UltraEdit (UE) employs stringent security measures to keep you and your data safe because your chain of software security is only as strong as its weakest link. Even as a native application with relatively fewer risks and vectors of attack, we will always ensure that your text and code editor have been fortified and vetted properly.
We’ve discussed in a previous blog why a tool as unassuming as a text editor also needs to be security-hardened in this day and age. In this blog, you can read on further to find out what tools UltraEdit uses to protect you and your data and what measures it employs to ensure its source code’s integrity.
Our Latest Additions to the UE Development Pipeline
UltraEdit is proud to announce that the source code and third-party components used in its underlying architecture are secured by state-of- the-art static application security testing tools (SAST) and source code analysis (SCA) tools.
UltraEdit recognizes that many individuals and businesses expect to be able to trust our tools with their most important and, often, confidential data. These security integrations represent a significant investment in meeting and exceeding those expectations. Hardening the security of our products to this level exemplifies our unwavering commitment to the integrity and protection of our users’ data and systems.
UltraEdit is primarily secured in three ways:
Why are these tools necessary?
UltraEdit stands alone in a crowded market of IDEs and editing tools when it comes to security. Our commitment to providing tools that not only exceed expectations in terms of functionality but also in terms of safety and security is unparalleled. One of UltraEdit’s priorities and edge over the competition lies in its ability to secure your digital assets by building a robust text editor built with security in mind—not as an afterthought.
The industry-leading third-party tools we use provide ongoing comprehensive analysis and hardening of our codebase and serve as credible verification of the security of our applications. These tools help us identify critical issues and vulnerabilities before they ever ship.
Static application security testing (SAST) via Kiuwan
Kiuwan’s Static Application Security Testing (SAST) tool provides UltraEdit developers with several benefits: detecting security vulnerabilities in source code as they are written, enforcing the team’s coding guidelines, and flagging potential bug-prone elements in the source code.
Software composition analysis (SCA) via Black Duck
Blackduck by Synopsys is a software composition analysis (SCA) tool that UltraEdit uses to detect, manage, and secure its third-party source code components. This is an essential tool especially now that UltraEdit is adding its own plugin ecosystem.
UltraEdit’s Approach to Security: A Blend of Tools and Techniques
UltraEdit follows a three-pronged approach when it comes to security. This process involves internal checks, industry standard practices, and the utilization of software security tools. Each aspect of this approach filters out more surface areas and possible points of vulnerability in the software’s source code.
Read on further to see how UltraEdit uses the latest additions to its toolset to help improve security.
- Manual and Peer Review
The first check comes in the form of manual peer review inside our development and engineering teams. Every edit or source code commit for any of our tools is inspected by a colleague before it is checked into source. Sharing written code also promotes transparency, early error detection, and collaboration, which are all essential for efficient software maintenance.
It’s also the most accessible form of code protection; there’s no reason for a team or a company to not have a standard protocol involving manual peer review.
Keep in mind: Manual code review does have limitations, including the possibility of missing vulnerabilities due to human error or oversight. It’s also not easily scalable—something that might be of concern if you have multiple components or you’re dealing with multi-faceted source code applications.
In essence, though, this two-step manual process detects the most obvious errors and provides an avenue to ensure consistent coding standards. It’s also one of the easiest and most inexpensive options for securing source code; however, it must be augmented with other techniques such as automated testing.
- Static Application Security Testing (SAST) tools.
To address the limitations of manual review, software developers employ automated tools and techniques. Static Application Security Testing (SAST) tools are automatic quality control tools that complement manual code review. By combining manual review with suggestions from SAST tools, the overall security of source code is improved, helping to reduce the number of flaws that may slip into production.
These tools are used to evaluate source code without running or executing it—thus the term static. They examine the program’s structure and syntax to identify potential issues and errors, such as coding mistakes, security vulnerabilities, and performance bottlenecks.
UltraEdit uses a dedicated source code analysis tool (more on this later) to scan source code for possible vulnerabilities. These help detect issues that are laborious to check manually. This filters out common software errors such as obsolete programming techniques, memory leaks, buffer overflows, race conditions – things that can cause crashes or data corruption – and the like. It can even be fine-tuned according to UltraEdit’s own coding guidelines and conventions, which ensures better and faster development.
