Security assessment in software development generally refers to a process in which a security expert tests the developed product for security vulnerabilities.
Common challenges in security assessment are as follows:
- Limited time – Development cannot proceed while the code is under security assessment.
- Limited security policies – Risks such as source code leakage exist.
- Limited budget – Hiring security experts costs a significant amount of money.
- Limited knowledge – In-depth security knowledge is required to understand the result of the analysis.
Luniverse Security Assessment is a safe and convenient service that addresses all the problems described above. It provides a quick security assessment whenever developers want one and offers an encryption feature to prevent leakage of the source code. In addition, Luniverse offers the service at a significantly more reasonable price than typical security assessment services, which require human resources. Luniverse also provides patch files so that developers can easily fix the identified vulnerabilities even without security knowledge.
- Click [Security Assessment] on the menu at the top of Luniverse Console.
- Click [Assessment List] on the left to go to the Assessment List page.
- Click [Create Assessment] in the upper right corner to go to the Create Assessment screen.
- Security Assessment provides three tabs, which you use depending on the type of input you submit for assessment.
4-1. Paste Code: Enter the source code directly for Security Assessment.
4-2. Upload Project: Upload a Solidity source file. (One or more files can be uploaded.)
4-3. Upload Hashed Project: Upload encrypted source code.
Download the encryption program to upload Solidity source code in the hashed project format.
- Download and install the program for your operating system (Mac/Windows 32-bit/Windows 64-bit).
- Use the encryption program to compress the smart contract files.
- Click [Click to select upload .aegis file] to upload the compressed file.
- Click [Submit] to run Security Assessment.
Learn more about how to install the Luniverse Atom IDE plug-in in Developing Smart Contracts Using Atom IDE.
- Click [Create Audit] in the context menu displayed when you right-click in the Atom editor.
- When Security Assessment is done, the result is displayed. The result shows the security level and lists the vulnerabilities at the levels “Critical,” “High,” “Medium,” “Low,” and “Notes.”
- Click [Detail Report] to go to Luniverse Console and see the detailed report.
- The reports of Security Assessment that have been carried out so far are listed in the Assessment List screen.
- Click [Report] on the item whose security assessment report you wish to see to go to the report screen.
- The report screen shows the list of assessed files, the security level of the contract, and the list of vulnerabilities found in the files together with their severity levels.
- Select any file with vulnerabilities to see details.
(1) Issue Type: Shows the CWE number of the identified vulnerability. Click the number to go to the CWE Details page.
(2) Top 3 Vulnerabilities: Shows the top 3 vulnerabilities found in the file, which are listed in order of severity.
(3) Security Level: Indicates the security level of the contract on the right of the screen.
(4) Vulnerability List: The vulnerabilities found in the file are listed under Security Level. Click a vulnerability in the list to see its details in the Description section.
(5) Description: Shows the details of the selected vulnerability.
- On the [Create Assessment] page, click [Upload Hashed Project] and download the encryption program [for Mac]. The downloaded file is saved as “sooho.pkg.”
- Click "sooho.pkg" to install the program.
- Open Terminal on the Mac and run the sooho command. Running it with no arguments prints a summary of the available commands:
```
$ sooho
CLI tool to interact with SOOHO

VERSION
  @sooho/cli/0.3.3 darwin-x64 node-v10.12.0

USAGE
  $ sooho [COMMAND]

COMMANDS
  audit    Audit smart contract
  encrypt  Encrypt source code into hash file
  help     display help for sooho
  update   update the sooho CLI
```
- Go to the directory containing the smart contract file and check the file list.
```
$ ls
MintableNonFungibleToken.sol  contracts
$ ls contracts/
Augur.sol       IControlled.sol            factories          reporting
Controlled.sol  IController.sol            legacy_reputation  trading
Controller.sol  LegacyReputationToken.sol  libraries
```
- Create a file named “MintableNonFungibleToken.aegis” by running the command shown below.
```
$ sooho encrypt MintableNonFungibleToken.sol -a -s
✔ Parse files
✔ MintableNonFungibleToken.aegis has been created
```
- To encrypt an entire directory, pass the directory name as the path; the output file is named after the directory.
```
$ sooho encrypt contracts -a -s
✔ Parse files
✔ contracts.aegis has been created
```
- Upload the encrypted file from Luniverse Console.
- For more information about how to upload an encrypted file from the console, refer to [Using Security Assessment in Luniverse Console] at the top of this page.
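The encryption steps above can be wrapped in a small preflight script that refuses to run on input without Solidity sources, invokes the CLI with the same `-a -s` flags shown on this page, and confirms the `.aegis` file exists before anything is uploaded. This is an added example, not part of the Luniverse or SOOHO documentation; it assumes the CLI writes its output into the current directory, as the sessions above show, and the `SOOHO_BIN` variable is an assumption that lets you point the wrapper at a specific binary.

```shell
#!/bin/sh
# Added example (not from the Luniverse/SOOHO docs): preflight wrapper around
# "sooho encrypt" so that only a verified .aegis artifact reaches the upload step.
# Assumption: the CLI writes X.sol -> X.aegis and dir -> dir.aegis into the cwd.

SOOHO_BIN="${SOOHO_BIN:-sooho}"   # assumed override; defaults to sooho on PATH

# encrypt_for_upload <file.sol|directory>
# Prints the .aegis path and returns 0 on success; non-zero on any problem.
encrypt_for_upload() {
    target="$1"
    [ -n "$target" ] || { echo "usage: encrypt_for_upload <file.sol|directory>" >&2; return 2; }

    # Refuse input that contains no Solidity source (wrong path, wrong file type).
    if [ -d "$target" ]; then
        if ! find "$target" -name '*.sol' -type f | grep -q .; then
            echo "no .sol files under $target" >&2; return 3
        fi
    elif [ ! -f "$target" ]; then
        echo "$target does not exist" >&2; return 3
    else
        case "$target" in
            *.sol) ;;
            *) echo "$target is not a .sol file" >&2; return 3 ;;
        esac
    fi

    # Fail clearly when the CLI from sooho.pkg is not installed.
    command -v "$SOOHO_BIN" >/dev/null 2>&1 || { echo "sooho CLI not installed" >&2; return 127; }

    # Derive the expected output name: MintableNonFungibleToken.sol -> ...Token.aegis,
    # contracts -> contracts.aegis (see the sessions on this page).
    base=$(basename "$target")
    out="${base%.sol}.aegis"

    "$SOOHO_BIN" encrypt "$target" -a -s || { echo "encrypt failed for $target" >&2; return 4; }

    # Only a non-empty .aegis file should be uploaded to the console.
    [ -s "$out" ] || { echo "expected $out was not created" >&2; return 5; }
    echo "$out"
}
```

Run it as `encrypt_for_upload contracts` from the project directory; a non-zero exit means nothing should be uploaded yet.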