SmartDec Scanner #2: How to Track Vulnerabilities

Ivan Ivanitskiy
SmartDec Cybersecurity Blog
4 min read, Sep 3, 2019

An enterprise-level security scanner is something completely new for the blockchain industry. Developers are not used to such tools and do not know how to integrate them into the development lifecycle. That is why we decided to describe SmartDec Scanner in a series of articles.

Each article covers one feature of our tool. By describing the feature and how to use it, we not only describe the tool itself but also provide a kind of tutorial. This article’s topic is vulnerability tracking.

Vulnerability tracking: what does it mean?

If you use any other blockchain security tool (including our own SmartCheck, whose analysis module is embedded into SmartDec Scanner), you start from scratch with every new scan. If you update the project and scan the code again, you need to figure out:

  • which vulnerabilities are new and which were present previously
  • which vulnerabilities you have already analyzed and what you decided about them (maybe they are critical and you need to fix them, maybe they are false positives and you should forget about them)

So, if you decide that some vulnerability does not endanger your code, you need to record this decision in a hand-made database, e.g. a Google spreadsheet. You can do it manually or with a custom script, but you have to do it. Otherwise, anyone who works with this code after you will need to repeat your work and check this vulnerability again.

Such a workflow is possible when analyzing small projects, e.g. simple smart contracts. However, it is unacceptable for enterprise development, because the spreadsheet very soon becomes a mess and maintaining it manually consumes a lot of resources. The situation becomes critical when the code is updated and rescanned.

That is why SmartDec Scanner tracks all the vulnerabilities automatically. When you encounter a vulnerability for the first time, you can write a comment on it or delete it. Another developer will see your comment and will be able to continue your work instead of redoing it. If you rescan updated code, SmartDec Scanner automatically matches the vulnerabilities: you will see the old comments, and the deleted vulnerabilities stay deleted. To better understand how it works, see the screenshot below.
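The matching step described above, as an added illustration that is not SmartDec Scanner’s own code: each finding gets a fingerprint that ignores its line number, so triage state (a comment, a dismissal) recorded after one scan is carried over to the same finding in the next scan even after the code above it has moved, while an unmatched finding is reported as new. The rule ids, file name and snippets are constructed for the example.

```python
import hashlib
import re


def fingerprint(rule, path, snippet):
    """Location-independent identity of a finding: the rule that fired, the
    file it fired in and the flagged code with whitespace collapsed. The line
    number is deliberately left out so an edit above the finding does not
    turn it into a 'new' one on rescan."""
    code = re.sub(r"\s+", " ", snippet).strip()
    return hashlib.sha256(f"{rule}\n{path}\n{code}".encode()).hexdigest()


def fp_of(finding):
    return fingerprint(finding["rule"], finding["path"], finding["snippet"])


def carry_over(previous_triage, findings):
    """Attach triage state from the previous scan to the new findings.
    previous_triage maps fingerprint -> {"dismissed": bool, "comment": str}.
    A finding with no recorded state is reported as new."""
    report = []
    for f in findings:
        prior = previous_triage.get(fp_of(f))
        if prior is None:
            status, comment = "new", ""
        else:
            status = "dismissed" if prior["dismissed"] else "open"
            comment = prior["comment"]
        report.append({**f, "status": status, "comment": comment})
    return report


# Constructed scan 1 results (rule ids and snippets are made up for this example).
SCAN_1 = [
    {"rule": "tx-origin", "path": "Vault.sol", "line": 12, "snippet": "require(tx.origin == owner);"},
    {"rule": "unchecked-call", "path": "Vault.sol", "line": 30, "snippet": "to.call.value(amount)();"},
]
# Triage recorded after scan 1: the first finding was reviewed and dismissed,
# the second was left open with a note for the next developer.
TRIAGE_AFTER_SCAN_1 = {
    fp_of(SCAN_1[0]): {"dismissed": True, "comment": "owner-only admin path, reviewed"},
    fp_of(SCAN_1[1]): {"dismissed": False, "comment": "must fix before release"},
}
# Scan 2 after an edit: a line was added at the top of the file (every finding
# shifted down by one, one snippet was reformatted) and one new finding appeared.
SCAN_2 = [
    {"rule": "tx-origin", "path": "Vault.sol", "line": 13, "snippet": "require(tx.origin  ==  owner);"},
    {"rule": "unchecked-call", "path": "Vault.sol", "line": 31, "snippet": "to.call.value(amount)();"},
    {"rule": "reentrancy", "path": "Vault.sol", "line": 45, "snippet": "balances[msg.sender] = 0;"},
]


def rescan_report():
    """Scan 2 findings with the state from scan 1 carried over."""
    return carry_over(TRIAGE_AFTER_SCAN_1, SCAN_2)


if __name__ == "__main__":
    for r in rescan_report():
        print(r["status"], r["rule"], r["line"], r["comment"])
```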

Benefits

Vulnerability tracking gives the user three major benefits.

Saving resources. The user does not need to waste resources on tracking a vulnerability or trying to remember what it is about. This is what I described above.

Analytics. SmartDec Scanner enables the user to analyze the results of development. The user can see how security changes over time and varies from team to team. This is an indispensable feature for development management, and we will describe it in detail in the following articles (subscribe to SmartDec Scanner’s Twitter). It would not be possible without vulnerability tracking: you cannot analyze a new scan if you do not know whether a specific vulnerability is new or one of the old ones.

Developer training and diagnostics. A developer can see which vulnerabilities are common in their code and decide to get additional training on the respective topic. Also, the team lead can see whose code is more secure and trust that person to develop critical parts of the system.

However, I am sure this list is incomplete. What do you find vulnerability tracking useful for? Do you think it lacks something or should be implemented differently? Please feel free to write in the comments or even request a free SmartDec Scanner trial via trial@smartdec.com. We will truly appreciate your feedback. A feature by itself is just a feature. When smoothly embedded into your development process, it becomes a powerful tool for making your software more secure.

This article was created by SmartDec, a security team specializing in static code analysis, decompilation and secure development.

Feel free to use SmartCheck, our smart contract security tool for Solidity and Vyper, and follow us on Medium, Telegram and Twitter. We are also available for smart contract development and auditing work.
