Why do we need security in our CI/CD pipeline?
• code
• Know which libraries we’re using. Licensing issues? Vulnerabilities?
• Find the problems as early as possible: shift left
• Company is growing very quickly: this cannot be a manual process
Dependency Checkers?
• audit
• Snyk
• Safety
• RetireJS
• Commercial:
  • WhiteHat
  • Veracode (https://www.sourceclear.com/)
  • Nexus-auditor
  • PT Application Inspector
  • and many others
• Most commercial SAST products include this feature by default
Catch something dangerous
• specific dangerous words in code such as:
  • For Django - mark_safe(), extra(), RawSQL
  • For React – dangerouslySetInnerHTML() or innerHTML
• Catch changes:
  • What and when it happened
  • Configuration files
  • requirements.txt/packages.lock
Check licenses of used dependencies?
• provide info about licenses of dependencies
• ScanCode toolkit
• Veracode/Whitehat and other commercial scanners
• AquaSec checks licenses of libraries in docker images
Hunt for leaked credentials: problems
• But they can’t cover all situations
• Use specialized tools like:
  • GitLeaks
  • TruffleHog
  • Gitrob
  • and many other clones
• User defined patterns
• Look for the patterns in:
  • log aggregation tools (e.g., Splunk)
  • Messaging apps (e.g., Slack)
  • Ticket systems such as JIRA
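The two slides above ("Catch something dangerous" and "Hunt for leaked credentials") both boil down to the same pipeline step: scan only the lines a change adds, flag framework-specific dangerous calls and credential-shaped strings, and note when a watched file such as requirements.txt or settings.py was touched. The script below is an added example, not the talk's own tooling and not any of the listed products; the rule names, the pattern sets and the watched-file list are assumptions chosen for illustration, and the diff it scans is a constructed sample. It uses the well-known AWS documentation placeholder key rather than a real credential.

```python
import re
from dataclasses import dataclass

# Hypothetical rule sets (added example). Names and regexes are illustrative;
# a real pipeline would load user-defined patterns from a config file.
DANGEROUS_CALLS = {
    "django-mark_safe": re.compile(r"\bmark_safe\s*\("),
    "django-extra": re.compile(r"\.extra\s*\("),
    "django-RawSQL": re.compile(r"\bRawSQL\s*\("),
    "react-dangerouslySetInnerHTML": re.compile(r"\bdangerouslySetInnerHTML\b"),
    "dom-innerHTML": re.compile(r"\.innerHTML\s*="),
}

SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "hardcoded-password": re.compile(
        r"(?i)\b(password|passwd|secret)\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
}

# Files whose modification should always be surfaced in review (assumed list).
WATCHED_FILES = ("requirements.txt", "package-lock.json", "packages.lock",
                 "settings.py", ".env")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int   # line number in the new version of the file (0 = file-level)
    rule: str
    text: str


def scan_diff(diff_text):
    """Walk a unified diff, return findings for added lines and watched files."""
    findings = []
    path = None
    new_line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            if path.rsplit("/", 1)[-1] in WATCHED_FILES:
                findings.append(Finding(path, 0, "watched-file-changed", ""))
            continue
        if raw.startswith(("--- ", "diff ", "index ")):
            continue
        if raw.startswith("@@"):
            # "@@ -old,len +new,len @@": counter starts just before the new start line
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_line_no = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("-"):
            continue  # removed lines do not exist in the new file
        new_line_no += 1  # context and added lines both advance the new-file counter
        if not raw.startswith("+"):
            continue
        content = raw[1:]
        for rule, rx in {**DANGEROUS_CALLS, **SECRET_PATTERNS}.items():
            if rx.search(content):
                findings.append(Finding(path, new_line_no, rule, content.strip()))
    return findings


# Constructed sample diff: a Django view starts wrapping user input in mark_safe(),
# and a settings file gains a credential (AWS's published placeholder key).
SAMPLE_DIFF = """\
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -1,4 +1,6 @@
 from django.shortcuts import render
+from django.utils.safestring import mark_safe

 def profile(request):
-    return render(request, "profile.html", {"bio": request.user.bio})
+    bio = mark_safe(request.user.bio)
+    return render(request, "profile.html", {"bio": bio})
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -20,3 +20,4 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 ALLOWED_HOSTS = ["example.internal"]
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.text}")
```

Run it as a pre-merge job with the output of `git diff` between the base and head of a merge request piped in; the import of mark_safe is deliberately not flagged, only its call site, which keeps the signal on the line a reviewer needs to look at.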
Developer Education program
• Checkmarx
• Start your internal guideline for developers:
  • Which libs should be used
  • Best security practice for frameworks
• Make friends with the dev team who care about security
• Transparency of your job for the dev team. Do not only notify them; talking to them is no less important.