scan engine runtime logistics, interfaces and infrastructure.
- An expressive definition-based source, sink, validation, semantic, configuration, custom knowledge base and filtering model.
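To make the second change more concrete, here is a small added example of what a definition-based source, sink and validation model looks like when driven by a taint-propagation pass. It is illustrative code written for this post, not the CodeThreat engine; the rule names (`request.get_param`, `escape_sql`, `shlex.quote` and so on), the toy three-address IR and the sample program are all constructed assumptions. The point it shows beyond the bullet above is that a validator only neutralizes a flow for the sink classes it is declared for, so a value quoted for a shell is still reported when it reaches a SQL sink.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical knowledge-base entries (illustrative names, not a real rule set).
# A validator is credited only against the sink classes it is declared for.
RULES = {
    "sources": {"request.get_param", "socket.recv"},
    "sinks": {"db.execute": "SQL injection", "os.system": "OS command injection"},
    "validators": {"escape_sql": {"db.execute"}, "shlex.quote": {"os.system"}},
}


@dataclass
class Stmt:
    """One statement of a toy three-address IR: target = call(args)."""
    target: Optional[str]   # variable assigned, None for a bare call
    call: str               # callee name, matched against the rule tables
    args: list              # argument variable names or literals


@dataclass
class Finding:
    line: int
    sink: str
    weakness: str
    source: str
    path: list              # "line:call" hops from source to sink


def _merge(incoming, hop):
    """Combine taint facts of several arguments: keep the first origin and path,
    and credit only validators that every tainted argument has been through."""
    src, seen, path = incoming[0]
    for _, other_seen, _ in incoming[1:]:
        seen = seen & other_seen
    return src, seen, path + [hop]


def analyze(program, rules):
    """Forward, flow-sensitive taint propagation over straight-line code."""
    taint = {}      # var -> (source call, frozenset of validators seen, path)
    findings = []
    for lineno, st in enumerate(program, 1):
        incoming = [taint[a] for a in st.args if a in taint]
        hop = f"{lineno}:{st.call}"

        if st.call in rules["sources"]:
            if st.target:
                taint[st.target] = (st.call, frozenset(), [hop])
            continue

        if st.call in rules["validators"]:
            if st.target and incoming:
                src, seen, path = _merge(incoming, hop)
                taint[st.target] = (src, seen | {st.call}, path)
            elif st.target:
                taint.pop(st.target, None)
            continue

        if st.call in rules["sinks"]:
            for src, seen, path in incoming:
                # the flow is neutralized only if a seen validator covers this sink
                covered = any(st.call in rules["validators"][v] for v in seen)
                if not covered:
                    findings.append(Finding(lineno, st.call, rules["sinks"][st.call],
                                            src, path + [hop]))
            if st.target:
                taint.pop(st.target, None)
            continue

        # any other call: conservatively treat its result as tainted if an input is
        if st.target:
            if incoming:
                taint[st.target] = _merge(incoming, hop)
            else:
                taint.pop(st.target, None)
    return findings


# Constructed sample program in the toy IR; comments give the expected verdicts.
PROGRAM = [
    Stmt("name", "request.get_param", ["'name'"]),                  # 1 source
    Stmt("q", "str.format", ["'SELECT ... WHERE n={}'", "name"]),   # 2 propagate
    Stmt(None, "db.execute", ["q"]),                                # 3 SQL injection
    Stmt("safe", "escape_sql", ["name"]),                           # 4 validator for db.execute
    Stmt("q2", "str.format", ["'SELECT ... WHERE n={}'", "safe"]),  # 5 propagate
    Stmt(None, "db.execute", ["q2"]),                               # 6 clean
    Stmt("cmd", "shlex.quote", ["name"]),                           # 7 validator for os.system only
    Stmt(None, "db.execute", ["cmd"]),                              # 8 SQL injection (wrong validator)
    Stmt(None, "os.system", ["cmd"]),                               # 9 clean
    Stmt("data", "socket.recv", ["4096"]),                          # 10 source
    Stmt(None, "os.system", ["data"]),                              # 11 OS command injection
]

if __name__ == "__main__":
    for f in analyze(PROGRAM, RULES):
        print(f"line {f.line}: {f.weakness} via {f.source} -> {' -> '.join(f.path)}")
```

Running it reports three findings (lines 3, 8 and 11) and stays silent on lines 6 and 9. Keeping the sources, sinks and validator-to-sink bindings in a data table rather than in code is what lets an engine grow its knowledge base, accept custom definitions and filter results without touching the propagation logic.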
Apart from these, we improved how and how much we work by adopting a scrum model, integrating test cases into our development cycle and hiring a kick ass fellow senior developer.
And last but not least, we produced a steady stream of blog posts. :)
The best way to predict your future is to create it. Abraham Lincoln.
As we progress, we come across many interesting feature ideas. Tempting as they are, we make the choices that will not stray us from our main objective of creating scalable and flexible code scanning engines for security.
Sure, it's the early bird that catches the worm. But there are also good opportunities for the second mouse. Software is everywhere, and static security code analysis is and will be an integral part of any software shop that prioritizes security.
It’s important to provide easy to use and quality security code analysis engines that can fit any development cycle.
The CodeThreat team will continue to move steadily towards that end.