
Using Periodic Security Reviews

info

The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

What are Periodic Security Reviews?

Takumi can periodically conduct security reviews on repositories linked to Slack channels.
When you enable Security Reviews in the Active Takumi settings, Takumi reviews the commit differences within the specified period and posts the results to your Slack channel.

Takumi notifying the start of a security review on Slack

Periodic security reviews give you a regular view of the latest security risks, even in teams where features are frequently added or modified.

We particularly recommend running security reviews at these times:

  • Run security reviews over the weekend and share the latest issues in the Monday morning team meeting
  • Schedule security reviews for the day before regular meetings so that each development cycle is reviewed

Difference from Scheduled Tasks

A feature similar to periodic security reviews is Scheduled Tasks.

  • Scheduled Tasks: You can freely request any task from Takumi at any time.
  • Periodic security review: Specialized for regularly reviewing the commit differences within a specified period. Because it targets only the differences, it tends to consume fewer credits than assessing the entire application.

While Scheduled Tasks offer high flexibility, the accuracy of a security review can vary depending on how the request is phrased. With periodic security reviews, we manage the prompts on our side and provide workflows optimized for this workload, so assessment accuracy is more stable and the review runs more efficiently.

If you want to regularly assess the entire application instead of commit differences within a period, please use Scheduled Tasks.

Expected Review Time

It may take approximately 4 to 8 hours from when Takumi starts the security review until completion.

How to Set Up Periodic Security Reviews

  1. Invite Takumi to your Slack and set the required scopes.
    For details, see Invite Takumi to Slack.

  2. Enable periodic security review from "Settings > Takumi" in the Active Takumi settings.

You can choose the report frequency as "weekly" or "monthly".
Takumi will perform a security review on the commit differences within the specified period.

Periodic Security Review Usage Example

When periodic security review is enabled, you will receive results on Slack in the following format.

Slack Notification Example

Outputting the security review report in Markdown format

Takumi outputting the security review report in Markdown format on Slack

Explaining high-risk findings in threads

Takumi explaining high-risk findings in Slack threads

Markdown Output Example

# Vulnerability Details

## 1. Buffer Overflow in Path Buffer Management (Severity: Critical)

### Affected Feature

Buffer Overflow in Path Buffer Management

### Impacted Code

- src/file_handler/files.cpp

In AllocBuffer():

```cpp
int length = strlen(targetFile);
int pathLength = mFile - mPath;
mLength = (len + pathLength) * 2;   // Integer overflow here
// followed by
strcpy(mFile, name);                // Buffer overflow here
```

### Description

This vulnerability occurs in the local file system handling where the AllocBuffer() function fails to properly manage memory allocation for file paths. The issue has two critical components: first, an integer overflow can occur when calculating buffer sizes for very long file names, causing the system to allocate less memory than actually needed. Second, the code uses strcpy() operations without checking if the data will fit in the allocated buffer, leading to memory being written beyond the buffer boundaries. This happens when processing directories with extremely long file names that approach filesystem limits (typically 255+ characters).

### Risk

This buffer overflow vulnerability poses severe security risks, as it can lead to memory corruption and potentially allow attackers to execute arbitrary code on the victim's system. In the worst case, an attacker could craft malicious directories with extremely long file names and trick users into opening them, potentially resulting in complete system compromise. Even if code execution is not achieved, the vulnerability will likely cause application crashes, leading to denial of service and potential data loss for users.

### Solution

The most critical fix is replacing all strcpy() operations with secure alternatives like strncpy() or snprintf() that respect buffer boundaries. Additionally, implement proper integer overflow protection in the buffer size calculation by checking if (len + pathlen) would overflow before performing the multiplication. Consider using safer string handling functions throughout the codebase and implement comprehensive input validation to reject file names that exceed reasonable length limits. A complete solution should also include bounds checking before any string copy operation and consider using modern C++ string classes that handle memory management automatically.
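The two defects the finding describes, as an added C example that is not code from this page or from the reviewed project: a hypothetical AllocBuffer() modelled on the snippet above, next to a hardened version that checks the size arithmetic before allocating and checks the remaining space before copying. The PathBuffer type, MAX_NAME_LEN and the helper names are assumptions made for the example; the size arithmetic is done in uint32_t rather than the original int so that the wrap-around is well-defined and can be shown deterministically.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical buffer object modelled on the finding (assumption, not the
   project's real type). mPath is the allocation, mFile points at the file
   name part inside it. */
typedef struct {
    char  *mPath;
    char  *mFile;
    size_t mLength;   /* bytes allocated at mPath */
} PathBuffer;

/* Vulnerable size calculation: (len + pathLength) * 2 in 32-bit arithmetic.
   The original uses int (signed overflow is undefined behaviour); uint32_t is
   used here so the wrap is reproducible. */
uint32_t vulnerable_alloc_size(uint32_t len, uint32_t pathLength) {
    return (len + pathLength) * 2u;   /* wraps once len + pathLength >= 2^31 */
}

/* Vulnerable AllocBuffer(): allocates the wrapped size, then copies the name
   with no check that it fits. Kept for comparison only; never call it with
   attacker-controlled names. */
void vulnerable_alloc_buffer(PathBuffer *buf, const char *dir, const char *name) {
    uint32_t pathLength = (uint32_t)strlen(dir);
    uint32_t len = (uint32_t)strlen(name);
    buf->mLength = vulnerable_alloc_size(len, pathLength);  /* may be tiny */
    buf->mPath = malloc(buf->mLength);
    strcpy(buf->mPath, dir);                                /* unchecked copy */
    buf->mFile = buf->mPath + pathLength;
    strcpy(buf->mFile, name);                               /* unchecked copy */
}

/* Policy limit on a single file name (assumed value). */
#define MAX_NAME_LEN 4096u

/* Hardened size calculation: same arithmetic in size_t, every step checked.
   Returns 0 when the name is rejected, otherwise the bytes to allocate
   including the terminating NUL. */
size_t safe_alloc_size(size_t len, size_t pathLength) {
    if (len > MAX_NAME_LEN) return 0;            /* reject absurd names up front */
    if (len > SIZE_MAX - pathLength) return 0;   /* addition would overflow */
    size_t sum = len + pathLength;
    if (sum > (SIZE_MAX - 1) / 2) return 0;      /* multiplication would overflow */
    return sum * 2 + 1;
}

/* Hardened copy: writes name at buf->mFile only if it fits with its NUL.
   Returns 1 on success, 0 if the name is rejected. */
int safe_set_file(PathBuffer *buf, const char *name) {
    size_t used  = (size_t)(buf->mFile - buf->mPath);
    size_t avail = buf->mLength - used;
    size_t len   = strlen(name);
    if (len >= avail) return 0;                  /* no room for name + NUL */
    memcpy(buf->mFile, name, len + 1);
    return 1;
}

/* Hardened AllocBuffer(): builds dir + name, failing closed on any overflow. */
int safe_alloc_buffer(PathBuffer *buf, const char *dir, const char *name) {
    size_t pathLength = strlen(dir);
    size_t size = safe_alloc_size(strlen(name), pathLength);
    if (size == 0) return 0;
    buf->mPath = malloc(size);
    if (buf->mPath == NULL) return 0;
    buf->mLength = size;
    memcpy(buf->mPath, dir, pathLength);
    buf->mFile = buf->mPath + pathLength;
    if (!safe_set_file(buf, name)) {
        free(buf->mPath);
        buf->mPath = NULL;
        return 0;
    }
    return 1;
}

int main(void) {
    /* A name length of 2^31 makes the vulnerable formula wrap to 16 bytes. */
    printf("wrapped allocation size: %u\n", vulnerable_alloc_size(0x80000000u, 8u));

    PathBuffer b;
    if (safe_alloc_buffer(&b, "/var/data/", "report.txt")) {
        printf("safe path: %s (%zu bytes allocated)\n", b.mPath, b.mLength);
        free(b.mPath);
    }
    return 0;
}
```

The hardened copy uses memcpy after an explicit length check rather than strncpy(): strncpy() does not guarantee NUL termination when the source is longer than the size argument, so it is not a drop-in fix for an unchecked strcpy() on its own.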