For the last two years, we’ve been quietly building a new kind of static application security testing (SAST) solution that allows security and engineering teams to assess, prioritize, and remediate security risks and vulnerabilities in their code by what matters most – sensitive data.
Today, we are officially announcing its release as an Open Source project, Bearer.
By design, every issue Bearer reports is filtered and prioritized in accordance with the presence—directly or indirectly—of sensitive data. Ultimately, Bearer only reports risks that can have a major business impact, providing a clear actionable next step for security and engineering teams to protect their organization at the earliest stages of their product development lifecycle.
Our mission for Bearer is simple, to help security and engineering teams ship secure software faster by focusing on what matters the most.
It starts with empowering developers, the ones that build the products we use every day, by explaining in simple terms what the top issues are, why they matter, and how to fix them. All without disturbing their focus or annoying them. We also don’t think this can be done by asking anyone for a demo, signup, or even worse, a sales call.
That is the raison d’être of Bearer.
We’ve built Bearer for everyone, a single developer building their solo business, a small startup trying to revolutionize an industry, or a big social network trying to keep pace. After all, we all build software with the same technologies. Developers are developers, so why don’t we secure apps the same way? Security doesn’t have to be complex, cumbersome, or expensive.
What does Bearer do exactly?
Bearer is a static application security testing (SAST) solution that assesses the OWASP Top 10 security risks and vulnerabilities found in Web Applications today with a native filtering and prioritization mechanism based on their impact on sensitive data.
In practical terms, we provide a set of rules that assess the variety of ways known code vulnerabilities (CWE) ultimately impact your application security and we reconcile it with your sensitive data flows. At the time of this writing, Bearer provides more than 100 rules.
Here are some practical examples of what those rules can detect:
- Non-filtered user input that can lead to breaches of sensitive information.
- Leakage of sensitive data through cookies, internal loggers, third-party logging services, and into analytics environments.
- Usage of weak encryption libraries or misusage of encryption algorithms.
- Unencrypted incoming and outgoing communication (HTTP, FTP, SMTP) of sensitive information.
- Hard-coded secrets and tokens.
And more.
Our rules are easily extendable to allow anyone to contribute in a simplified manner. If you can write code in a given language, you can create a rule for it. (link to contribution).
For example, some of our users use this system to detect the leakage of sensitive data in their backup environments or missing application-level encryption of their health data (read more).
Last, thanks to our unique ability to detect sensitive data flows, Bearer allows you to generate a privacy report that will greatly help your team comply with privacy regulations such as GDPR, CCPA/CPRA, etc. It’s not meant to make you “auto-magically” comply, but it automates an important part of the evidence gathering across all your applications, often done manually and poorly. Your privacy team will love this.
How do you detect sensitive data flows from the code?
When you run Bearer on your codebase, it discovers and classifies data by identifying patterns in the source code. Specifically, it looks for data types and matches against them. Most importantly, it never views the actual values (it just can’t)—but only the code itself.
Bearer assesses 120+ data types from sensitive data categories such as Personal Data (PD), Sensitive PD, Personally identifiable information (PII), and Personal Health Information (PHI). You can view the full list in the supported data types documentation.
In a nutshell, our static code analysis is performed on two levels:
- Analyzing class names, methods, functions, variables, properties, and attributes. It then ties those together to detected data structures. It does variable reconciliation etc.
- Analyzing data structure definitions files such as OpenAPI, SQL, GraphQL, and Protobuf.
Bearer then passes this over to the classification engine we built to support this very particular discovery process.
If you want to learn more, here is the longer explanation.
What makes Bearer different from any other SAST?
SAST tools are known to bury security teams and developers under hundreds of issues with little context and no sense of priority, often requiring security analysts to triage issues. Not Bearer.
The most vulnerable asset today is sensitive data, so we start there and prioritize application security risks and vulnerabilities by assessing sensitive data flows in your code to highlight what is urgent, and what is not. We do so by identifying and classifying, from your code, 122 different sensitive data types grouped in well-known categories (PII, PHI, Personal Data).
For example, if you are communicating an email address to an unsecured API, we will report it, but with a lower priority than if it is health information. Or if you are using a weak encryption library in an application that doesn’t process any sensitive data, we will just not report it by default.
We believe that by linking security issues with a clear business impact, risk of a data breach or data leak, we can build better and more robust software, at no extra cost.
In addition, by being Open Source, extendable by design, and built with a great developer UX in mind, we bet you will see the difference for yourself.
How do I use it?
Bearer is a CLI tool you can run locally on your machine or as part of your CI/CD. We also provide a GitHub action to make things super easy. You can install Bearer in 15 seconds, from cURL, Homebrew, apt-get, yum, or as a docker image. Point it at your project, and start scanning and remediating the top issues right away.
How long does it take to scan my code?
It really depends on the size of your applications. It can take as little as 20 seconds, up to a few minutes for an extremely large code base. We’ve added an internal caching layer that only looks at delta changes to allow quick, subsequent scans.
What languages do you support today?
We currently support JavaScript and Ruby and their associated most used frameworks and libraries. But we have many more languages on the way, and in reality, we already have some support baked in the current version for PHP, Go, Python, Java, and C#.
But before expanding the language support, we want to gather as much feedback, and insights and bake as many improvements as possible, especially when it comes to more detection rules.
I hate static code analyzers, why should I try this one?
There are (at least) three reasons to dislike SAST:
- A deluge of issues and no priority
- Poor user experience
- Black box concept.
One of the reasons is that they often only target security teams, whereas Bearer focuses just as much on the experience of developers. Bearer’s aim is to get out of the way. Just enough friction to help you make the best security choices, but not so much that it breaks developers’ workflow and requires an army of security analysts.
If you recognize your experience with other SAST tools, try Bearer.
I’m already using another SAST, why should I try this one?
While Bearer uses some of the same underlying concepts as many other SAST tools, no other solutions are able to filter and prioritize issues in the same way as we do. You may still find value in other SAST products, but we think Bearer’s emphasis on surfacing the most impactful issues first makes it an essential solution if you have to start somewhere.
Why do you use the Elastic License?
Elastic lets us offer a fair license for developers and organizations to use and benefit from Bearer, while still protecting ourselves from large existing vendors that may be tempted to repackage it into a commercial product. Here is the story behind this license.
How are you going to make money?
Bearer Cloud, our commercial offering, provides additional features on top of this Open Source version, mostly in terms of workflow and reporting for security organizations (read more).
To be clear, this Open Source version is not locked into any ways to favor our commercial offering, it’s just an additional layer on top of it that is not required for most of you.
Try it now, in 60 seconds!
« I want to see value under 60 seconds », that’s what one of our engineers said when we decided to launch Bearer OSS, so here we are!
You can find a complete « getting started » guide here, but if you want this 60 seconds experience:
- Install Bearer (alternative options)
- Clone this demo application
- Run your first security scan!
And to prove it works under 60 seconds, here is a short screencast.
Do you have any questions? Feedback? Are you looking to contribute?
Please join the discussion on Github.