Slide 1
Most trusted JOB oriented professional program
DevOps Certified Professional (DCP)

Take your first step into the world of DevOps with this course, which will help you to learn about the methodologies and tools used to develop, deploy, and operate high-quality software.

Slide 2
DevOps to DevSecOps – Learn the evolution
DevSecOps Certified Professional (DSOCP)

Learn to automate security into a fast-paced DevOps environment using various open-source tools and scripts.

Slide 2
Get certified in the new tech skill to rule the industry
Site Reliability Engineering (SRE) Certified Professional

A method of measuring and achieving reliability through engineering and operations work – developed by Google to manage services.

Slide 2
Master the art of DevOps
Master in DevOps Engineering (MDE)

Get enrolled for the most advanced and only course in the WORLD which can make you an expert and proficient Architect in DevOps, DevSecOps and Site Reliability Engineering (SRE) principles together.

Slide 2
Gain expertise and certified yourself
Azure DevOps Solutions Expert

Learn about the DevOps services available on Azure and how you can use them to make your workflow more efficient.

Slide 3
Learn and get certified
AWS Certified DevOps Professional

Learn about the DevOps services offered by AWS and how you can use them to make your workflow more efficient.

previous arrow
next arrow

How can we do the security analysis using SonarQube?

security-analysis-using-sonarqube
Spread the Knowledge

security-analysis-using-sonarqube

How can we do the Security analysis using SonarQube?

For Security analysis purposes, a source code security analyzer
– examines source code to
– detect and report weaknesses that can lead to security vulnerabilities.

 

They are one of the last lines of defense to eliminate software vulnerabilities during development or after deployment. A Source Code Security Analysis Tool Functional Specification is available.

 

The SonarQube Quality Model has three different types of rules: Reliability (bug), Vulnerability (security), and Maintainability (code smell) rules. But divided another way, there are only two types: security rules, and all the rest.

 

To be clear, the standard for most rules implemented in SonarQube language plugins is very strict: no false positives. For normal rules, you should be able to be confident that whatever is reported to you as an issue really is an issue.

 

The vast majority of security-related rules originate from established standards: CWE, SANS Top 25, and OWASP Top 10. To find rules that relate to any of these standards, you can search rules either by tag or by text.

 

CWE – Common Weakness Enumeration (CWE™) is a formal list or dictionary of common software weaknesses that can occur in software’s architecture, design, code or implementation that can lead to exploitable security vulnerabilities.

 

SANS Top 25 – The SANS Top 25 list is a collection of the 25-most dangerous errors listed in the CWE, as compiled by the SANS organization.

 

OWASP Top 10 – OWASP stands for Open Web Application Security Project.The OWASP Top 10 is a list of broad categories of weaknesses, each of which can map to many individual rules.

 

XANITIZER – XANITIZER provides an integration with the code quality management platform SonarQube. It transfers all security relevant XANITIZER findings to SonarQube. It is possible to display this data in the SonarQube dashboard and the corresponding drilldown pages and time machines.

 

Reference
SonarQube Tutorial & OWASP SonarQube Tutorial Securing Code (SAST) Crash Course:- https://bit.ly/3x5ZOmA
Rajesh Kumar