Keep in mind: While SAST tools cover a lot of ground in terms of curbing software vulnerabilities, it is not a catch-all solution. Because it lacks the ability to recognize context in the runtime environment, it may produce false positives, identifying issues that are not actual vulnerabilities, and false negatives.
They are also often reserved for specific languages—meaning if you add components outside the supported code language, it may miss out on highlighting issues entirely.
But overall, using automated tools greatly reduces development time as they can catch possible flaws early into a development cycle with minimal effort. They are also easy to use and are a great addition to manual peer review.
- Software Composition Analysis (SCA) tools
Similar to how SAST tools augment manual review, software composition analysis (SCA) tools can also cover some of the limitations of SAST tools. SCA tools are primarily used to analyze and manage the open-source elements of applications and software source code.
UltraEdit, like most modern software, has external dependencies. UltraEdit is not open source software but it does use open source components. This is one of the more crucial steps that not every publisher will take. This type of scan cross-verifies each and every line in UE’s open source dependencies with a database of known vulnerabilities maintained by security professionals. This database is continuously updated so that security issues can be detected and mitigated as part of the standard product build pipeline.
Many SCA tools also provide an automated inventory of all open source components within a software package, including those components version numbers. This information is often published publicly via something called a Software Bill of Materials (SBOM), a document that is now required by United States executive order for all federal software procurement.
Keep in mind: To properly work, SCA tools must rely on an up-to-date components database and list of known vulnerabilities. This means that obscure vendors or unpopular open source projects may sometimes take its time before it is identified properly. Developers must still exercise due diligence in choosing and maintaining the components they add to their source code.
However, SCA tools significantly reduce the time and effort required to track the provenance of libraries, plugins, and inherited components in your source code. This makes the SAST-SCA tool combo one of the most comprehensive security solutions available for software development. It vets most of the self-written code.
Threats and vulnerabilities in text editors
Apart from the internal code that a team of developers writes, modern software is also built upon other pre-existing software and code. This makes it cheaper and faster to turn what would be a gargantuan development project into a more reasonable one-month sprint. However, this interdependent network of code also increases the scope of code that has to be secured and verified.
Even in a text editor—a usually unassuming piece of software—malicious actors may exploit security flaws due to the developers’ mistakes or due to inadvertent vulnerabilities embedded in the components of the source code.
- Security threats and vulnerabilities that can be present in a code or text editor include:
- Abuse of Third-Party Plugins: Security risks in popular extensible text editors that allow hackers to abuse plugins and escalate privileges on targeted systems
- Eval Injection: Improper neutralization of directives in dynamically evaluated code, which can lead to the execution of malicious code
- Broken Authentication: When authentication credentials are stolen, malicious actors can hijack user sessions and identities to impersonate the original user.
- SQL Injection: This can allow attackers to steal sensitive data, fake identities, and engage in various other malicious actions.
- Remote Takeover Vulnerabilities: Critical vulnerabilities in open source text editors that could allow attackers to remotely compromise a victim’s server and steal sensitive data
- Developer Negligence: Even without malicious actors, software may still become embedded with vulnerable components with security flaws if it gets published undetected.
Cybercrime takes on many forms: social engineering, network hacks, fraud, espionage, and a lot more. Each product or piece of software’s supply chain should theoretically be as fortified as possible. On the other hand, developer negligence and ignorance may also pose the same risks. Inadvertently using unverified source code and buggy, unreviewed code may bring as much harm as malicious actors.
The demand for extensibility has given birth to editor and IDE plugins—software components created by the open source community to solve each and every possible use case. Editor plugins and extensions provide exceptional flexibility and customizability to tailor to any user’s specific use case. (UltraEdit is adopting a modified version of this model.)
To mitigate these risks, it is important to use a combination of secure code review tools, regular testing during development, and monitoring and tracking repetitive issues. Secure code reviews can help identify and mitigate these vulnerabilities, ultimately strengthening the security of the code and text editors.
Looking forward: What to expect from UltraEdit
This blog post is meant to give you an idea about our approach to security and to share a bit about our two new security tools. There is no completely secure software available, period. But when it comes to security-hardened text editors, you can be sure that UltraEdit is one of the best (and maybe the only) choices available. Moving forward, UltraEdit will continue its endeavor to reinforce its security with the best industry practices.
Do you have specific use cases that need extra attention when it comes to security? The UltraEdit team is always looking for ways to improve the editor and its services. Send us a message detailing your use case, and we’ll make sure to consider it for the next release.
0 Comments