See for yourself – run a scan on your code right now

Over the past few weeks, we’ve published a series of blogs related to CWEs: we’ve taken a look at the changes in the Top 25 Most Dangerous Software Weaknesses over the past year, as well as some of the vulnerabilities included on the list:

With that information in hand, what can someone in software engineering or application security do about possible security risks in their code?

Finding weaknesses and vulnerabilities

The first step toward determining how secure your application is is to find as many of the vulnerabilities that are present in your application as possible. There are various tools that you can use at different parts of the software development lifecycle (SDLC).

There is a time and place for each type of security tool. Linters are great for near-instantaneous feedback during the development process. SAST is a good option for integrating into your pull request pipeline and is often bundled with SCA for use with open-source packages and libraries. DAST tools are excellent for detecting existing vulnerabilities in production code that can be triggered.

In the end, the best option is to mix-and-match options so that your engineers are getting feedback at all points of the SDLC. Once you’ve gained this information, including whether you have any CWEs present, you can continue by learning the best methods for mitigating these issues.

Mitigating identified weaknesses and vulnerabilities

Once you have a list of the weaknesses and vulnerabilities, including CWEs, that are present in your application, you can begin mitigating them to lessen the risk of your application being compromised:

  • Sanitization of all user-provided input
  • Encryption of data
  • Use of libraries or frameworks to implement features security
  • Updating libraries and frameworks used to leverage security fixes
  • Minimizing the attack surface

The specific technique that applies is dependant on the vulnerability present in your code. Different issues require different fixes, so in some cases, the first step might be to learn about the topic, why it is problematic, and what the best courses of action could be (and from there, narrow down the results that best fit your needs).

SCA and Prioritization

That said, there’s a possibility that the sheer number of vulnerabilities present may be overwhelming. In that case, you may want to leverage the power of an SCA tool. These tools, typically bundled with SAST options, allow you to determine the vulnerabilities introduced via open-source libraries.

More importantly, some will prioritize them based on whether they are attacker-reachable. For example, a vulnerability that cannot ever be reached is a lower priority than one that can be. Just as first responders triage, so too can your AppSec team triage the security threats to your application.

Visit ShiftLeft Learn to continue your application security education today!

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit:


See for yourself – run a scan on your code right now