How to Use CodeWhisperer to Identify Issues and Use Suggestions to Improve Code Security in your IDE

Sidra Saleem - Jan 17 - Dev Community

It is common for beginner developers to start writing code without thinking about anything else, and the habit persists when there is no guidance from experienced people. A fellow developer described exactly this: he used to code blindly, without taking security into consideration. Over time he learned the advantages of addressing security at the start of a project; it saves a lot of time and significantly reduces frustration.

Considering security in the early development phases goes by the name DevSecOps. AWS applies this approach to identify and fix security issues at an early stage of development. Rather than spending heavily on security fixes and rework later, it is better to address the crucial security issues at the very start.

Importance of CodeWhisperer

CodeWhisperer always comes up when we talk about coding in our IDEs. It has scanning capabilities that identify security issues while we code.

The most important features that CodeWhisperer has to offer are as follows:

  • Providing Suggestions

Whenever you code within your IDE, CodeWhisperer offers refactoring suggestions that improve the security of the code and help you avoid last-minute panic when your code changes.

  • Increasing Productivity

CodeWhisperer understands comments written in plain English and uses them to generate real-time code suggestions, which increases developer productivity. This is made possible by large language models (LLMs) trained on available code, from which potential security vulnerabilities were identified and removed during training.

AWS Toolkit for JetBrains

Security scans are available in the JetBrains IDEs, and in VS Code as well, for Python, Java, JavaScript and TypeScript. AWS CodeGuru Security is another security tool that relies on the same detection engine. The Detector Library is an important component of that engine: it explains why CodeWhisperer highlighted your code and whether action needs to be taken. Relationships and paths through the code are understood with the help of a machine learning model that uses neural networks and regression.

Installing AWS Toolkit for JetBrains

To install the AWS Toolkit for JetBrains, first install PyCharm and then configure it to use the AWS Toolkit. You will also need an AWS Builder ID to authenticate the extension with AWS. With that in place, once you type code that uses a weak hashing algorithm into PyCharm, CodeWhisperer will label it as a weak hashing algorithm and start suggesting improvements to the code's security.

Prerequisites Needed

For a hurdle-free procedure, it is recommended to have the following prerequisites installed.

  • PyCharm
  • Python (version 3.10 or later)
  • Pip3

Step-by-Step Procedure

Step-by-step guidance makes installing the AWS Toolkit for JetBrains easier to follow. In a nutshell, the procedure is: install the latest version of the AWS Toolkit, create a new project in PyCharm, sign up for an AWS Builder ID, and authenticate the toolkit with AWS using that ID. If you don't have an AWS Builder ID, you can use AWS IAM Identity Center or plain AWS IAM credentials instead.

Installing AWS Toolkit Plugin

  • Install PyCharm (Community Edition preferred)
  • Choose the Plugins option in the left pane
  • Search for AWS Toolkit in the search box
  • Select it and click Install

Creating a new PyCharm Project

  • Open the PyCharm IDE
  • Go to the menu bar and choose File
  • Select New Project and then Create

Authenticating CodeWhisperer with AWS

  • Now that you have created the project, find the AWS icon in the left pane and click it
  • Choose the Developer Tools tab
  • Under the CodeWhisperer option, select Sign in to get started
  • Choose Connect and you will be given a code
  • Select Proceed to Browser and you will be redirected there
  • If the code matches, select Confirm and Continue
  • Enter your email address, or select Already have AWS Builder ID if you have one
  • After providing your email, provide your name and proceed
  • You will receive a verification code at the email address you provided. Copy the code, paste it into the field provided and select Verify
  • After successful verification, create a password for your account
  • Choose Create AWS Builder ID
  • You will be directed to a page asking "Allow AWS Toolkit for JetBrains to access your data?"; choose Allow
  • To confirm the authentication, select the AWS icon in the left pane of PyCharm. The AWS Toolkit window should display "Connected with AWS Builder ID"

Using CodeWhisperer Security Scans to Identify a Weak Hashing Algorithm

We will intentionally use a weak hashing algorithm, SHA-224, because CodeWhisperer considers it weak. Instead of the recommended algorithm, we deliberately prefer the weaker one.

Creating a New File in PyCharm Project

  • First, create a new file in the project you created earlier
  • Name the file app.py
  • Copy the following code snippet into the newly created file (app.py)
    import hashlib
    import os

    # Random salt; 8 bytes is the value used in the post's snippet.
    salt = os.urandom(8)
    password = 'secret'.encode()

    # Noncompliant: potentially weak algorithm used. SHA-224 is a truncated
    # digest, and this is the line CodeWhisperer is expected to flag.
    derivedkey = hashlib.pbkdf2_hmac('sha224', password, salt, 100000)

    print(derivedkey.hex())

Initiating a Security Scan

  • In the AWS Toolkit pane, just under the Developer Tools tab, click the Run button
  • This opens the CodeWhisperer Security Issues tab, confirming that the scan was started successfully

Interpreting the CodeWhisperer Results

  • After a successful security scan, CodeWhisperer highlights the particular line of code where it found an issue
  • Hover over the highlighted line to read its description
  • In this case, the description says that the hashing algorithm used is weak

Now that you know there is an issue, how do you decide whether to act on it? For this you use the Detector Library, which complements CodeWhisperer's scanning capabilities and gives you additional information.

In this case the additional information is that SHA-224 has a truncated output, which makes it an easier target for collision attacks. If you are not familiar with collision attacks, allow me to explain: a collision attack is a way to find two different inputs that produce the same hash.
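To see why the length of the output matters, here is an added example (my code, not part of the original post). It truncates SHA-256 to a small number of bits and hashes constructed messages until two distinct ones share the same truncated digest; the message format and the bit sizes are assumptions made for the demonstration. The number of hashes needed grows roughly as 2^(bits/2), so every bit removed from the output shrinks the collision-resistance margin. At SHA-224's full width that margin (about 2^112 operations) is still far out of reach; the toy sizes here are what make the search finish instantly.

```python
import hashlib


def truncated_digest(data: bytes, bits: int) -> int:
    """Return the first `bits` bits of SHA-256(data) as an integer.

    This models a hash whose output has been shortened. SHA-224 itself is
    SHA-256 with different initial values and the output cut to 224 bits.
    """
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, max_trials: int = 1_000_000):
    """Birthday search over constructed messages 'demo-0', 'demo-1', ...

    Stops at the first pair of distinct messages whose truncated digests
    match and returns (msg_a, msg_b, trials), or None if max_trials is
    exhausted. The expected number of trials is on the order of 2**(bits/2).
    """
    seen = {}  # truncated digest -> first message that produced it
    for i in range(max_trials):
        msg = f"demo-{i}".encode()  # constructed input, not real data
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg
    return None


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, trials = find_collision(bits)
        print(f"{bits}-bit output: {a!r} and {b!r} collide after "
              f"{trials} hashes (2**({bits}/2) = {2 ** (bits // 2)})")
```

Run it and compare the trial counts with 2^(bits/2) for each width; the point is not the specific pair found but how quickly the cost falls as the output is shortened.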

CodeWhisperer Suggestions

  • CodeWhisperer suggestions include both code and function completion. The suggestions are real-time, meaning they are generated automatically as you type. Because the LLM is trained on vast amounts of data, the suggestions may differ each time you type the code, and it is up to you to pick the one that looks right.
  • CodeWhisperer also gives you the option to replace the entire algorithm. You just delete the arguments from the function call, and the CodeWhisperer suggestion will propose replacing the previous algorithm with a new one.
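What an accepted replacement should look like once you have checked it, as an added example (my code, not the post's snippet and not a CodeWhisperer suggestion). It keeps PBKDF2 but switches from the flagged SHA-224 to SHA-256, uses a 16-byte salt and a higher iteration count, stores the parameters alongside the key so they can be raised later, and verifies in constant time. The record format, the `needs_rehash` helper and the parameter values are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# Assumed parameters for the hardened derivation: SHA-256 instead of the
# truncated SHA-224 the scan flagged, a 16-byte random salt, and an
# iteration count in the range current guidance gives for PBKDF2-HMAC-SHA256.
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 600_000
KEY_LEN = 32


def hash_password(password: str, hash_name: str = HASH_NAME,
                  iterations: int = ITERATIONS) -> str:
    """Derive a key with PBKDF2-HMAC and return a self-describing record
    of the form algorithm$iterations$salt_hex$key_hex.

    Storing the parameters with the key lets you raise the iteration count
    or change the digest later without breaking verification of old records.
    The hash_name/iterations parameters exist so legacy records can be
    constructed for testing the migration path below.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(hash_name, password.encode(), salt,
                              iterations, dklen=KEY_LEN)
    return f"{hash_name}${iterations}${salt.hex()}${key.hex()}"


def _parse(record: str):
    hash_name, iterations, salt_hex, key_hex = record.split("$")
    return hash_name, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in
    constant time, so response timing does not reveal how many leading
    bytes of the candidate matched."""
    hash_name, iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode(), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a record was made with a weaker digest or fewer iterations
    than the current policy. Call this after a successful verify_password
    and re-hash with the cleartext you already hold, so old records are
    upgraded on next login instead of being accepted indefinitely."""
    hash_name, iterations, _salt, _key = _parse(record)
    return hash_name != HASH_NAME or iterations < ITERATIONS


if __name__ == "__main__":
    record = hash_password("secret")
    print(record)
    print("correct password:", verify_password("secret", record))
    print("wrong password:  ", verify_password("Secret", record))
    legacy = hash_password("secret", hash_name="sha224", iterations=100_000)
    print("legacy record still verifies:", verify_password("secret", legacy),
          "| needs rehash:", needs_rehash(legacy))
```

Rerunning the security scan on a file like this is the check that the replacement actually cleared the finding; reviewing the iteration count against your latency budget is the check the scanner cannot do for you.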

Validating CodeWhisperer Suggestions

There is no such thing as 100% trust when it comes to security vulnerabilities. CodeWhisperer's suggestions may themselves contain vulnerabilities, so it is important to cross-check them and to understand a suggested snippet before you use it in your code. The outcome also depends on the algorithm you choose: by accepting a certain suggestion you may be increasing the computational cost and reducing the execution speed of the algorithm. Validating the suggestions generated by CodeWhisperer is therefore essential.

You can rerun the scan by choosing the Run Security Scan option. A notification pops up when the scan has completed successfully with no issues found.

Wrap Up

All in all, it was an informative experience to learn how CodeWhisperer is used with PyCharm. Together they help you scan code for potential security threats, find the potential issues and understand them. You followed a simple procedure: accept CodeWhisperer's suggestions, then rerun the scan to validate them.

Beyond this, CodeWhisperer can detect other issues as well, including the top ten web application security risks, the top 25 most dangerous software weaknesses, and insecure use of AWS SDKs and APIs. All of this is backed by the Detector Library, which contains references, descriptions and examples that provide additional information.

Have you heard of the CI/CD pipeline? It is an important concept in DevOps and stands for Continuous Integration and Continuous Delivery. By combining CodeWhisperer with a CI/CD pipeline you can detect vulnerabilities throughout the delivery process. Searching for security vulnerabilities early in the development process is a great practice.
