We would like to share with you a new and exciting CxSAST capability: Security Content Packs.
...
CP.8.9.0.60123 | 8.9.0 | 17 April 2020 | This Content Pack (CP) includes improvements for reducing the amount of false positive results. The following improvements were made for C# queries: - Improve sinks on Code Injection with script and async APIs
- Improve Connection String Injection sanitizers to remove static strings
- Improve Deserialization of untrusted data sinks to include binary formatters and serialization binders
- Improve Resource Injection sanitizers to consider string sanitization methods, encodings and white list validation
- Improve Stored XSS sanitizers
- Improve XPath Injection and Stored XPath Injection sanitizers
- Improve Stored Code Injection sanitizers with Compiler Options Output Assembly
- Improve DB Parameter Tampering sanitizers with authorization validations
- Improve DOS By Sleep sanitizers when using properly configured SpinWait and ThreadSleep APIs
- Improve Hardcoded Password in connection string inputs when using variables containing static strings
- Improve Heap Inspection to avoid bad results on page views controls
- Improve SQL Injection Evasion Attack sanitizers extending with more decoding APIs
- Improve Trust Boundary Violation sanitizers with numeric types and sinks with session saves
- Improve Use of Hardcoded Cryptographic Key sanitizers to avoid OUID and consider decrypted values as safe
- Improve Missing HSTS Header to support further time span APIs when using bad configuration
- Improve ASP MVC controller support
- Improve ASP MVC/Razor XSRF token support
- Improve general sanitization when using whitelist mappings and numeric APIs
- Improve Entity Framework APIs support
- Improve Database support for async APIs
- Improve Database LINQ supported APIs
- Improve Salesforce Database supported APIs
- Improve support for Safe hashing algorithms
- Improve Deserialization of untrusted data
- Rewrite Unsafe Object Binding with improved sources and sinks
It is also included an expanded version of the Checkmarx Express containing 38 C# queries:
List of queries included in the Checkmarx Express Preset This content pack includes all the improvements made for C# High Risk queries and some C# Medium threat queries. The content pack uses a new numbering convention which will ease the readability of the version.
Looking into accuracy improvement, there are some queries that can have differences in the results after the installation of the content pack. Click here to see the list of queries improved by the content pack The changes were done over several queries to provide the improvements. Click here to see the list of queries changed by the content pack In this Ruleset Content Pack the following improvements were done for the C# language: - At High Risk queries the accuracy on Checkmarx Express Preset is improved by 39%
- At Medium Threat queries the accuracy on Checkmarx Express preset is improved by 2%
|
...