
Introducing Design Static Application Security Testing (DSAST) with Devici Code Genius

Discover Design SAST by Devici Code Genius: a tool that generates threat models from existing code, improving security and cutting development rework.

Written by: Chris Romeo
Tue, May 28 2024

During a recent Devici Advisory Board meeting, we discussed Code Genius, our tool that scans existing code and generates a threat model. As we pondered what to call this new type of application security scanning technology, a comment from Izar Tarandach sparked a new concept: DSAST, Design Static Application Security Testing.

DSAST borrows the SAST principle of scanning source code line by line for security and privacy issues, but goes further: it extracts design information from the application's core. We scan specific code and collect additional insights from the application, its framework, and its database usage.

Why Aren’t We Threat Modeling Everything?

Historically, threat modeling has been an activity we prescribe as early as possible in the product or application life cycle. The goal is to identify security and privacy challenges early, allowing developers, architects, and product people to design those problems out before any code is written. Studies show that organizations can realize millions in returns by reducing rework: up to $22M for small organizations and $114M for large enterprises.

As an industry, we have recommended threat modeling early and often, but almost nobody delivered. The bulk of code in production today has never been threat modeled. Think about how much risk that translates to: those designs were never evaluated for security and privacy.

Why? The current tools and resources haven’t provided a programmatic, scalable solution. Threat modeling can be time-consuming, suffer from knowledge gaps, and become outdated quickly. For most organizations, the results don't justify the time investment, and security leadership can’t get buy-in from the development teams.

Our mission is to change this.

Define a New Category

While discussing Code Genius, Izar coined the term Design SAST, which resonated with us. We're using SAST capabilities to scan source code, not to identify individual code-level issues, but to extract a high-level design and convert it into a data flow diagram for threat modeling. Capturing the application design this way and identifying threats from it saves valuable rework time, which ultimately lets dev teams spend more of their time building new features.

This is particularly beneficial for pre-existing code. Code Genius analyzes the code's architecture, identifies design weaknesses, and generates a comprehensive list of potential threats, so teams can address issues across the entire product with a complete understanding of the situation.

I know. We’re creating another new category. Do we need another AppSec tooling category? In this case, yes, we do. Because Devici Code Genius is doing something that has never been done before. Applying this technology will save time in the threat modeling process and break down barriers with developers who claim threat modeling is too complicated or takes too long. With Devici Code Genius, threat modeling is simple, quick, AND actionable.

Code Genius – Unprecedented Threat Model Automation

Code Genius scans existing code at the function, file, or repository level and generates a multi-faceted threat model. Using a configuration file, you can define and describe how to segment the model into more usable pieces. Because the scan targets the application's design rather than individual defects, we call it Design SAST.

Code Genius then leverages the Devici Codex to auto-assign attributes based on its code analysis. These attributes guide our recommendations for relevant threats and mitigations. When you open a model generated by Code Genius, you'll find a collection of potential threats and mitigations to consider.
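As an added illustration of what a design-level scan extracts (example code written for this page, not Code Genius or any Devici implementation), the JavaScript below walks a constructed Express-style source file, builds data-flow-diagram elements and flows from the route declarations, `.query(` calls and `fetch(` calls it finds, and then drafts STRIDE-style threat candidates per flow, the kind of scaffolding the two paragraphs above describe being generated for a human to refine. The application shape, the regex patterns, the element naming, the trust-boundary rule and the threat rules are all assumptions made here for the example; a real tool would walk an AST rather than match regexes.

```javascript
// Added illustration, not Devici's code: a toy "Design SAST" pass that reads
// JavaScript source and extracts a data-flow-diagram (DFD) skeleton instead of
// line-level findings. Assumptions (not from the post): an Express-style app
// declaring routes with app.<verb>(path, handler), SQL access through
// something.query(sqlString, ...), and outbound HTTP through fetch(url, ...).
// Pattern matching is regex-based for brevity; a real tool would walk an AST.

const SAMPLE_SOURCE = `
const express = require('express');
const app = express();

app.get('/orders/:id', async (req, res) => {
  const rows = await db.query('SELECT * FROM orders WHERE id = $1', [req.params.id]);
  res.json(rows);
});

app.post('/checkout', async (req, res) => {
  const charge = await fetch('https://api.payments.example/charge', {
    method: 'POST', body: JSON.stringify(req.body),
  });
  await db.query('INSERT INTO payments (order_id, status) VALUES ($1, $2)',
                 [req.body.orderId, charge.status]);
  res.sendStatus(201);
});
`; // constructed sample source, not taken from any real repository

const ROUTE_RE = /app\.(get|post|put|patch|delete)\(\s*['"`]([^'"`]+)['"`]/g;
const QUERY_RE = /\.query\(\s*['"`]\s*([A-Za-z]+)/g; // captures the SQL verb
const FETCH_RE = /fetch\(\s*['"`]([^'"`]+)['"`]/g;  // captures the URL

// Build DFD elements (process, external entities, data stores) and flows.
function extractDesign(source, appName = 'service') {
  const elements = new Map();
  const flows = [];
  const element = (id, kind, name) => {
    if (!elements.has(id)) elements.set(id, { id, kind, name });
    return id;
  };
  const proc = element(`process:${appName}`, 'process', appName);
  const client = element('external:client', 'external_entity', 'HTTP client');

  // Cut the file into one segment per route so each flow is attributed to its entry point.
  const routes = [...source.matchAll(ROUTE_RE)];
  routes.forEach((m, i) => {
    const entry = `${m[1].toUpperCase()} ${m[2]}`;
    const body = source.slice(m.index, i + 1 < routes.length ? routes[i + 1].index : undefined);
    // An inbound request from an untrusted client crosses the Internet trust boundary.
    flows.push({ from: client, to: proc, via: entry, crossesBoundary: true });

    for (const q of body.matchAll(QUERY_RE)) {
      const store = element('store:sql', 'data_store', 'SQL database');
      const write = q[1].toUpperCase() !== 'SELECT';
      flows.push({ from: write ? proc : store, to: write ? store : proc,
                   via: entry, crossesBoundary: false, op: write ? 'write' : 'read' });
    }
    for (const f of body.matchAll(FETCH_RE)) {
      const host = new URL(f[1]).host;
      const ext = element(`external:${host}`, 'external_entity', host);
      flows.push({ from: proc, to: ext, via: entry, crossesBoundary: true });
    }
  });
  return { elements: [...elements.values()], flows };
}

// Draft STRIDE-style threat candidates per flow from the extracted attributes.
// This is scaffolding for a human to refine, not a finished threat model.
function draftThreats({ elements, flows }) {
  const kindOf = Object.fromEntries(elements.map(e => [e.id, e.kind]));
  const threats = [];
  for (const f of flows) {
    const ctx = `${f.from} -> ${f.to} (${f.via})`;
    if (kindOf[f.from] === 'external_entity') {
      threats.push({ flow: ctx, category: 'Spoofing', note: 'authenticate the caller' });
      threats.push({ flow: ctx, category: 'Tampering', note: 'validate request input' });
      threats.push({ flow: ctx, category: 'Denial of service', note: 'rate-limit the endpoint' });
    } else if (kindOf[f.to] === 'external_entity') {
      threats.push({ flow: ctx, category: 'Spoofing', note: 'verify the TLS identity of the remote' });
      threats.push({ flow: ctx, category: 'Information disclosure', note: 'minimise data sent out' });
    } else if (f.op === 'write') {
      threats.push({ flow: ctx, category: 'Tampering', note: 'parameterise and authorise writes' });
    } else if (f.op === 'read') {
      threats.push({ flow: ctx, category: 'Information disclosure', note: 'authorise reads per record' });
    }
  }
  return threats;
}

const sampleDesign = extractDesign(SAMPLE_SOURCE, 'orders-api');
console.log(JSON.stringify({ design: sampleDesign, threats: draftThreats(sampleDesign) }, null, 2));
```

Run it with node to print the extracted design and the draft threats. The point of the example is the shift described above: the analysis never flags a line of code; it records which flows cross a trust boundary and which touch a data store, and leaves the judgement about each candidate threat to the engineer reviewing the draft.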

While automation handles the heavy lifting, human expertise remains integral. Devici creates the scaffolding, enabling engineers, architects, and designers to refine and enhance the threat model. We give you the framework and a draft, so you spend time refining, not building.

Code Genius works in two modes: a local command and a repository integration. In local command mode, developers create threat models from their own machines as they build new features. In repository mode, a threat model is generated automatically on every commit to the repository. Imagine a step integrated into your source code check-in (for example, a GitHub Action) that generates a threat model for review alongside the code review.

We launched Code Genius with support for JavaScript and TypeScript, and we'll soon add support for additional languages. Given its complexity and lack of a mandatory code structure, starting with JavaScript let us tackle the most challenging language first. That foundational work will carry over to other languages.

Security First

As a security-first platform, we understand concerns about the confidentiality of your code. Devici Code Genius ensures that your code never leaves your control: it stays on your machine or within your source code control system. We do not, and will never, send your code outside your control.

With Devici Code Genius, threat modeling is no longer daunting. It's simple, quick, and actionable, paving the way for more secure and private solutions, whether on your developer’s local machine or embedded within your code repository. Code Genius is the future of secure and private by design and default.
