Prerequisite You have completed a scan, and you have Policy Management enabled. Reach out to your Corgea contact to enable Policy Management.

Corgea comes pre-configured with a comprehensive set of policies designed to provide immediate value and maximize your security analysis experience. These built-in policies cover common security patterns, frameworks, and infrastructure setups.

You can further customize and extend these policies to enrich the platform with additional business, network, and environmental context to improve the accuracy of vulnerability detection, false positive identification, and fix generation. By providing this context through policies, you can help Corgea better understand your specific security requirements and infrastructure.

Important Policy Behaviors

Before diving into policy structure, there are some key behaviors to understand:

  1. Policy Application: New policies only take effect on new scans - they won’t retroactively affect existing results.

  2. Policy Precedence:

    • More specific policies take precedence over general policies for false positive detection and fixes
    • For example, a SSRF-specific false positive policy would override a general false positive policy
    • Customer-defined policies always override Corgea’s native policies

  3. Policy Grouping: For scanning policies, it’s recommended to group related security concerns together rather than creating individual policies. For example:

    • Group authentication, authorization, and permission handling together
    • Combine related data validation checks
    • Bundle associated security control verifications This approach yields better results as these security concerns often overlap and interact.

Policy Structure

A well-structured policy should include the following components:

  1. Policy Type: Specify the type of policy you’re creating, such as BLAST (detecting vulnerabilities), False Positive (identifying false positives), or Fix (suggesting code fixes).

  2. Business Context: Provide detailed information about your:

    • Business domain and requirements
    • Network architecture and security controls
    • Environment-specific configurations
    • Data classification and handling requirements
    • Compliance requirements (e.g., PCI, HIPAA, GDPR)

  3. Description: Clear instructions incorporating your context, including:

    • Specific vulnerability patterns in your environment
    • Code examples relevant to your architecture
    • How issues should be handled given your infrastructure

  4. Vulnerability Types (CWEs): Choose which types of security vulnerabilities this policy should handle, based on your risk profile.

  5. Scope: Select which projects to apply this policy to, allowing for environment-specific policies.

Policy Best Practices

When writing policies, follow these best practices to provide effective context:

  1. Be Specific About Your Environment: Detail your infrastructure, security controls, and compensating controls.

  2. Include Business Logic: Explain business-specific validation rules, data flows, and security requirements.

  3. Describe Security Architecture: Document your security layers, trust boundaries, and protection mechanisms.

  4. Define Data Context: Specify how different types of data should be handled in your environment.

  5. Document Exceptions: Note any legitimate business cases for apparent security issues.

Examples

When creating policy examples, follow these tips to make them more effective:

  1. Use Multiple Examples: Include 3-5 diverse examples for each policy type to:

    • Show different use cases and scenarios
    • Cover edge cases specific to your environment
    • Demonstrate varying levels of complexity
    • Illustrate different security controls and compensating measures

  2. Make Examples Relevant: Ensure your examples:

    • Reflect your actual infrastructure and architecture
    • Include real security controls you use
    • Reference your specific tools and frameworks
    • Match your development patterns and practices

  3. Structure Examples Clearly: Format your examples with:

    • Clear section headers and labels
    • Consistent formatting and indentation
    • Detailed comments explaining key points
    • Tags to separate different components

  4. Include Context: Each example should provide:

    • The specific business scenario
    • Relevant infrastructure details
    • Security controls in place
    • Expected behavior and outcomes

Below are example policies demonstrating these principles:

BLAST Policy Example

Policy Type: BLAST

Business Context: Our application processes healthcare data behind a secure API gateway that handles encryption. Internal services communicate over a private network with mutual TLS. All database access is through our custom ORM that implements row-level encryption.

Description: Review code considering our infrastructure. Flag potential PHI exposure but account for our API gateway encryption. Consider our network segregation when evaluating internal service communication. Verify proper use of our custom ORM for database access.

Use Cases:
- Detecting direct database access bypassing our ORM
- Identifying services accidentally exposed outside the API gateway
- Finding improper internal service authentication
- Detecting logging of pre-encryption PHI
- Identifying misuse of our security infrastructure

False Positive Policy Example

Policy Type: False Positive

Business Context: Our test environments use sanitized data and mock services. All external services are replaced with stubs. The test network is isolated and all traffic is monitored. We use a custom test framework that simulates security controls.

Description: Consider our test infrastructure when evaluating security issues. Data that appears sensitive is actually sanitized. External service calls are mocked. Network isolation provides additional security layers.

Use Cases:
- Validating test data handling
- Confirming proper use of service mocks
- Verifying test environment isolation
- Checking sanitized data usage
- Validating test security controls

Fix Policy Example

Here’s an example of a Fix policy that uses a custom middleware to protect against XSS vulnerabilities:

Policy Type: Fix

Business Context: We use a custom security middleware called "SecureMiddleware" that provides XSS protection, among other security features. All web applications must use this middleware for request handling. The middleware automatically sanitizes user input and encodes output to prevent XSS attacks.

Description: Generate fixes that integrate with our SecureMiddleware for XSS protection. Use the built-in sanitization and encoding functions provided by the middleware. Follow our secure coding guidelines for handling user input and rendering output.

Use Cases:
- Implementing XSS protection using SecureMiddleware
Example: 
```javascript
// Import the SecureMiddleware
import SecureMiddleware from '../middleware/SecureMiddleware';

// Use the middleware for request handling
router.get('/profile', SecureMiddleware.sanitizeInput(), (req, res) => {
  const username = req.query.username; // Username is now sanitized
  
  // Render the profile page with encoded output
  res.render('profile', { 
    username: SecureMiddleware.encodeOutput(username)
  });
});
`` `
In this example, the `SecureMiddleware.sanitizeInput()` function is used to sanitize the `username` parameter from the query string, preventing XSS attacks through user input. The `SecureMiddleware.encodeOutput()` function is then used to encode the `username` value before rendering it in the template, preventing XSS attacks through output rendering.

- Integrating with our centralized security middleware
Example or description: [Add an content]

- Following secure coding practices for user input handling
Example or description: [Add an content]

- Implementing context-specific XSS protection measures
Example or description: [Add an content]

By providing this context, Corgea can generate fixes that properly integrate with your custom security middleware and follow your secure coding guidelines for XSS protection.

Policy Type: Fix

Business Context: We use a custom security framework that provides encryption, authentication, and audit logging. All services must use our security middleware. We have specific requirements for key rotation and cipher selection.

Description: Generate fixes that integrate with our security framework. Use our standard middleware components. Follow our encryption standards and key management practices. Ensure proper audit logging through our centralized system.

Use Cases:
- Implementing framework-compliant security controls
Example or description: [Add an content]

- Integrating with our authentication services
Example or description: [Add an content]

- Setting up proper audit logging
Example or description: [Add an content]

- Configuring encryption using our standards
Example or description: [Add an content]

- Establishing service-to-service authentication
Example or description: [Add an content]

- Implementing environment-specific security measures
Example or description: [Add an content]

By providing rich context about your business environment, security controls, and infrastructure, you help Corgea deliver more accurate and relevant security analysis tailored to your specific needs.

False Positive DetectionUser Management