Searching for security vulnerabilities
The Rule Security Analyzer can find specific JavaScript or SQL coding patterns that might indicate a security vulnerability. The most effective way to search for vulnerabilities is to run the Rule Security Analyzer several times, each time matching against a different regular expression rule.
- In Dev Studio, click .
- Complete the Search Criteria form, which is displayed in a new window.
- RuleSets – Select one or more rulesets to analyze.
- Optional: Rule Types – Choose one or more rule types within the chosen ruleset or rulesets to scan. If nothing is selected, the tool scans all rule types.
- Expression – Select the regular expression rule to use.
- Optional: RuleSet Version – If nothing is selected, the tool analyzes all versions. To limit the analysis, enter the version information in one of the following ways.
- Major version only (05)
- Major and minor version (05-05)
- Major version, minor version, and patch (05-05-05)
- Highest Version Only – Select True to scan only the highest version of each rule. Select False to scan all versions.
- Optional: Updated Since – If nothing is selected, the tool does not filter rules by date. To scan only rules updated after a certain date and time, click the Calendar button and enter the date and time to use.
- Also list activities that may start unauthenticated – If selected, the scan analyzes activities that have Allow direct invocation from the client or service selected and Require authentication to run unselected on the Security tab of the Activity rule form.
- Choose how you want the search results to be displayed.
- Run – The summarized search statistics are displayed below the filled Search Criteria form.
- Run and Export all to Excel – The summarized search statistics are displayed in an Excel file.
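The following is an added example and not Pega's code: a small Python model of how the Search Criteria above narrow a regex-driven scan. It filters a set of rule records by ruleset, rule type, version prefix (major, major-minor, or major-minor-patch), highest version only, and updated-since date, then matches one expression rule at a time against each remaining rule's source, and separately lists activities that may start unauthenticated. The rule names, versions, dates, sources and the two expression rules are constructed for the example; the page names no specific expressions.

```python
"""Simplified stand-in for the Rule Security Analyzer search (added example, not Pega's code)."""
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Rule:
    name: str
    ruleset: str
    rule_type: str
    version: str          # "MM-mm-pp", as in the RuleSet Version filter
    updated: datetime
    source: str
    direct_invocation: bool = False   # "Allow direct invocation from the client or service"
    require_auth: bool = True         # "Require authentication to run"


# Constructed sample rules (hypothetical names, not taken from the page)
SAMPLE_RULES = [
    Rule("ShowBanner", "MyApp", "HTML Fragment", "05-05-01",
         datetime(2023, 1, 10), "eval(userInput);"),
    Rule("ShowBanner", "MyApp", "HTML Fragment", "05-05-02",
         datetime(2023, 3, 2), "JSON.parse(userInput);"),
    Rule("FindOrders", "MyApp", "Connect SQL", "05-04-01",
         datetime(2022, 11, 5), "SELECT * FROM orders WHERE id = ' + custId + '"),
    Rule("GetConfig", "OtherApp", "Activity", "06-01-01",
         datetime(2023, 5, 1), "Property-Set", direct_invocation=True, require_auth=False),
    Rule("SaveOrder", "OtherApp", "Activity", "06-01-01",
         datetime(2023, 5, 1), "Obj-Save", direct_invocation=True, require_auth=True),
]

# Constructed regular expression rules; run the scan once per expression
EXPRESSIONS = {
    "js-eval": r"\beval\s*\(",
    "sql-concat": r"(SELECT|INSERT|UPDATE|DELETE)\b[^;]*'\s*\+",
}


def parse_version(v):
    return tuple(int(p) for p in v.split("-"))


def version_matches(rule_version, prefix):
    """'05' matches any 05-*, '05-05' any 05-05-*, '05-05-05' only that patch."""
    if prefix is None:
        return True
    want = parse_version(prefix)
    return parse_version(rule_version)[:len(want)] == want


def select_rules(rules, rulesets, rule_types=None, version=None,
                 highest_only=False, updated_since=None):
    """Apply the Search Criteria filters; an unselected filter imposes no restriction."""
    chosen = [r for r in rules if r.ruleset in rulesets
              and (not rule_types or r.rule_type in rule_types)
              and version_matches(r.version, version)
              and (updated_since is None or r.updated > updated_since)]
    if highest_only:
        best = {}
        for r in chosen:
            key = (r.ruleset, r.rule_type, r.name)
            if key not in best or parse_version(r.version) > parse_version(best[key].version):
                best[key] = r
        chosen = list(best.values())
    return chosen


def scan(rules, expression_name, **criteria):
    """Match one expression rule against the source of every selected rule."""
    pattern = re.compile(EXPRESSIONS[expression_name], re.IGNORECASE)
    return sorted((r.name, r.version) for r in select_rules(rules, **criteria)
                  if pattern.search(r.source))


def unauthenticated_activities(rules):
    """The 'Also list activities that may start unauthenticated' option."""
    return sorted(r.name for r in rules if r.rule_type == "Activity"
                  and r.direct_invocation and not r.require_auth)


def summarize(rules, **criteria):
    """One pass per expression rule, as the page recommends."""
    return {name: scan(rules, name, **criteria) for name in EXPRESSIONS}


if __name__ == "__main__":
    for name, hits in summarize(SAMPLE_RULES, rulesets={"MyApp"}).items():
        print(name, hits)
    print("unauthenticated activities:", unauthenticated_activities(SAMPLE_RULES))
```

Running the scan with Highest Version Only set illustrates why that filter matters: the pattern hit in ShowBanner 05-05-01 disappears once only 05-05-02 is examined, so a finding that was fixed in a later version is no longer reported, while a finding that persists into the highest version still is.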