This is a guest blog post from Brian Vermeer, Developer Advocate at Snyk
Developers practically live in their integrated development environment (IDE). An IDE like IntelliJ IDEA is in most cases an essential tool for developers to help make development more productive and creative.
A recent survey run by Snyk revealed that 81% of respondents believe developers should own the security responsibility of their applications. However, many developers are unsure of where to start with security.
In reality, most companies still work with a dedicated security team, which performs company-wide audits rather than integrating security responsibilities as part of the core development team.
DevSecOps: A modern approach to security
The DevSecOps approach helps development teams create code and be responsible for its behavior in production. In addition, development teams also treat security as part of their day-to-day work. Ideally, all team members should have security expertise and share responsibility for security.
To test for security during the development process, there are basic tools and tasks that developers should add to their ongoing responsibilities. During application development, developers are always looking for libraries and frameworks that can help achieve their goal. If a library can handle certain boilerplate aspects, a developer can focus on the custom business logic.
The only problem is—what happens if a dependency is included in the pom file? In many major enterprise applications, once a dependency is included in a pom file, it stays in the file forever, even if the dependency is not used anymore in the code. These unused dependencies are still available in your program and might contain exploitable vulnerabilities. Overall, whether a dependency is used or not, developers should verify whether it is safe to include in their system.
Shifting security left
It’s important that we shift security testing for vulnerable dependencies from right to left. In so doing, our testing would occur before we even commit our code to our project repository. Developers should check whether a dependency version is safe to include when it is first introduced, in addition to the checks that developers run prior to production. By scanning dependencies when first added to the codebase, we eliminate the unnecessary code reworking that otherwise might be necessary when upgrading to a newer version. Upgrading a dependency, as we all know, may require code alterations. So the fastest and most efficient approach is to avoid adding vulnerable dependencies in your projects by scanning your dependencies at the very moment you add them.
Testing your dependencies with Snyk
At Snyk we can provide you with tools to scan your project for vulnerable dependencies. We match your dependencies against our own proprietary vulnerability database, which includes all the “Common Vulnerabilities and Exposures” (CVE) list, and much more. Our security team enriches the Snyk vulnerability database with many more vulnerable dependencies that do not have associated CVE entries, but can cause just as much harm to your system.
If you like command line tools, install the Snyk CLI locally to run snyk_test from your terminal window. Use the CLI from within IntelliJ IDEA or from a separate terminal. This provides you with all the information you need about security vulnerabilities in your dependencies. But if you’d prefer a fully integrated solution into your IDE, we’ve got you covered.
The Snyk IntelliJ IDEA plugin
According to the 2018 JVM Ecosystem survey, IntelliJ IDEA is the most-used IDE in the Java community, with 45% of respondents stating that they use IntelliJ IDEA.
Snyk offers an integrated plugin that works on both the IntelliJ IDEA community and paid offerings. This plugin scans your Maven dependencies for vulnerabilities while you code. No need to use the terminal anymore.
Installing the plugin is easy. Go to Preferences > Plugins and search for “Snyk”. The Snyk Vulnerability Scanning plugin pops up from that view. Follow the instructions and you are good to go.
The Snyk plugin is located as a tab in the bottom right-hand corner of your screen. Refresh your Maven dependencies to run the scan and see if you have vulnerable dependencies.
If there are vulnerabilities, click details to view the Snyk vulnerability page. This page provides more insight into the nature of the issue and displays the severity score.
Even more impressive is when you have a transitive dependency with a vulnerability. The plugin displays the full dependency tree step by step, including the direct dependency and the vulnerable transitive dependency.
Click the vulnerability to automatically jump to the pom file dependency declaration. This can be extremely useful when your pom file has a lot of dependencies. Now you can either choose to upgrade the direct dependency or exclude the vulnerable transitive dependency.
The Snyk plugin also provides a suggested upgrade if one is available. This is shown in green. The version is not necessarily the newest version of that dependency but is the first available version that solves the specific vulnerability. When clicking on the green remediation advice, the recommended dependency tree up to the specific fixed transitive dependency is displayed.
Plugins for PMD, checkstyle and findbugs help you write better code. Use the Snyk plugin to instantly see if a dependency you introduced has one or more vulnerabilities.
The Snyk plugin for IntelliJ IDEA is a powerful addition that helps you to avoid using vulnerable dependencies. With Snyk, you can write better, more secure software, without leaving your favorite IDE.