The Rule Security Analyzer can find specific JavaScript or SQL coding patterns that
might indicate a security vulnerability. The most effective way to search for vulnerabilities is
to run the Rule Security Analyzer several times, each time matching against a different regular
expression rule. If the Rule Security Analyzer finds problems, you can fix them to make your
system more secure.
- In the header of Dev Studio, click .
- Complete the Search Criteria section.
  - Rulesets – To scan all rulesets, make sure the All Rulesets check box is selected. To scan specific rulesets, clear the check box and select one or more rulesets.
  - Optional: Ruleset version – To analyze all versions, leave this field blank. To limit the analysis, enter the version information in one of the following ways.
    - Major version only (05)
    - Major and minor version (05-05)
    - Major version, minor version, and patch (05-05-05)
  - Allow highest version only – To scan only the highest version of each rule, make sure the check box is selected. To scan all versions, clear the check box.
  - Optional: Updated Since – To scan rules regardless of update date and time, leave this field blank. To scan only rules updated after a certain date and time, click the Calendar button and enter the date and time.
  - Rule Types – To scan all rule types within the chosen ruleset or rulesets, make sure the All Ruletypes check box is selected. To scan specific rule types within the chosen ruleset or rulesets, clear the check box and select one or more rule types.
  - Allow unauthenticated activities visited in the list – If you keep this check box selected, the tool analyzes activities that have Allow direct invocation from the client or service selected and Require authentication to run unselected on the Security tab of the Activity rule form.
  - Expression List – Click Add expression and select the regular expression to use for analyzing rules.
- Click Run Analyzer.
  The summarized search statistics are displayed in the Search Statistics section. For each rule type, the number of vulnerable rules and the number of analyzed rules are shown.
- Optional: To see the detailed results in an Excel spreadsheet, click Export as Excel.
  An Excel file is downloaded to your browser. For each vulnerability that is found, the Excel file lists ruleset name and version, rule name, and other information.
What to do next: If you generated a spreadsheet as described above, use it as a
worksheet for analyzing and correcting potential vulnerabilities. The spreadsheet lists
"Unknown risk" in the vulnerability assessment column for all rows. You are responsible for
evaluating the risk for each finding and updating the spreadsheet. If you determine that the
at-risk value cannot be altered by an end-user, update the row's risk level to "False
positive" and provide an explanation. Otherwise, set the risk level to "High risk" or "Low
risk," depending on how easy it is to exploit the finding and the impact of a successful
exploit. Depending on your analysis, fix the at-risk vulnerabilities as described in Analyzing security vulnerability search results.