Code Security Scanning with Amazon Q Developer: A Comprehensive Guide


In the realm of software development, one of the foremost goals is to create products that adhere to stringent data privacy and security standards, thereby instilling confidence among users. Developers aim to fortify their software by uncovering and addressing security vulnerabilities within their codebases, enhancing resilience against cyber threats. Amazon Q Developer, a generative AI-driven assistant, facilitates an early focus on security within the software development lifecycle (SDLC) by offering real-time guidance to developers as they code within their integrated development environment (IDE).

As a developer, you can leverage the code security scanning capabilities of Amazon Q Developer to proactively identify and rectify security vulnerabilities in both existing and newly written code. Powered by a multitude of security detectors across various programming languages, Amazon Q Developer enables you to build software that meets security standards and earns customer trust. By addressing the findings generated by Amazon Q Developer, you can significantly reduce security vulnerabilities and decrease costs by resolving issues early in the development process, before they escalate to later stages like testing.

This blog discusses the code security scanning feature of Amazon Q Developer and the various security detectors employed in the scanning process. We will demonstrate the auto-scan functionality that evaluates your code in real time, guide you through initiating a security scan of an active project and its dependencies in the IDE, and review the findings related to identified security vulnerabilities. Additionally, we will explore the automated remediation options available through Amazon Q Developer for fixing these vulnerabilities. Finally, we will analyze the performance of Amazon Q’s security scans and compare them with similar tools based on respected public benchmarks.

Code Security Scanning

Amazon Q Developer supports secure coding practices by offering two scanning methods: “Scan Your Project” and “Scan as You Code.” The tool can perform on-demand scans of your entire project while also providing real-time scanning as you write in the IDE.

The code security scanning feature integrates thousands of security detectors across more than a dozen programming languages, each offering unique benefits for vulnerability detection. The scanning process generates a detection message that includes a description of the issue and a recommended fix. Some detections come with suggested code fixes that Amazon Q Developer can implement directly within the IDE. If you opt to fix the code, Amazon Q Developer will make the necessary updates.

Running Security Scans

To run a security scan, you must first install the Amazon Q Developer plugin in a supported IDE, such as JetBrains IntelliJ. After authenticating with the Amazon Q Developer service, you’ll find a section for Security Scans, which includes the option to “Run Project Scan” in the Amazon Q Developer menu. For those subscribed to Amazon Q Developer Pro, auto-scans are enabled by default, along with an option to pause auto-scans.

When auto-scan is active, security scans run periodically in the background, highlighting vulnerabilities detected in the file you’re currently editing. For example, a hard-coded password used for database access is a significant security risk: once the code is pushed to the repository, anyone who can read the repository can read the credential.

As you write, Amazon Q will highlight the method call after a few seconds. Hovering over the highlighted code reveals a detection message that includes information about the associated Common Weakness Enumeration (CWE) and the detector library used. It may also suggest a code fix, if applicable.

Figure: Scan as You Code

Scan Your Project

While the auto-scan feature is exclusive to Amazon Q Developer Pro Tier, manual scan capabilities are available in both the Pro and Free Tiers. You can assess the entire codebase by selecting the “Run Project Scan” option in the Amazon Q Developer menu, which activates all detectors on your project.

Once the scanning of the active project and its dependencies is complete, a list of all identified vulnerabilities will appear in a new tab titled “Amazon Q Security Issues.” Selecting an item from this list will open the relevant file and position the cursor at the location of the detected issue. For instance, if the hard-coded password is found, it will be highlighted, and hovering over it will display a window with information about the detected vulnerability, including its CWE — in this case, CWE-798 — along with resolution options.

Figure: Locate the Code Where the Security Vulnerability is Detected

By choosing the “Amazon Q: Explain” option in the information window, Amazon Q will elaborate on the vulnerability, clarifying what it is, its potential impact, and offering advice on how to remedy the issue. Here, Amazon Q might suggest retrieving the password from environment variables, explaining how this approach mitigates the risk.

Figure: Explanation of the Security Vulnerability

If Amazon Q has a supported remediation for the detected vulnerability, this is clearly indicated with a green “Yes” under “Code Fix Available” in the information window. The “Suggested Code Fix Preview” section outlines all changes to be made in the file as part of the suggested fix, shown as a diff so you can review them before accepting. Once satisfied, you can instruct Amazon Q to “Apply Fix,” which applies the suggested patch to your code. In this example, Amazon Q Developer replaces the hard-coded password with a lookup from environment variables, so the secret is no longer committed to the code repository.

Figure: Fix the Code to Remediate the Security Vulnerability
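The hard-coded credential scenario walked through above, as an added example that is not from the post and not Amazon Q Developer's own code: a constructed vulnerable snippet beside its remediated form, a small pattern-based check in the spirit of a CWE-798 detector, and a fail-closed environment lookup. The regex, the variable names, the sample password and the psycopg2 call are assumptions made for illustration.

```python
import os
import re
from typing import List, Mapping, Optional, Tuple

# Constructed "before" snippet: the pattern a CWE-798 detector reports.
VULNERABLE_SOURCE = '''\
import psycopg2
password = "hunter2"  # hard-coded credential (constructed sample)
conn = psycopg2.connect(host="db", user="app", password=password)
'''

# Constructed "after" snippet: the credential now comes from the environment.
FIXED_SOURCE = '''\
import os
import psycopg2
password = os.environ["DB_PASSWORD"]
conn = psycopg2.connect(host="db", user="app", password=password)
'''

# Assignment of a non-empty string literal to a credential-like variable name.
# This is a deliberately simple illustration of the detector idea, not Amazon Q's rule.
_CREDENTIAL_ASSIGNMENT = re.compile(
    r'^\s*(?P<name>\w*(password|passwd|secret|token|api_key)\w*)\s*=\s*["\'][^"\']+["\']',
    re.IGNORECASE,
)


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str]]:
    """Return (line number, variable name) for every hard-coded credential assignment."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = _CREDENTIAL_ASSIGNMENT.match(line)
        if match:
            findings.append((lineno, match.group("name")))
    return findings


def get_db_password(env: Optional[Mapping[str, str]] = None) -> str:
    """Remediated lookup: read the secret from the environment and fail closed if absent."""
    env = os.environ if env is None else env
    value = env.get("DB_PASSWORD", "")
    if not value:
        # An empty or missing secret must not silently become an empty password.
        raise RuntimeError("DB_PASSWORD is not set; refusing to start with an empty credential")
    return value
```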

Detection Accuracy & Benchmarking

We evaluate the effectiveness of detectors through the lens of false positives and false negatives. A false positive occurs when a detector erroneously indicates a vulnerability exists, while a false negative denotes a genuine vulnerability that goes undetected. We use two primary metrics, Precision and Recall, to assess the performance of Amazon Q’s security scans. Precision measures the accuracy of positive predictions, with a precision of 1.0 indicating no false positives. In essence, precision examines how many of the vulnerabilities identified by the detector are legitimate.
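How a benchmark turns false positives and false negatives into the precision and recall figures described above, as an added example that is not from the post: findings are matched against labelled ground truth at (file, line, CWE) granularity, overall and per CWE. The ground truth, scanner output and the convention of reporting 1.0 when a ratio is undefined are assumptions for illustration.

```python
from typing import Dict, Set, Tuple

# A finding is identified by (file, line, CWE id); a benchmark scores a scanner by
# matching its reported findings against labelled ground truth at this granularity.
Finding = Tuple[str, int, str]

# Constructed ground truth for a tiny benchmark (not from any real suite).
GROUND_TRUTH: Set[Finding] = {
    ("db.py", 12, "CWE-798"),   # hard-coded credential
    ("web.py", 40, "CWE-79"),   # cross-site scripting
    ("cmd.py", 8, "CWE-78"),    # OS command injection
}

# Constructed scanner output: two true hits, one false alarm, one miss.
SCANNER_FINDINGS: Set[Finding] = {
    ("db.py", 12, "CWE-798"),
    ("web.py", 40, "CWE-79"),
    ("util.py", 3, "CWE-798"),  # false positive
}


def score(findings: Set[Finding], truth: Set[Finding]) -> Dict[str, float]:
    """Count true/false positives and false negatives, then derive precision and recall."""
    tp = len(findings & truth)   # reported and real
    fp = len(findings - truth)   # reported but not real
    fn = len(truth - findings)   # real but not reported
    # Precision is undefined when nothing was reported; a silent scanner raised no
    # false alarms, so (by assumption) report 1.0 instead of dividing by zero.
    precision = tp / (tp + fp) if (tp + fp) else 1.0
    # Recall is undefined on an empty benchmark; same convention.
    recall = tp / (tp + fn) if (tp + fn) else 1.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


def score_by_cwe(findings: Set[Finding], truth: Set[Finding]) -> Dict[str, Dict[str, float]]:
    """Per-CWE scores: a good overall number can hide zero recall for one weakness class."""
    cwes = {f[2] for f in findings} | {t[2] for t in truth}
    return {
        cwe: score({f for f in findings if f[2] == cwe}, {t for t in truth if t[2] == cwe})
        for cwe in sorted(cwes)
    }
```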

