willem-delbare for Aikido Security

Posted on • Edited on • Originally published at aikido.dev

The Cure For Security Alert Fatigue Syndrome

Most security tools waste developers’ time. We’re on a mission to fix this.

Application developers aren't paid to care about security. Their performance is measured by how quickly they can add value to the business through new features or enhancements.

This makes traditional security tools a hindrance: they're not built for developers — plus, they're not designed to be helpful. Their job is simply to show a massive list of security alerts, leaving it to the developer to figure out the rest.

Figure: example of npm audit output. npm audit provides no guidance or contextual risk assessment.

At Aikido, our mission is to make securing applications as quick and painless as possible, and one of the most important ways we do this is by reducing the noise and false positives that waste developers' time and cause delays in shipping security fixes.

This post will show you what Aikido does to offer a cure for developers suffering from Alert Fatigue Syndrome.

Reducing the Noise

In his famous song "The Gambler," Kenny Rogers captured it pretty well:

"The secret to survivin' is knowin' what to throw away and knowin' what to keep."

The most significant impact you can have on the signal-to-noise ratio is only showing developers the CVEs and security alerts they should take action on and ignoring the rest.

Here’s how Aikido intelligently ignores irrelevant security alerts and CVEs:

Development-Only Dependencies

By default, Aikido will not report vulnerabilities for dependencies marked only for installation in development environments, as they should not be present in staging or production environments.

Invalid CVEs or CVEs Without a Fix

Showing a CVE without a fix is just a distraction. Aikido therefore moves these to a list of ignored issues and only surfaces them in the dashboard once a fix becomes available.

Figure: example of invalid CVEs in Aikido Security.

Unreachable Code

Aikido's code intelligence and reachability engine will ignore a CVE if a vulnerable function is not called in the code base.

Figure: example of reachability analysis inside Aikido Security.

This decreases the noise, especially for large libraries with many dependencies, such as TensorFlow.

Expired or Revoked Secrets

Aikido will ignore secrets that have been verified as expired or revoked, or that appear to be variables. Aikido safely verifies the validity of known secret types by sending a request to an API endpoint that requires authorization but returns no sensitive data.

Figure: example of an expired secret that has been downgraded and ignored.

Manual Ignore Rules

You can configure Aikido to ignore vulnerabilities under certain conditions, e.g. ignore reporting for specific paths in a repository.

Figure: example of how you can set manual ignore rules.

Deduplication

Because most companies piece together their security infrastructure from several different sources, it's common for multiple systems to surface the same alert or CVE — plus, it's common for traditional tools to surface the same CVE multiple times within a single repository. Talk about noise!

Because Aikido is an all-in-one platform offering you a single pane of glass across all security issues, you'll only see a single CVE alert for each repository with sub-issues listing the location of each vulnerability.

Figure: example of how Aikido groups CVEs for you.
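To make the noise-reduction rules above concrete, here is a small triage pass written for this post (it is not Aikido's code, and the finding record shape, package names and CVE-EXAMPLE identifiers are constructed): it drops development-only dependencies, parks CVEs without a fix, skips unreachable vulnerable functions, applies a path-based manual ignore rule, and groups the survivors into one alert per CVE with sub-issue locations.

```python
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample findings (one record per vulnerable occurrence); the field
# names are an assumption for this example, not a real scanner's data model.
FINDINGS = [
    {"cve": "CVE-EXAMPLE-0001", "package": "libfoo", "dev_only": False,
     "fixed_version": "4.17.21", "reachable": True, "path": "src/app.js"},
    {"cve": "CVE-EXAMPLE-0001", "package": "libfoo", "dev_only": False,
     "fixed_version": "4.17.21", "reachable": True, "path": "src/util/clone.js"},
    {"cve": "CVE-EXAMPLE-0002", "package": "devtool", "dev_only": True,
     "fixed_version": "29.0.0", "reachable": True, "path": "test/a.test.js"},
    {"cve": "CVE-EXAMPLE-0003", "package": "bigml", "dev_only": False,
     "fixed_version": "2.12.0", "reachable": False, "path": "ml/train.py"},
    {"cve": "CVE-EXAMPLE-0004", "package": "parser", "dev_only": False,
     "fixed_version": None, "reachable": True, "path": "src/config.js"},
    {"cve": "CVE-EXAMPLE-0005", "package": "oldpad", "dev_only": False,
     "fixed_version": "1.0.1", "reachable": True, "path": "vendor/legacy/pad.js"},
]

IGNORE_PATHS = ["vendor/*"]  # manual ignore rule: glob matched against the repo path


def triage(findings, ignore_paths=IGNORE_PATHS):
    """Return (actionable, ignored).

    actionable: {cve: {"package", "fixed_version", "locations": [...]}}, one entry
                per CVE so the developer sees a single alert with sub-issues.
    ignored:    [(cve, path, reason)] so the suppression is auditable, not silent.
    """
    grouped = defaultdict(lambda: {"package": None, "fixed_version": None, "locations": []})
    ignored = []
    for f in findings:
        if f["dev_only"]:
            ignored.append((f["cve"], f["path"], "development-only dependency"))
        elif f["fixed_version"] is None:
            ignored.append((f["cve"], f["path"], "no fix available yet"))
        elif not f["reachable"]:
            ignored.append((f["cve"], f["path"], "vulnerable function not reached"))
        elif any(fnmatch(f["path"], pat) for pat in ignore_paths):
            ignored.append((f["cve"], f["path"], "manual ignore rule"))
        else:
            g = grouped[f["cve"]]
            g["package"], g["fixed_version"] = f["package"], f["fixed_version"]
            g["locations"].append(f["path"])
    return dict(grouped), ignored
```

Run `triage(FINDINGS)` and six raw findings collapse to one actionable alert with two locations, while the four suppressed ones keep a stated reason, which is what lets the "ignored" list be revisited when a fix ships.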

Boosting the Signal with Contextual Sensitivity Tuning

A security issue discovered in a repository handling sensitive data should be scored differently from the same issue in an internal-only repository that doesn't persist data at all.

Figure: example of how you can configure the sensitivity of data managed in a repo.

Aikido provides various contextual indicators for every repository, helping uncover more security risks and appropriately weighting an issue's final severity score.

For example, by adding a domain name, Aikido can perform targeted scans for issues such as SSL vulnerabilities, cookie misconfigurations, whether a Content Security Policy (CSP) has been applied, and cross-site scripting (XSS).

Additional contextual examples include whether the application has internet access and which environments the application is deployed in.

Boosting the Signal for Exploitation Risk

Aikido uses real-time indicators to track the probability of a CVE being exploited in the wild, such as confirmed cases of exploitation, public code documenting how to perform the exploit, and any customer-specific cloud infrastructure concerns which may make them particularly vulnerable.

And because Aikido monitors both your code and cloud infrastructure, it can boost the severity of "toxic combination" issues arising from the specific conditions under which your application is hosted. For example, AWS instances that still allow IMDS API version 1 (IMDSv1) are more vulnerable to SSRF exploits, which can expose AWS credentials.
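As an added illustration of the two "boosting the signal" ideas above (this is example code written for this post, not Aikido's scoring engine): a severity score that is weighted by the repository's data sensitivity, bumped for exploitation indicators, and bumped again when an SSRF finding lands in a repo whose EC2 hosts still accept IMDSv1. The `DescribeInstances` field names (`MetadataOptions.HttpTokens`, `HttpEndpoint`) are AWS's real ones; the instance IDs, tags, repo contexts and weights are constructed assumptions.

```python
# Constructed sample of the ec2:DescribeInstances response shape (real field
# names, placeholder IDs). In practice this comes from boto3's
# ec2.describe_instances(); a "repo" tag is assumed to link host to repository.
DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-EXAMPLE-api", "Tags": [{"Key": "repo", "Value": "payments-api"}],
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-EXAMPLE-worker", "Tags": [{"Key": "repo", "Value": "payments-api"}],
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-EXAMPLE-docs", "Tags": [{"Key": "repo", "Value": "docs-site"}],
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]}

# Constructed repository context; sensitivity levels and weights are assumptions.
REPOS = {"payments-api": {"sensitivity": "high", "internet_facing": True},
         "docs-site": {"sensitivity": "low", "internet_facing": True}}
SENSITIVITY_WEIGHT = {"low": 0.7, "medium": 1.0, "high": 1.3}


def imdsv1_instances(resp):
    """Map instance ID -> repo tag for hosts that still answer IMDSv1, i.e. the
    metadata endpoint is on and a session token is not required. Remediation:
    aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required"""
    out = {}
    for reservation in resp["Reservations"]:
        for inst in reservation["Instances"]:
            mo = inst.get("MetadataOptions", {})
            if mo.get("HttpEndpoint") == "enabled" and mo.get("HttpTokens") != "required":
                repo = next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == "repo"), None)
                out[inst["InstanceId"]] = repo
    return out


def score(finding, repos=REPOS, resp=DESCRIBE_INSTANCES, max_score=10.0):
    """Final severity: base * sensitivity weight, + exploitation indicators,
    + 2.0 for the SSRF-on-IMDSv1-host toxic combination. Returns (score, reasons)."""
    repo = repos[finding["repo"]]
    s = finding["base_severity"] * SENSITIVITY_WEIGHT[repo["sensitivity"]]
    reasons = []
    if finding.get("exploited_in_wild"):
        s += 2.0; reasons.append("confirmed exploitation in the wild")
    elif finding.get("public_exploit"):
        s += 1.0; reasons.append("public exploit code available")
    if finding["type"] == "ssrf" and repo["internet_facing"]:
        hosts = sorted(h for h, r in imdsv1_instances(resp).items() if r == finding["repo"])
        if hosts:
            s += 2.0; reasons.append(f"toxic combination: SSRF in a repo hosted on IMDSv1 instances {hosts}")
    return round(min(s, max_score), 1), reasons
```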

Summary

Traditional security tools don't care about developer productivity. They're more than happy to bury a repository in a pile of false positives, wasting developers' time that could've been better spent actually resolving security issues.

What makes Aikido different is that we see the link between developer productivity and security. By removing irrelevant alerts and CVEs, genuine threats get more attention, and as a result, fixes get applied faster.

This win-win for developers and security is what we're all about and is how we're curing Security Alert Fatigue Syndrome for our customers.

Want to see it in action? Sign up to scan your first repos & get your first results in less than 2 minutes.
