SonarQube Server


LTA IS MORE SECURE

Delivering secure code isn’t enough; you also need to deliver code securely

Delivering perfect code doesn’t mean much if it comes from a compromised pipeline. Securing your DevOps infrastructure is nearly as important as the code itself.

LTA 8.9

Securing your instance

We don’t care only about the security of your code; we also care about the security of your SonarQube environment. From SonarQube 8.9 LTA, operating SonarQube is more secure than ever, with simple but effective new safeguards.

LTS 8.9

Administrators

Forces administrators to change the default SonarQube admin credentials – to make adherence to best practices routine.

Authenticated access

Authenticated access as the default – to help you keep private code private.

Limited plugin access

Limited plugin access to core functionality and restricted library loading – to prevent 3rd-party plugins from tampering with your installation.

Additional controls

Additional controls in the plugin Marketplace (as a gentle reminder that you use community plugins at your own risk) – to stay mindful about the risks you accept.

Cure53

A pen-tested, secure part of your pipeline

A routine part of delivery is periodic penetration testing. In addition to hardening SonarQube itself, we’ve also hardened our own build pipeline so you can be sure we’re delivering SonarQube to you securely. You can read more about what our penetration tester, Cure53, had to say about SonarQube 9.8 and 9.9 LTA.


In Cure53’s expert opinion, this project confirmed a very solid security premise at SonarSource… [SonarQube Server] is currently well protected against a broad number of web application attack vectors.


One can argue that the outcome highlights the development team’s commitment to maintaining security features with due diligence and adherence to best practices. Despite extensive deep-dives and exemplary coverage toward a plethora of application features by the Cure53 testers, no serious issues were detected.

Penetration Testing @ Cure53
