Policies allow you to describe the data and methods in your application and how they relate to each other. This information is helpful to preZero because it enriches the generated code property graph, allowing preZero to draw higher-level conclusions and report relevant security findings.
More specifically, preZero uses policies to gain insight into:
- How your application communicates with other applications, APIs, services, etc.
- The transformations that exist on your data
- The information flows that should be considered as security violations
preZero includes default application policies that define patterns; data flows that match those patterns are typically reported as security violations or recognized as data transformations.
The included policies define the most commonly found patterns. You can create custom policies to provide additional knowledge regarding your app and exclude parts of a default policy that don't apply to your app.
You can use custom policies instead of or in conjunction with preZero's default policies.
Policy file locations
preZero policies are located in the Qwiet repository; using Qwiet's CLI, you can:
- View a policy
- Upload a custom policy you've written
- Manage default policies
A policy's name is derived from the namespace it covers. For example, the policy you'd use whenever your application calls the java.io.ObjectInputStream class from the Java Standard Library is available in Qwiet's repository as java.io/ObjectInputStream.
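As an added illustration that is not taken from Qwiet's documentation or policy repository, the fragment below sketches what a small custom policy for the java.io/ObjectInputStream case could look like. It follows the shape of the Qwiet/ShiftLeft policy language as recalled here (IO, CONCLUSION and EMIT statements, with methods selected by full signature via -f), so the keywords, flags, tag names ("SOURCE", "SINK"), the method signatures, and the category and score values are all assumptions to check against the policy language reference before uploading the file with the CLI.

```text
# Constructed example policy; not a Qwiet default policy.

# IO statements describe how the application exchanges data with the outside:
# an HTTP request parameter is where untrusted data enters (tagged SOURCE),
# and constructing an ObjectInputStream over a stream is where that data is
# consumed by deserialization (tagged SINK). Signatures are assumed.
IO http = METHOD -f "javax.servlet.http.HttpServletRequest.getParameter:java.lang.String(java.lang.String)" { RET "SOURCE" }
IO deserialize = METHOD -f "java.io.ObjectInputStream.<init>:void(java.io.InputStream)" { PAR -i 1 "SINK" }

# CONCLUSION names the information flow that should count as a security violation:
# anything read from the request that reaches the deserializer.
CONCLUSION http-to-deserialize = FLOW IO (http) -> IO (deserialize)

# EMIT defines the finding that preZero reports whenever the conclusion matches.
# The category slug and score are placeholders chosen for this example.
WHEN CONCLUSION http-to-deserialize => EMIT {
  title: "Request data reaches ObjectInputStream",
  description: "Data read from an HTTP request is deserialized by java.io.ObjectInputStream.",
  category: "a8-insecure-deserialization",
  score: "8"
}
```

A data transformation (for example, a validation or encryption routine that changes the security properties of the data passing through it) would be declared in the same style, so that flows which pass through it can be treated differently from raw flows; the default policies already cover the most common transformations, and a custom policy adds only the ones specific to your application.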