Skip to main content

Snyk Code adds language support for Apex, API, GraphQL security

Escrito por:
Frank Fischer
wordpress-sync/blog-feature-snyk-code-dark

28 de outubro de 2021

0 minutos de leitura

Snyk Code has had a tremendous 2021. It started the year supporting three languages — Java, JavaScript, and TypeScript — and has since added Python, C#, PHP, Ruby, and Go. More languages and features are on the horizon, and in this article, we’re happy to announce the addition of Salesforce’s Apex support, as well as API and GraphQL security. Let’s get into it!

Snyk Code supports Salesforce’s Apex

Snyk Code now supports security scanning for Salesforce’s Apex language. In 2016, Salesforce announced its Lightning Experience as a general framework to build frontends in Salesforce. It uses a model-view-controller (MVC) approach idea with objects in Salesforce acting as the model, the view implemented as markup, and controllers either in JavaScript on the client or in a language called Apex on the server.

wordpress-sync/blog-snyk-code-oct-2021-updates-salesforce

Apex is a proprietary development language used on the Salesforce Force platform. It was developed by Parker Harris — one of the founders of Salesforce — to enable more complex business logic and handling data stored within the Salesforce platform. Apex reflects this task. As an example, as Salesforce is a multi-tenant platform, separating the runtimes of different tenants is a major concern.

Apex shows a close relation to Java and C#, as it is a strongly typed, object-oriented, case-insensitive programming language, following a dot-notation and curly-brackets syntax. In the beginning, Apex was interpreted, but in 2012 a compiler was published. While building such a compiler was not an easy task, as Apex is tightly integrated into the Salesforce platform, it enabled better support of IDEs like Visual Studio Code.

Note: Salesforce’s Apex (Advanced Programming Experience) is not related to Oracle APEX (Oracle Application Express).

With this new support for Apex scans, Snyk Code opens a new chapter in SAST. It is extremely fast — so fast, that it scans directly in your IDE, as well as checks the effect of any fix. On top of that real-time speed, the engine can scan the whole project using the whole knowledge base - no delta, differential or incremental but a full scan.

Snyk Code uses a unique human-guided machine learning process to build and maintain its knowledge base. It is using hundreds of thousands of projects or billions of lines of code as training sets. Learning from the collective knowledge of the global developer community. Using this process enables Snyk Code to build knowledge bases quickly and to maintain an industry-leading accuracy. And as is standard for Snyk, Snyk Code is built with the developer in mind, embedding directly into the development process. IDE plugins, PR checks, priority scores, easy to understand suggestions, examples of how others in the same situation solved the issue at hand, and more.

Note: The relationship between Salesforce and Snyk is a close one. Salesforce is a customer of Snyk, as well as an investor in Snyk. We are very grateful for the trust Salesforce put in us.

We would love to show you Snyk Code scanning Apex or any other of the supported languages like JavaScript, Java, TypeScript, C#, Python, Ruby, Go, or PHP.

API security

APIs are an essential element of the overwhelming majority of applications today. In cloud applications, JSON-based APIs called REST APIs gained popularity as they are very easy to set up and consume. In recent years, further development regarding the REST APIs took place which led to GraphQL. Something that we have to talk about later.

To build or consume APIs, often JavaScript or TypeScript is used and there are a variety of libraries available to build APIs. But with great freedom comes great responsibility. And APIs are no exception. APIs are prone to some specific attacks.

Note: A great source to learn more on API security is the OWASP API Top 10 .

Snyk Code added rules to identify and signal typical API issues. Additionally, a fix suggestion is then overlaid on the original source code with additional help in the form of examples of how others fixed the same issue in a similar situation. Let’s look at an example.

Typically, REST APIs provide access to individual data objects by using a selective URL. For example [Your URL]/api/v1/notes/345 would select the note 345. To find out which elements are available to you, you can call a list service that would provide you with available IDs. If these IDs are now easy to guess and no check of the user or role of the user is done, an attacker could simply send in the request for a specific guessed ID and get the data delivered. This is called an insecure direct object reference (IDOR). Snyk Code provides coverage for this and similar issues, using a completely novel approach for static application security testing (SAST) to sense these types of issues. Not only will it inform the developer about possible issues, but it also helps to remedy those. Sometimes simply setting a flag within the library is the answer.

In summary, OWASP perceives API security as a major area of concern. Snyk Code addresses, with a unique approach, API security and pushes the limits of the SAST industry. And there is more...

GraphQL security

REST APIs saw major development in the past few years. Led by Facebook, a protocol called GraphQL has been developed. The critique on traditional REST APIs is that it takes several calls to the API to gather all data points for an object (first, the list function to gain the instance ID, then maybe several calls to collect all aspects of the instance) while with GraphQL these calls can be stacked into one. This means less overhead.

Snyk Code is the very first in the market to support GraphQL. The Snyk Code team researched possible security issues, added rules, and refined them using the unique human-guided process and open source repositories as training data. Again, Snyk Code took advantage of the knowledge of the global developer community to learn and improve.  A large number of applications using GraphQL are written in JavaScript or TypeScript by using graphql-express, koa-graphql, mercurius, ApolloServer and graphql-js. These are now covered by Snyk Code.

Let me give just two examples of issue types that Snyk Code is able to find within GraphQL. First, a typical default for GraphQL libraries is to allow a rather deep nesting of requests. We are talking of hundreds of thousands of layers deep. In reality, it is seldomly used but leads to the issue that an attacker could query the system using such a deep query, causing the library to use massive amounts of memory and other system resources to generate internal objects dealing with these requests, leading to a resource depletion or even a crash of the system. The result is a denial of service attack. Snyk Code checks if the libraries were configured to truncate requests and therefore prevent these types of attacks.

wordpress-sync/blog-snyk-code-oct-2021-updates-graphql-dos

Secondly, GraphQL allows the API user to query a GraphQL server for information about the underlying schema through the introspection feature. While this might be what is intended for a public facing API, you might not want to disclose this kind of information for an internal API. This prevents attackers from learning the capabilities of API by inspecting it. While this might not prevent someone that has already reached your internal perimeters from hacking, it makes their lives harder and slows them down significantly. In this case, Snyk Code warns you that introspection is enabled and makes you aware to force a deliberate decision.

wordpress-sync/blog-snyk-code-oct-2021-updates-graphql-introspection

Note: OWASP published a GraphQL cheat sheet that lists the mentioned and more possible issues of GraphQL APIs.

These are just two (not too technical) examples. With GraphQL support, Snyk Code leads the industry into formerly uncharted territory. At Snyk, we saw the adoption of GraphQL and wanted to be the right partner providing an embedded developer-friendly security right from the start. Snyk Code provided us with a versatile and fast platform to lead the industry in supporting CodeQL.

Wrapping up

To recap, here is the list of announcements relating Snyk Code:

  • Support for Salesforce’s Apex

  • Support for REST API security

  • Support for GraphQL security

These are major additions to the Snyk Code engine and as we are working closely with our customers to build a solution that fits your needs, we would love to show what Snyk Code and the other elements of the Snyk platform can do for you. Take half an hour of your busy schedule and book a demo to experience the live product and get all your question answered.