The specter of security vulnerabilities is a constant concern in today's digital landscape. They're the hidden pitfalls that can undermine even the most meticulously crafted code. But what if we told you there's a way to turn the tables on these threats? A way to harden your code so that it stands tall against these attacks? Welcome to the world of Moderne.
In this post, we provide an overview of the four ways that Moderne bolsters your code to solve your toughest application security problems—even the OWASP Top 10.
The platform takes a multi-pronged approach to delivering comprehensive security results in your codebase, as shown in Figure 1.
Read on to learn more about the four ways Moderne protects your codebase from security vulnerabilities and weaknesses.
#1: Code analysis to find exposed secrets and API insecurities
Too often an organization’s codebase is a black box. (Not something a security pro wants to hear!) It’s hard to visualize and understand all the intricate dependent relationships of code managed through a growing assortment of application programming interfaces (APIs).
Moderne provides a detailed view into all direct and transitive dependencies across a codebase, enabling users to extract rich, meaningful insights that help improve application security. Here are a few examples of the useful data you can retrieve:
- Find API endpoints — Identifies all the API endpoints that an application exposes to more readily analyze impact and risk.
- Find sensitive API endpoints — Find data models exposed by REST APIs that contain sensitive information like PII and secrets. We have a great blog that provides more details about this action.
- Find secrets — Locate secrets that are stored in plain text in code for a large assortment of tools and tech. This includes data used to authenticate, authorize, or encrypt communication between various components of an application or between the application and external services.
Because of Moderne’s visibility into the enterprise codebase, you can construct any number of queries about your code, saving the manual, expert effort often required to peer inside the black box.
#2: Static Application Security Testing (SAST) with automated source code fixes
Static code analysis is critical to a comprehensive application security practice. It enables you to build more secure source code by identifying security weaknesses and compliance issues early in the development process, as well as to continually improve your security posture.
Moderne provides robust static code analysis and takes SAST to another level by also fixing security weaknesses in source code your team develops. It’s like having a security expert for developers that not only discovers issues and shares security knowledge, but also automates the manual work of fixing the issues. Developers only have to review and accept the changes.
Moderne SAST involves both control flow and data flow analysis, where we’re assessing code for both insecure operational order performance, as well as looking for issues by understanding how data values propagate through a program (great for finding injection and encoding problems).
Let’s explore a handful of auto-remediation examples that you can apply with Moderne:
- Common static analysis issues — Find and resolve the common static analysis issues that are typically reported by traditional SAST tools. The automated fixes that Moderne’s rules-based engine makes are 100% accurate, style-preserving changes. The consistent code style that Moderne produces makes code easier for everyone on the team to read. Engineers naturally pick up and internalize best practices when they’re followed ubiquitously, making good code easier for everyone on the team to write. Your teams benefit from fewer operational disruptions from bugs and increases in performance.
- Remediate vulnerabilities from the OWASP Top 10 — Identify and remediate vulnerabilities found in the OWASP Top Ten list, such as broken access control, cryptographic failures, and security misconfigurations.
- Partial path traversal vulnerability — Fix the code to prevent a common directory traversal attack.
- Zip slip — Find and fix the Zip Slip vulnerabilities in your codebase, which is a specific form of directory traversal whereby an attacker is able to overwrite executable files, invoke them remotely (or wait for the system or user to call them), and achieve remote command execution on the victim’s machine.
- Enable CSRF attack prevention — Guard against Cross-Site Request Forgery (CSRF) attacks, a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated.
#3: Software composition analysis with automated dependency upgrades
Third-party and open-source dependencies, which change and evolve at their own pace, create a larger attack surface for teams to manage. Software vulnerabilities can be introduced by anyone at any time, and vulnerabilities can be lying dormant until they are exploited. That’s why software composition analysis (SCA) is vital to managing the security of today’s complex, assembled codebases—to more proactively manage security concerns from open-source and third-party components.
