{"id":86851,"date":"2023-09-08T14:08:32","date_gmt":"2023-09-08T18:08:32","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=86851"},"modified":"2025-06-08T15:16:54","modified_gmt":"2025-06-08T13:16:54","slug":"best-fix-location-minimize-fix-time-and-maximize-security","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/","title":{"rendered":"Best Fix Location: Minimize Fix Time and Maximize Security"},"content":{"rendered":"

\nA Cascade of Errors<\/strong> <\/h2>\n\n\n\n


When I wrote Delphi code, I had to compile code into binaries to run on Windows.  The compiler wouldn’t produce a binary unless my code was semantically correct.  If the code was semantically correct, but had potential logic errors, the compiler would issue warnings.  My team always had an ironclad rule that we should never commit code with warnings.  (There were also hints that resulted from semantically correct, but syntactically meaningless, code.  We also never wanted to check-in code with hints…) <\/p>\n\n\n\n

Sometimes a compilation would result in many, many warnings. A quick examination would usually reveal the reason and making one fix in one spot would often resolve all the warnings. <\/p>\n\n\n\n

 A similar thing can happen with security vulnerabilities in your code.  Sometimes, when doing a Static Analysis Security Testing (SAST) scan, you can get a ton of (seemingly) unrelated errors.  You might look at that and think \u201cSweet Baby Elvis, this is going to take a long time to fix!\u201d  But fear not – our Static Application Security Testing (SAST) tool can make it easier for you to clear those errors as quickly as possible. <\/p>\n\n\n\n

The Best Place <\/strong><\/h2>\n\n\n\n

<\/p>\n\n\n\n

Very often, a single change to your code can cause many of the vulnerabilities in your code to go away. But it\u2019s finding that spot in your code can often be the challenge. <\/p>\n\n\n\n

Checkmarx SAST has a feature called \u201cBest Fix Location,\u201d or BFL for short.  The BFL is designed to find that “one fix, many vulnerabilities disappear” spot in your code.  As part of the scanning process, our SAST will process our code analysis, and then try to find the very best place to fix any given alert. Very often, that remediates the root problem for many other issues.   <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

Above, you can see the Checkmarx One interface showing an alert in some JavaScript code that could lead to a DOM Stored Cross-site Scripting attack<\/a>.  This is a common problem that has an easy solution.  Sometimes, it can be difficult to figure out the best place to start.   <\/p>\n\n\n\n

In the upper right, you can see links to a chain of attack vectors \u2013 places that a malicious actor might try to place script code into your application.  The bottom link is the line of code \u201cclosest to the surface\u201d, and each line above it digs in a little deeper.   <\/p>\n\n\n\n

The top one, the fourth in the call stack, is the Best Fix Location.  It is the spot in the code that is the \u201croot of the problem.\u201d Make a correction there, and it is likely that other vulnerabilities that use that code at a \u201chigher\u201d point in the code will go away as well.   <\/p>\n\n\n\n

In this case, we can see that the responseText<\/strong> property will allow malicious users to be able to place unsanitized code into our page, leaving our application open to attack.   <\/p>\n\n\n\n

How This All Works <\/strong><\/h2>\n\n\n\n

Our SAST tools do something that is called \u201cData Flow Analysis.\u201d Data Flow Analysis focuses on how data flows through the application, showing how data is passed between different statements or blocks of code. It tracks the relationship between different variables, expressions, and operators in a particular program, and how they are used to compute values or change data.  Our solution uses this information to find vulnerabilities in your code.   <\/p>\n\n\n\n

Data Flow Analysis is much more resource intensive than some other solutions that use Regular Expressions or other ways of analyzing code.  This trade-off is worth it though, because Data Flow Analysis is a deep and thorough examination of not merely the code, but the way the code works. <\/p>\n\n\n\n

Getting It Fixed <\/strong><\/h2>\n\n\n\n

<\/p>\n\n\n\n

Now you know where the problem lies. But we don\u2019t abandon you there.  We will point you to resources that will help you understand what the risk is, why it is a risk, and how to make the risk go away. <\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

On the right is a quick description of what the vulnerability is.  You will be able to continue to learn more about the vulnerability by following the \u201cRead More\u201d link. There you will be given a complete description of the issue, including code examples of the problem occurring and recommended solutions.  In addition, we point you to resources within our CodeBashing<\/a> training solution that can give you even more information.  <\/p>\n\n\n\n

Once you understand the issue, we make it simple for you to remediate it.  You know your codebase, and so you know the best way to move forward with this alert.  Maybe it looks like a problem, but it isn\u2019t. Maybe it is<\/em> a problem and needs to be fixed in due course.  Or maybe it needs to be fixed immediately.  You can use the dashboard to give the issue a label to make sure that it will be dealt with properly, and so that it will receive the correct level of attention. <\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

So far, we\u2019ve been looking at all of this in the Checkmarx One Dashboard.  But if you are a developer, you can do all of what we talked about here right inside your IDE.  We have plugin support for VS Code, Visual Studio, JetBrains Ultimate, and Eclipse.  Our plugins let you run SAST scans to see, process, and fix alerts without leaving your tool of choice. <\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

Hunting down the location of the problem is often the biggest time-sink in dealing with a code security alert. Not having to even do the search is a huge productivity boost.  Getting all the information about the problem and advice on how to fix it is the icing on the cake.     <\/p>\n\n\n\n

In the end, the Best Fix Location feature will give you everything you need to make quick work of problems in your code.   <\/p>","protected":false},"excerpt":{"rendered":"

