What’s Changing?

The upcoming release introduces modifications to the risk levels across multiple functions, impacting HR Managers, Tech Managers, Security Managers, and investors alike. Here’s a breakdown of the key updates:

Risk Level Adjustments

In Codenteam 1.5, you’ll see a recalibration of certain risk levels across both static and dynamic code analysis. These changes ensure that risk assessments are more accurate and actionable:

1. Injection Detection Confidence Lowered for Static Code Analysis
   Some injection detection scenarios in static code analysis have had their confidence ratings reduced to medium. While this might suggest that these injections are less likely to be exploited, the overall risk level remains critical or high to emphasize the potential danger if not addressed.
2. New Detection Capabilities for Dynamic Application Testing
   We’re enhancing dynamic testing by introducing the ability to detect DOM-based Cross-Site Scripting (XSS) vulnerabilities in Active Scanning Mode. This upgrade is particularly useful in external due diligence processes, helping to identify client-side security issues that previously went unnoticed.

Critical Code Ownership Risks

Ownership of code has emerged as a critical factor in security management, especially when linked to ex-employees or singular developers. The following risks have been updated in Codenteam 1.5:

• Ex-Employee Code Ownership of More Than 50% (Company Level): This scenario is now classified as a critical risk. A company whose codebase is still majority-owned by ex-employees may face significant operational and security vulnerabilities.
• Ex-Employee Code Ownership of More Than 50% (Team Level): This represents a high risk. The knowledge gap and potential access threats pose considerable challenges for teams.
• Single-Developer Ownership of Company Code: If a single developer controls most of the company’s code, it is now considered a high risk. A similar risk applies to teams where code ownership is heavily concentrated with one person.
• Module Ownership by Ex-Employees: Any module still owned or managed by ex-employees is flagged as a critical risk, given the potential for lingering access or knowledge gaps.
• Module Ownership by a Single Developer: This risk is now rated high, as the absence of distributed ownership can lead to operational bottlenecks and possible security threats.
• Modules with No Clear Ownership: If no specific person or team is accountable for a module, it is assigned a medium risk rating. While not as severe as other scenarios, this presents a governance issue that could evolve into more serious risks.

Specific Changes Impacting Due Diligence, Internal, and External Runs

• Due Diligence Module (Investors Hub): Investors and stakeholders can now gain more comprehensive insight into the codebase with enhanced injection detection for DOM XSS. This will significantly improve the accuracy of external audits and due diligence.
• External and Internal Runs: The adjustments to injection detection confidence levels and the introduction of DOM XSS detection give both internal security teams and external auditors better visibility into potential risks in the codebase.

New Tools for HR Managers

One exciting new feature for HR Managers in Codenteam 1.5 is the ability to access static code analysis results for candidates during the screening process. This change allows HR teams to assess a candidate’s code quality and security hygiene as part of their recruitment workflow, providing an extra layer of insight before extending an offer.

Preparing for Codenteam 1.5

These updates bring improvements across the board—from better injection detection and DOM XSS scanning to more nuanced risk classification around code ownership. Make sure to review your internal and external risk management processes to take full advantage of the new capabilities in Codenteam 1.5.

Stay tuned for the official release, and be ready to integrate these powerful tools and insights into your workflows!

Codenteam 1.5 – Empowering Teams with Actionable Risk Intelligence

The post Changes in Risk Levels: What to Expect in Codenteam 1.5 appeared first on Codenteam.