Four Ways to Harden Your Code Against Security Vulnerabilities and Weaknesses

The specter of security vulnerabilities is a constant concern in today’s digital landscape. They’re the hidden pitfalls that can undermine even the most meticulously crafted code. But what if you could turn the tables on these threats? There’s a way to harden your code to stand tall against these attacks without developers having to become cybersecurity experts themselves.

This article provides an overview of the four ways you can fortify your code against some of the toughest application security problems—even the OWASP Top 10—using automated code refactoring, remediation, and analysis recipes available from the open source OpenRewrite ecosystem.

#1: Code analysis to find exposed secrets and API insecurities

Too often, an organization’s codebase is a black box. (Not something a security pro wants to hear!) It’s hard to visualize and understand all the intricate dependent relationships of code managed through a growing assortment of application programming interfaces (APIs).

It’s important to have a detailed view of all direct and transitive dependencies across a codebase, enabling users to extract rich, meaningful insights that help improve application security. Examples of the type of data you can retrieve include:

• Find API endpoints — Identify all the API endpoints that an application exposes to more readily analyze impact and risk.
• Find sensitive API endpoints — Find data models exposed by REST APIs that contain sensitive information like PII and secrets.
• Find secrets — Locate secrets that are stored in plain text in code for a large assortment of tools and technology. This includes data used to authenticate, authorize, or encrypt communication between various components of an application or between the application and external services.

#2: Static Application Security Testing (SAST) with automated source code fixes 

Static code analysis is critical to a comprehensive application security practice. It enables you to build more secure source code by identifying security weaknesses and compliance issues early in the development process, as well as to continually improve your security posture.

OpenRewrite recipes provide robust static code analysis and take SAST to another level by also fixing security weaknesses in the source code your team develops. It’s like having a security expert for developers who not only discovers issues and shares security knowledge but also automates the manual work of fixing them. Developers only have to review and accept the changes.

It’s important to use both control flow and data flow analysis when you are assessing code for both insecure operational order performance, as well as looking for issues by understanding how data values propagate through a program (great for finding injection and encoding problems).

Examples of auto-remediation that are important to address include:

• Common static analysis issues — Find and resolve the common static analysis issues that are typically reported by traditional SAST tools. It’s essential to have a consistent code style to make code easier for everyone on the team to read. Engineers naturally pick up and internalize best practices when followed ubiquitously, making good code easier for everyone on the team to write. Teams will benefit from fewer operational disruptions from bugs and increases in performance.
• Remediate vulnerabilities from the OWASP Top 10 — Identify and remediate vulnerabilities found in the OWASP Top Ten list, such as broken access control, cryptographic failures, and security misconfigurations.
• Partial path traversal vulnerability — Fix the code to prevent a common directory traversal attack.
• Zip slip—Find and fix the Zip Slip vulnerabilities in your codebase. Zip slip is a specific form of directory traversal whereby an attacker can overwrite executable files, invoke them remotely (or wait for the system or user to call them), and achieve remote command execution on the victim’s machine.
• Enable CSRF attack prevention — Guard against Cross-Site Request Forgery (CSRF) attacks, a type of attack that occurs when a malicious website, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated.

#3: Software composition analysis with automated dependency upgrades

Third-party and open-source dependencies, which change and evolve at their own pace, create a larger attack surface for teams to manage. Software vulnerabilities can be introduced by anyone at any time, and vulnerabilities can be dormant until they are exploited. That’s why software composition analysis (SCA) is vital to managing the security of today’s complex, assembled codebases—to more proactively manage security concerns from open-source and third-party components.

It’s possible to accelerate third-party code security through comprehensive visibility into dependencies—direct and transitive—across your entire codebase. Teams can then take steps to mitigate risks when armed with SCA capabilities, such as updating vulnerable dependencies, replacing components with more secure alternatives, or ensuring that licensing requirements are met. Here are a few examples of best practices:

#4: Automated migration of third-party software to eliminate known vulnerabilities

While some vulnerabilities can be closed by upgrading dependency versions with available patches, all too often resolving a security vulnerability requires changes to the application’s source code. Some fixes are straightforward, like changing an API signature. Others are more complex, involving multiple major lifts and requiring the expertise of migration engineers.

Code migration work is labor-intensive, chaotic, and clerical. It typically involves migrating not just one framework but a collection of cascading dependencies that must also be updated across the codebase. Examples of automating code migrations include:

• Migrate to Spring Boot 3.3 — Modify an application’s build files, make changes to deprecated/preferred APIs, and migrate configuration settings that have changed between versions (plus additional framework migrations).
• Migrate to Java 21 — Upgrade to Java 21 by updating and/or adding dependencies, replacing deprecated APIs, updating build files and plugins, etc.
• Migrate from Log4j to SLF4J — Migrate usage of Apache Log4j to use Simple Logging Facade for Java (SLF4J) directly to eliminate the potential for exposure.
• Marshaling (e.g., SnakeYAML constructor, Jackson default typing): Configure common serialization libraries to prevent the deserialization of maliciously crafted data, preventing the execution of hidden malicious code.

The journey to harden your code against security vulnerabilities involves balancing the urgency of fixing issues with the continuous delivery of business value. Security scans often interrupt the developer’s workflow, highlighting vulnerabilities that must be rapidly resolved to prevent deployment blocks. This remediation work, while critical, can divert resources from other valuable projects. That’s why automation—and tools like the open source OpenRewrite project that automate code refactoring—are critical for analyzing and addressing security vulnerabilities quickly.

The ultimate goal is to ensure that application security improvements and business objectives advance harmoniously, creating a resilient and productive development environment. How is your organization balancing these demands?

About the Author

Olga Kundzich, CTO & Co-Founder of Moderne, has extensive experience building enterprise software solutions. Previously, she worked as a technical product manager at Pivotal focused on application delivery and management solutions (e.g., Spinnaker). She was also a lead software engineer and manager at Dell EMC, working closely with enterprise users on implementing data protection practices. Olga is a co-author of “Automated Code Remediation: How to Refactor and Secure the Modern Software Supply Chain” (O’Reilly).

Olga can be reached online at [email protected] and at our company website https://www.moderne.ai/