A Cascade of Errors  When I wrote Delphi code, I had to compile code into binaries to run on Windows.  The compiler wouldn’t produce a binary unless my code was semantically correct.  If the code was semantically correct, but had potential logic errors, the compiler would issue warnings.  My team always had an ironclad rule […]<\/p>\n","protected":false},"author":89,"featured_media":85759,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[85,84],"tags":[87,397,435,190,403],"class_list":["post-86851","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-application-security-trends","category-blog","tag-appsec","tag-developer","tag-developer-advocate","tag-english","tag-leadership"],"acf":[],"yoast_head":"\nBest Fix Location: Minimize Fix Time and Maximize Security<\/title>\n<meta name=\"description\" content=\"Emphasizes both security and efficiency benefits, while highlighting the core concept of "Best Fix Location."\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Best Fix Location: Minimize Fix Time and Maximize Security\" \/>\n<meta property=\"og:description\" content=\"Emphasizes both security and efficiency benefits, while highlighting the core concept of "Best Fix Location."\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:published_time\" content=\"2023-09-08T18:08:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-08T13:16:54+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2023\/07\/Version_2.0_blog_banner2.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2500\" \/>\n\t<meta property=\"og:image:height\" content=\"1312\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Nick Hodges\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Nick Hodges\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/\"},\"author\":{\"name\":\"Nick Hodges\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/e527cee1a05cc146c393f2ce0dc3815a\"},\"headline\":\"Best Fix Location: Minimize Fix Time and Maximize Security\",\"datePublished\":\"2023-09-08T18:08:32+00:00\",\"dateModified\":\"2025-06-08T13:16:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/\"},\"wordCount\":1027,\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2023\/07\/Version_2.0_blog_banner2.jpg\",\"keywords\":[\"AppSec\",\"Developer\",\"Developer Advocate\",\"English\",\"Leadership\"],\"articleSection\":[\"Application Security Trends & Insights\",\"Blog\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/\",\"url\":\"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/\",\"name\":\"Best Fix Location: Minimize Fix Time and Maximize Security\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2023\/07\/Version_2.0_blog_banner2.jpg\",\"datePublished\":\"2023-09-08T18:08:32+00:00\",\"dateModified\":\"2025-06-08T13:16:54+00:00\",\"description\":\"Emphasizes both security and efficiency benefits, while highlighting the core concept of \\\"Best Fix Location.\\\"\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2023\/07\/Version_2.0_blog_banner2.jpg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2023\/07\/Version_2.0_blog_banner2.jpg\",\"width\":2500,\"height\":1312},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/e527cee1a05cc146c393f2ce0dc3815a\",\"name\":\"Nick Hodges\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/957f71f3b34b12a985d7c772772fbf7a9f0db0776a004881aeab45f70dcd6456?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/957f71f3b34b12a985d7c772772fbf7a9f0db0776a004881aeab45f70dcd6456?s=96&d=mm&r=g\",\"caption\":\"Nick Hodges\"},\"url\":\"https:\/\/checkmarx.com\/author\/nickhodges\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Best Fix Location: Minimize Fix Time and Maximize Security","description":"Emphasizes both security and efficiency benefits, while highlighting the core concept of \"Best Fix Location.\"","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/","og_locale":"en_US","og_type":"article","og_title":"Best Fix Location: Minimize Fix Time and Maximize Security","og_description":"Emphasizes both security and efficiency benefits, while highlighting the core concept of \"Best Fix Location.\"","og_url":"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_published_time":"2023-09-08T18:08:32+00:00","article_modified_time":"2025-06-08T13:16:54+00:00","og_image":[{"width":2500,"height":1312,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2023\/07\/Version_2.0_blog_banner2.jpg","type":"image\/jpeg"}],"author":"Nick Hodges","twitter_card":"summary_large_image","twitter_creator":"@checkmarx","twitter_site":"@checkmarx","twitter_misc":{"Written by":"Nick Hodges","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/#article","isPartOf":{"@id":"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/"},"author":{"name":"Nick Hodges","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/e527cee1a05cc146c393f2ce0dc3815a"},"headline":"Best Fix Location: Minimize Fix Time and Maximize Security","datePublished":"2023-09-08T18:08:32+00:00","dateModified":"2025-06-08T13:16:54+00:00","mainEntityOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/"},"wordCount":1027,"publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2023\/07\/Version_2.0_blog_banner2.jpg","keywords":["AppSec","Developer","Developer Advocate","English","Leadership"],"articleSection":["Application Security Trends & Insights","Blog"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/","url":"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/","name":"Best Fix Location: Minimize Fix Time and Maximize Security","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2023\/07\/Version_2.0_blog_banner2.jpg","datePublished":"2023-09-08T18:08:32+00:00","dateModified":"2025-06-08T13:16:54+00:00","description":"Emphasizes both security and efficiency benefits, while highlighting the core concept of \"Best Fix Location.\"","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/blog\/best-fix-location-minimize-fix-time-and-maximize-security\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2023\/07\/Version_2.0_blog_banner2.jpg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2023\/07\/Version_2.0_blog_banner2.jpg","width":2500,"height":1312},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]},{"@type":"Person","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/e527cee1a05cc146c393f2ce0dc3815a","name":"Nick Hodges","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/957f71f3b34b12a985d7c772772fbf7a9f0db0776a004881aeab45f70dcd6456?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/957f71f3b34b12a985d7c772772fbf7a9f0db0776a004881aeab45f70dcd6456?s=96&d=mm&r=g","caption":"Nick Hodges"},"url":"https:\/\/checkmarx.com\/author\/nickhodges\/"}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/86851","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/89"}],"replies":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/comments?post=86851"}],"version-history":[{"count":0,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/86851\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/85759"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=86851"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/categories?post=86851"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/tags?post=86851"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}