Moderne takes traditional SCA a step further by speeding third-party code security with:
- Comprehensive visibility into dependencies–direct and transitive–across your entire codebase. The Moderne platform automatically generates data tables within minutes that provide detailed SBOMs showing actionable fixes that your security and development teams can use.
- Full remediation of vulnerable dependencies—whether that means bumping library versions or actually updating source code (which we’ve found is needed more than 50% of the time).
Armed with SCA capability from Moderne, teams can take steps to mitigate risks, whether that’s updating vulnerable components, replacing components with more secure alternatives, or ensuring that licensing requirements are met. Here are a few examples of what Moderne can do:
- Find and fix vulnerable dependencies — Analyzes and upgrades dependencies with publicly disclosed vulnerabilities, leveraging the GitHub Security Advisory Database.
- Exclude unused dependencies — Excludes a specified dependency from any dependency that transitively includes it, which is useful if a dependency is known to have security vulnerabilities that cannot be easily patched or mitigated.
- Find licenses in use in third-party dependencies — Locates and reports on all licenses in use to ensure your existing codebase (or even a codebase involved in a merger or acquisition) is compliant.
#4: Automated migration of third-party software to eliminate known vulnerabilities
While some vulnerabilities can be closed by upgrading dependency versions with available patches, all too often resolving a security vulnerability requires changes to the application source code. Some fixes are straightforward, like making changes to an API signature. Others are more complex, involving multiple, major lifts and requiring the expertise of migration engineers.
Code migration work is labor-intensive, chaotic, and clerical. It typically involves migrating not just one framework, but a collection of cascading dependency updates. For example, take this large financial institution that was amid a major, multiyear Spring Boot 1.5 to 2.7 migration, that required 12 minor version upgrades that would amass up to 1,200 changes. During the Spring Boot migration work, a newly discovered vulnerability in Spring Boot 2.3 made the team switch gears to prioritize upgrading the apps at risk first. Chaos and spreadsheets!
Moderne is the only company that offers automation for major framework migrations. Here are examples of some of the migrations you can automate:
- Migrate to Spring Boot 3.0 — Upgrade to Spring Boot 3 by modifying an application's build files, making changes to deprecated/preferred APIs, and migrating configuration settings that have changed between versions (plus additional framework migrations).
- Migrate to Java 17 — Upgrade to Java 17 by updating and/or adding dependencies, replacing deprecated APIs, updating build files and plugins, etc.
- Migrate from Log4j to SLF4J — Migrates usage of Apache Log4j to using Simple Logging Facade for Java (SLF4J) directly to eliminate the potential for exposure.
- Marshaling (e.g., SnakeYAML constructor, Jackson default typing) — Configure common serialization libraries against deserializing maliciously crafted data, preventing the execution of hidden malicious code.
Keeping your code safe is the Moderne way
The Moderne platform enables rich insights into your security issues and can auto-remediate code weaknesses and vulnerabilities using a marketplace of existing recipes or ones you customize for your organization. Recipes are expert, rules-based programs that enable accurate, automated search, analysis, and remediation actions. They are curated, created, and maintained by the open-source OpenRewrite community, making it easier for enterprise organizations to secure and maintain their codebases.
It's also worth noting that with Moderne your code stays safe and secure when running within our platform.
Your code is never exposed or seen by anyone outside of your organization. Moderne has SOC 2 Type 2 compliance certification and provides a single-tenant, enterprise-ready SaaS deployment. We also offer a robust command line interface that you can use to keep all your activities local.
Operations are secured using your company’s security controls. Authentication is managed through SSO (single sign on), and authorization is aligned to the access developers have in your organization’s SCM tool. Data encryption is managed with your own encryption keys (also known as bring your own encryption or enterprise key management). The permanent store of your source code, your intellectual property, remains in your environment. An on-premise, egress-only agent tunnels all communication to your single-tenant SaaS.
Schedule a demo with us to see how Moderne can enhance your overall application security strategy.