Standards

• The OpenSCAP Project:
  • The Security Conent Automation Protocol (SCAP) is a U.S Security Standard Maintained by National Instititue of Standards and Technology
  • This project is collection of open-source tools for implementing and enforcing this standard
  • Refer Here
• The Center for Internet Security (CIS)
  • They provide security benchmarks and National Checklist Program (NCP), defined by NIST
  • They offer guidance on the security configuration of the
    • operating systems
    • databases
    • virtualizations
    • frameworks
    • applications
  • Refer Here
• The Cloud Controls Matrix (CCM)
  • The Cloud Security Aliance (CSA) has consolidate most security compliance methods into a single resource called as the Cloud Controls Matrix (CCM)
  • The CCM includes all security compliance controls suc as ISO, FedRAMP and NIST
  • It defines the control ID use to uniquely identify vulnerabilities
  • The CSA also provides the Consensus Assesments Initiative Questionarre (CAIQ) which is means of security self assesment for both consumers and providers
  • Refer Here
• The Open Web Application Security Project (OWASP)
  • This is a community project that provides free articles, methodologies, documents, tools and technologies for web application security
  • Refer Here
• Federal Information Processing Standards (FIPS)
  • These are security standards developed by US federal governement for use in non military governement computer systems.
  • Refer Here
  • Refer Here for storage cheatsheets

Identifying and Scoring Vulnerabilities

• Common Vulnerabilities adn Exposure (CVE) is a dictionary-style list of standardized names for vulnerabilities and other information related to security exposures
• CVE aims to standardize the names of publicly known vulnerabilities and security exposures
• The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of security vulnerabiliites
• CVSS assigns severity scores to vulnerabilities, using which development can prioritize according the threat level
  
  
• The National Checklist Program (NCP) provides secure configuration for specific software components

Exercise: Find all the vulnerabilites from NVD (National Vulnerability Database)

• Docker
• Kubernetes
• Tomcat
• Nginx

DAST

• Owasp ZAP Refer Here is the free tool to test your application for passive and active tests: Refer Here for the tool download
  
  

Next Steps:

• Jenkins Server Up:
  • Python Code
    • SCA
    • SAST
    • DAST
  • Java Code
    • SCA
    • SAST
    • DAST