Amazon IXD – VGT2 Las Vegas: Enhancing Code Security with Amazon Q Developer


A key goal for software developers is to create products that adhere to stringent standards of data privacy and security, thus building trust and confidence with their users and customers. Developers strive to safeguard their software by pinpointing and addressing security vulnerabilities within their codebase, boosting its resilience against cyber threats. Amazon Q Developer, a generative AI-powered assistant, facilitates this by prioritizing security earlier in the software development life cycle (SDLC) and guiding developers as they write code within their integrated development environment (IDE).

With Amazon Q Developer’s code security scanning feature, you can proactively identify and eliminate security vulnerabilities both in your existing codebase and in new code as you write it. The tool is equipped with thousands of security detectors across various programming languages, helping you develop secure software that meets necessary requirements and fosters customer trust. By addressing the issues identified by Amazon Q Developer, you can significantly reduce the number of vulnerabilities in your software and lower costs by tackling these issues early in the development process before they advance to later stages like testing.

This blog post delves into the code security scanning capabilities of Amazon Q Developer and the security detectors it employs to assess your code. We will first showcase the auto-scan functionality of Amazon Q Developer, which evaluates the code in real-time as you write it. Next, we will walk through how to initiate a security scan of an active project and its dependencies in the IDE, review the findings related to detected vulnerabilities, and utilize the automated remediations offered by Amazon Q Developer to address these vulnerabilities. Finally, we will provide an analysis of Amazon Q’s performance in security scans and compare it with similar tools based on respected public benchmarks.

Code Security Scanning

Amazon Q Developer assists you in adhering to secure coding practices by offering two methods to scan your code: “Scan your project” and “Scan as you code.” The tool can perform on-demand scans of your entire project while also scanning your code in real-time as you write it in the IDE.

Currently, the code security scanning feature of Amazon Q Developer includes thousands of security detectors across more than a dozen programming languages, each providing unique benefits and a comprehensive range of vulnerability detection capabilities. The scan generates a detection message that details the issue and suggests a fix. Some security vulnerability detections come with a recommended code fix that Amazon Q Developer provides within the IDE. If you opt to apply the fix, Amazon Q Developer will automatically update your code.

Running Security Scans

To run a security scan, you first need to install the Amazon Q Developer plugin in a supported IDE of your choice. In this walkthrough, we will use the JetBrains IntelliJ IDE. Once authenticated with the Amazon Q Developer service, you’ll see the Security Scans section, including an option to “Run Project Scan,” in the Amazon Q Developer menu. If you are subscribed to the Amazon Q Developer Pro tier, auto-scans are enabled by default, and you will see an additional option to “Pause Auto-Scans” in the menu.

When the auto-scan feature is activated, the security scans run in the background periodically, highlighting any vulnerabilities detected in the file where you are currently coding. For instance, let’s consider a scenario where a hard-coded password is used to establish a database connection. This poses a significant security risk because once this code is committed to the repository, an attacker could exploit this password to gain unauthorized access to the database.

As the developer writes the code, after a few seconds, Amazon Q highlights the method call. If you hover over the highlighted code, an informational window appears displaying a detection message generated by the security scan. This message includes a link to the specific Common Weakness Enumeration (CWE) associated with the vulnerability and the detector library used. It may also present a code fix, if available.

Scan Your Project

While the auto-scan feature is exclusive to the Amazon Q Developer Pro Tier, the option to run manual scans is available in both Pro and Free Tiers. You can evaluate the entire codebase by selecting the “Run Project Scan” option in the Amazon Q Developer menu. This action runs all detectors on your project.

Once Amazon Q completes the scan of the active project and its dependencies, a list of all vulnerabilities appears in a new tab called Amazon Q Security Issues. Clicking on an item from this list will open the file where the vulnerability was detected, placing the cursor on the exact location of the issue within the codebase. For example, the hard-coded password will be highlighted. Hovering over the highlighted issue will bring up a window with information about the detected vulnerability, including the CWE (e.g., CWE-798) and options for resolution.

Locating the Code with Detected Vulnerabilities

By selecting the “Amazon Q: Explain” option in the information window, Amazon Q will provide a detailed explanation of the vulnerability. This enhances your understanding of the flaw, its potential harm, and may offer advice for remediation. You may see Amazon Q explaining the vulnerability and suggesting that the password be retrieved from environment variables, explaining how this fixes the issue.

Remediation of Detected Vulnerabilities

When Amazon Q has a supported remediation for the identified vulnerability, it is indicated by a green “Yes” under “Code fix available” in the information window. The Suggested code fix preview section shows all code changes that will be made as part of the fix, presented as a diff of the affected lines. Once satisfied with the adjustments, you can instruct Amazon Q to “Apply fix” by selecting the button. In this scenario, Amazon Q Developer replaces the hard-coded password with a lookup from environment variables, so the secret value is no longer part of the source that gets committed to the code repository.
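The walkthrough above describes the CWE-798 finding and its fix but shows no code, so here is an added example (not from the original post or from Amazon Q Developer) in Python: the hard-coded credential pattern that a secret detector flags, the environment-variable form the fix moves to, and a deliberately simplified line-based check that illustrates the kind of pattern such a detector matches. The host, user, `DB_PASSWORD` variable name and the sample source text are constructed for the example; the regex is an illustration, not Amazon Q's detector.

```python
import os
import re

# Before the fix: the credential lives in source, so anyone with repository
# access can read it (CWE-798). The literal below is a constructed placeholder.
def connect_insecure():
    return {"host": "db.internal", "user": "app", "password": "S3cr3t!"}

# After the fix: the secret is read from the process environment at runtime and
# the function fails closed if it is missing, rather than falling back to a default.
def connect_secure(env=None):
    env = os.environ if env is None else env
    password = env.get("DB_PASSWORD")
    if not password:
        raise RuntimeError("DB_PASSWORD is not set; refusing to connect")
    return {"host": "db.internal", "user": "app", "password": password}

# Simplified detector: flag lines assigning a quoted string literal to a
# password-like name. Reading the value from a variable or a call does not match.
HARDCODED_PASSWORD = re.compile(r"""password\s*=\s*["'][^"']+["']""", re.IGNORECASE)

def find_hardcoded_passwords(source: str) -> list[int]:
    """Return 1-based line numbers whose text contains a hard-coded password."""
    return [
        lineno
        for lineno, line in enumerate(source.splitlines(), start=1)
        if HARDCODED_PASSWORD.search(line)
    ]

# Constructed sample: line 1 is the insecure form, lines 2-3 are the remediated form.
SAMPLE_SOURCE = """conn = connect(host="db.internal", user="app", password="S3cr3t!")
password = os.environ.get("DB_PASSWORD")
conn = connect(host="db.internal", user="app", password=password)
"""

if __name__ == "__main__":
    print("hard-coded password on lines:", find_hardcoded_passwords(SAMPLE_SOURCE))
```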

Detection Accuracy & Benchmarking

We assess the accuracy of detectors by examining false positives and false negatives; a false positive occurs when the detector claims a vulnerability exists when it doesn’t, while a false negative is when a vulnerability exists but is not detected. We utilize two key metrics, Precision and Recall, to evaluate Amazon Q’s security scan performance. Precision measures the accuracy of positive predictions; a precision score of 1.0 indicates no false positives. In other words, precision answers the question of how many of the vulnerabilities detected by a detection tool are genuine.


