June 1st 2012 was the official one-year mark since WhiteHat Security and Infrared Security decided to join forces to create WhiteHat Sentinel Source. After a significant amount of hard work from a lot of great people, WhiteHat Sentinel Source has gone public! I’m going to use this opportunity to write up a bit of a nostalgic blog post… while still keeping my Don Draper game face on of course. Having been an application security consultant for years, I’ve developed a pretty big chip on my shoulder as it relates to existing static analysis tools. I said to myself time and time again… “There has to be a better way to do this!” I put that energy to good use and infused our technology and service offering with the following core static analysis values that truly separate WhiteHat Sentinel Source from the competition:
1. Invest in Performance:
In order to support an Agile-paced development world, both scan time and verification turnaround time are critical to success. We are constantly investing in our core technology and processes to ensure the fastest turnaround time possible!
2. Support Modern Programming Paradigms:
Development teams have adopted modern programming paradigms and technologies that throw existing static analysis tools for a loop: Object-Oriented Programming, Aspect-Oriented Programming, Inversion of Control, Dependency Injection, etc. Each of these moves control or data flow away from the call site: a virtual call, an aspect woven in at runtime, or a dependency supplied by a container is invisible to a tool that only reads the code in front of it. We are constantly striving to ensure that our technology can model these paradigms and therefore model modern source code accurately!
3. Strive for Actionable Results:
Reviewing 100+ “findings” is a complete burden and dilutes the value of the technology. We are striving for quality over quantity throughout our core engine and RulePack development processes! “No grep-like rules” is something you’ll hear me say frequently: a rule that flags every call to a dangerous API without tracing whether attacker-controlled data actually reaches it produces a pile of findings that nobody will act on.
4. Provide Feedback Early:
Performing source code scans at the end of a development initiative, or even waiting until the project distributable can be built, is too late! Teams are constantly requesting feedback during the development phases, not at the end. We are constantly striving to integrate with source code repositories so that we can provide feedback early in the development phase. This, coupled with our core technology performance, makes daily scans possible!
5. Leave Security to Security:
Putting a large static analysis report in front of a developer and expecting them to triage and fix the results is a complete waste of time and energy. We are constantly striving to enable developers to remediate significant vulnerabilities more effectively by performing the triage ourselves.
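The contrast between a grep-like rule (value 3) and a data-flow engine that models a dependency-injection container (value 2), as an added example that is not WhiteHat Sentinel Source code and does not describe its engine. It is written in Python rather than Java so that it runs stand-alone with only the standard library; the sample program under analysis, the `WIRING` container configuration and the names `Shell`, `ReportService`, `grep_rule` and `dataflow_rule` are all constructed for the illustration.

```python
# Added example, not WhiteHat Sentinel Source code: a grep-like rule versus a
# small taint-tracking pass over Python source, including a sink that is only
# reachable through a dependency-injected field.
import ast
import re

# Constructed program under analysis. The container wires ReportService.shell
# to a Shell instance; nothing in the source says so, as with Spring or Guice.
SAMPLE = '''
import subprocess

class Shell:
    def run(self, cmd):
        subprocess.call(cmd, shell=True)

class ReportService:
    def __init__(self, shell):
        self.shell = shell

    def export(self, request):
        name = request.args["name"]
        self.shell.run("zip " + name)

    def cleanup(self):
        subprocess.call("rm -f /tmp/report.zip", shell=True)
'''
# Hypothetical container configuration: "Class.field" -> injected class name.
WIRING = {"ReportService.shell": "Shell"}
SINKS = {"subprocess.call"}   # first argument must not be attacker-controlled
SOURCES = {"request"}         # names whose contents are attacker-controlled


def grep_rule(source, pattern=r"subprocess\.call\(|\.run\("):
    """Grep-like rule: every line that mentions a sink is a 'finding'."""
    return [n for n, line in enumerate(source.splitlines(), 1) if re.search(pattern, line)]


def dotted(node):
    """'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    return any(isinstance(n, ast.Name) and n.id in tainted for n in ast.walk(expr))


def analyze(fn, tainted, classes, wiring, owner):
    """Forward taint pass over one method; returns line numbers of sinks reached by taint."""
    tainted = set(tainted)
    hits = []

    def check_call(call):
        callee = dotted(call.func)
        if callee in SINKS:
            if call.args and is_tainted(call.args[0], tainted):
                hits.append(call.lineno)
            return
        parts = (callee or "").split(".")
        if len(parts) == 3 and parts[0] == "self":        # self.<field>.<method>(...)
            cls = wiring.get(f"{owner}.{parts[1]}")        # resolve the injected type
            target = classes.get(cls, {}).get(parts[2])
            if target is None:
                return                                     # unknown field: flow is lost
            params = [a.arg for a in target.args.args if a.arg != "self"]
            for i, arg in enumerate(call.args):
                if i < len(params) and is_tainted(arg, tainted) \
                        and params[i] in sink_params(target, classes, wiring, cls):
                    hits.append(call.lineno)
                    return

    def visit(node):
        if isinstance(node, ast.Assign) and is_tainted(node.value, tainted):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        if isinstance(node, ast.Call):
            check_call(node)
        for child in ast.iter_child_nodes(node):        # source order, unlike ast.walk
            visit(child)

    visit(fn)
    return hits


def sink_params(fn, classes, wiring, owner):
    """Summary of a callee: which of its parameters reach a sink when tainted."""
    return {a.arg for a in fn.args.args
            if a.arg != "self" and analyze(fn, {a.arg}, classes, wiring, owner)}


def dataflow_rule(source, wiring):
    """Report a sink only when attacker-controlled data actually reaches it."""
    tree = ast.parse(source)
    classes = {c.name: {f.name: f for f in c.body if isinstance(f, ast.FunctionDef)}
               for c in tree.body if isinstance(c, ast.ClassDef)}
    findings = []
    for cname, methods in classes.items():
        for m in methods.values():
            findings += analyze(m, SOURCES, classes, wiring, cname)
    return sorted(set(findings))


if __name__ == "__main__":
    print("grep-like rule:", grep_rule(SAMPLE))
    print("taint tracking, container modelled:", dataflow_rule(SAMPLE, WIRING))
    print("taint tracking, container ignored:", dataflow_rule(SAMPLE, {}))
```

The grep rule reports all three lines that mention a sink, two of which are either constant or only dangerous through their caller; the taint pass reports the single line where request data reaches a shell command. Running the taint pass with an empty `WIRING` reports nothing at all, which is the blind spot value 2 is about: without a model of the container, `self.shell.run(...)` cannot be resolved to `Shell.run` and the flow is silently lost.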
While the success of WhiteHat Sentinel Source is attributable to many individuals, there are a few folks who really stand out:
Jerry is an incredibly well-rounded application security expert and a long-time friend. Jerry played a critical role in disseminating our static analysis strategy to the rest of the team and really bootstrapped our ability to talk about static analysis in a way that actually makes sense to people. I always thought I had a great ability to make application security topics digestible until I met this guy. Very much a forward-thinking person, I refuse to have strategic discussions without his input. Jerry has been helping me push static analysis since day 1 at Infrared Security, and now at WhiteHat. We would not have gotten even half this far without his efforts… thank you Jerry!
Siamak is an incredibly talented developer, architect, and leader. The benevolent development dictator, Siamak (a.k.a. Max) was responsible for spearheading the integration of static analysis into WhiteHat’s existing DAST service model. This large effort involved designing and building a persistence model for evolving codebases optimized for verification, scalability design, service delivery architecture, middleware integration, and overall project leadership. He’s already solved these challenges for DAST, so why not solve them for SAST too… thank you Max!
John, too, is an incredibly well-rounded application security expert with serious technical depth in Java. With his astounding work ethic, attention to detail, and everlasting pursuit of perfection, John Melton has become the lead of the Sentinel Source Java engine and RulePack R&D. His abilities and core values around product development give me the confidence I need to focus my energies on other development initiatives. He is also one of fewer than five people in the world who can call me out on my mistakes very directly and bluntly without my feeling insulted. I think it has to do with his southern accent… thank you John!
With the core technology in place and our integration with the Sentinel interface, WhiteHat Sentinel Source is ready! We fully intend to shake up this market and will continue to push forward with real innovation. We are making the pledge to strive for accuracy, timeliness and usability with our solution. We look forward to other vendors stepping up to our plate… competition will only make us work harder!!