The Rule Security Analyzer can find specific JavaScript or SQL coding patterns that
might indicate a security vulnerability. The most effective way to search for vulnerabilities is
to run the Rule Security Analyzer several times, each time matching against a different regular
expression rule. If the Rule Security Analyzer finds problems, you can fix them to make your
system more secure.
-
In the header of Dev Studio, click .
-
Complete the Search Criteria section.
-
Rulesets – To scan all rulesets, make sure the
All Rulesets check box is selected. To scan specific
rulesets, clear the check box and select one or more rulesets.
- Optional:
Ruleset version – To analyze all versions, leave this field
blank. To limit the analysis, enter the version information in one of the following
ways.
- Major version only (05)
- Major and minor version (05-05)
- Major version, minor version, and patch (05-05-05)
-
Allow highest version only – To scan only the highest
version of each rule, make sure the check box is selected. To scan all versions, clear
the check box.
- Optional:
Updated Since – To scan rules regardless of update date and
time, leave this field blank. To scan only rules updated after a certain date and
time, click the Calendar button and enter the date and time.
-
Rule Types – To scan all ruletypes within the chosen ruleset
or rulesets, make sure the All Ruletypes check box is selected.
To scan specific rule types within the chosen ruleset or rulesets, clear the check box
and select one or more rule types.
-
Allow unauthenticated activities visited in the list – If
you keep this check box selected, the tool analyzes activities that have
Allow direct invocation from the client or service selected
and Require authentication to run unselected on the
Security tab of the Activity rule form.
-
Expression List – Click Add
expression and select the regular expression to use for analyzing
rules.
-
Click Run Analyzer.
The summarized search statistics are displayed in the Search
Statistics section. For each rule type, the number of vulnerable rules and
the number of analyzed rules are shown.
- Optional:
To see the detailed results in an Excel spreadsheet, click Export as
Excel.
An Excel file is downloaded to your browser. For each vulnerability that is found, the
Excel file lists ruleset name and version, rule name, and other information.
What to do next: If you generated a spreadsheet as described above, use it as a
worksheet for analyzing and correcting potential vulnerabilities. The spreadsheet lists
"Unknown risk" in the vulnerability assessment column for all rows. You are responsible for
evaluating the risk for each finding and updating the spreadsheet. If you determine that the
at-risk value cannot be altered by an end-user, update the row's risk level to "False
positive" and provide an explanation. Otherwise, set the risk level to "High risk" or "Low
risk," depending on how easy it is to exploit the finding and the impact of a successful
exploit. Depending on your analysis, fix the at-risk vulnerabilities as described in Rule Security Analyzer.