- A common but unsafe practice among application developers is unintentionally committing secrets and credentials such as usernames/passwords, encryption keys, API tokens, etc. to the version control system (Git remote repository).
- If third parties have access to the source, or if the project is public, the sensitive information is exposed and can be leveraged by malicious users to gain access to the resources it protects.
- For public GitHub repositories there are services such as GitGuardian. In addition, the following tools scan a repository or commit for leaked secrets:
- git-secrets Refer Here
- Gitleaks Refer Here
- Spectral Refer Here
- Yelp detect-secrets Refer Here
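To show what these scanners do under the hood, here is a small added example (not code from any of the projects above): it combines fixed-format rules with a Shannon-entropy check, the way detect-secrets and gitleaks do, and honours an inline allowlist marker for known false positives. The patterns, threshold, marker and the sample config file are constructed for this illustration.

```python
import math
import re
import sys
from collections import Counter

# Constructed subset of credential patterns; git-secrets, gitleaks and detect-secrets
# ship far larger rule sets. Meant to run over files about to be committed (pre-commit hook).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_password": re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"]?([^'\"\s]{8,})"),
}
# Long base64/hex-looking words are judged by entropy, so tokens with no known prefix are still caught.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; a 32-char token with 32 distinct chars scores 5.0
ALLOWLIST_MARKER = "allowlist secret"  # inline marker, same idea as detect-secrets' pragma comment

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of s (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan_lines(lines):
    """Return (line_no, rule, matched_text) findings, skipping allowlisted lines."""
    findings = []
    for no, line in enumerate(lines, 1):
        if ALLOWLIST_MARKER in line:
            continue  # a reviewer marked this line as a test fixture, not a real secret
        for rule, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                findings.append((no, rule, m.group(0)))
        for tok in CANDIDATE.findall(line):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((no, "high_entropy", tok))
    return findings

# Constructed sample: a config file a developer is about to commit.
SAMPLE = """\
DB_HOST = "db.internal"
DB_PASSWORD = "S3cretPassw0rd!"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "Zq9xT2bLm8wR4yKp7vNs1hJc3fGd6eHa"
FIXTURE_ID = "Zq9xT2bLm8wR4yKp7vNs1hJc3fGd6eHa"  # pragma: allowlist secret
DEBUG = True
"""

if __name__ == "__main__":  # usage: python scan.py <file>; a non-zero exit blocks the commit from a hook
    hits = scan_lines(open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE.splitlines())
    print("\n".join(f"line {no}: {rule}: {m}" for no, rule, m in hits) or "no secrets found")
    sys.exit(1 if hits else 0)
```

The AWS-style key on line 3 is caught by its fixed format alone (its entropy is below the threshold), while the random API token on line 4 is caught only by the entropy check; the identical value on line 5 is suppressed by the allowlist marker.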
- Open-source components scale up development, enabling teams to deliver value more rapidly, yet they also bring in security flaws that can lead to significant business and financial loss if not addressed properly. Refer Here for the breach Equifax suffered through a vulnerable Apache Struts component.
- To prevent such scenarios, dependency scanning tools, also referred to as software composition analysis (SCA) tools, track, analyze and identify publicly disclosed vulnerabilities in your application's open-source components.
- Many SAST providers offer SCA solutions, but in general these are not as comprehensive and effective as a dedicated SCA solution.
- SCA tools can be integrated with IDEs and CI/CD pipelines, and can also run as recurring post-deployment checks.
- Popular tools are
- An open-source alternative is OWASP Dependency-Check Refer Here
- Browse CVE Refer Here
Dynamic Application Security Testing (DAST)
- DAST tools, also known as web application vulnerability scanners, are automated tools that scan running web applications.
- These tools do not require code visibility.
- DAST can perform two types of analysis:
- Passive scan: the DAST tool runs the scan by observing the application's traffic and does not actively attack the application.
- Passive and active scan: the DAST tool can be set up to run an active scan that attacks your application and provides a more comprehensive report.
- Fewer false positives.
- Because it tests the running application, it has a high chance of finding a large number of vulnerabilities.
- DAST is a slow testing process, so it is generally recommended to run DAST tools against test and staging environments.