DevOps Classroomnotes 18/Aug/2022

Dependency in Code

  • Any application that developers write relies on open source libraries, packages or frameworks for
    • web applications
    • Database connections and query executions (ORM Frameworks)
    • Logging
    • Authentication and Authorizations
    • Notifications.
  • Scanning dependencies for security risks is a mandatory step in DevSecOps.
  • To scan dependencies for security issues, we need a database of known vulnerabilities => CVE and NVD
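    The matching step such a scanner performs, shown as an added example (not code from the original notes): pinned requirements are parsed and compared against a local vulnerability feed. The feed, package names and advisory identifiers are constructed placeholders; a real scanner would use CVE/NVD data with the same "start including / end excluding" version ranges.

```python
"""Minimal dependency scanner: match pinned requirements against a local
vulnerability feed. The feed below is CONSTRUCTED for illustration and uses
placeholder identifiers; a real scanner would pull CVE/NVD data."""
import re

# Constructed feed: package -> list of (advisory id, start incl., end excl.),
# mirroring NVD's versionStartIncluding / versionEndExcluding range fields.
VULN_DB = {
    "examplelib": [("CVE-YYYY-PLACEHOLDER-1", "2.0.0", "2.4.1")],
    "samplelog":  [("CVE-YYYY-PLACEHOLDER-2", "0.0.0", "1.3.0")],
}

def parse_version(v):
    """Turn '2.4.1' into (2, 4, 1) so tuples compare numerically."""
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text):
    """Parse pinned 'name==version' lines; skip comments and unpinned entries."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps

def scan(deps, db=VULN_DB):
    """Return (package, version, advisory, fixed_in) for each affected pin."""
    findings = []
    for name, version in deps.items():
        for adv, start_incl, end_excl in db.get(name, []):
            if parse_version(start_incl) <= parse_version(version) < parse_version(end_excl):
                findings.append((name, version, adv, end_excl))
    return findings

# Constructed requirements file for demonstration
REQUIREMENTS = """\
examplelib==2.3.0     # inside affected range -> flagged
samplelog==1.3.0      # equals the fixed version -> not flagged
othercomponent==5.1.2 # not in the feed -> no finding
# unpinned entries are ignored by this simple scanner
flexible>=1.0
"""

if __name__ == "__main__":
    for f in scan(parse_requirements(REQUIREMENTS)):
        print("%s %s affected by %s (fixed in %s)" % f)
```

The pipeline would fail the build when `scan()` returns any finding, which is what "scanning dependencies during packaging" means in practice.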

Static vs Dynamic Security Testing

  • There are two ways to test for security
    • Static:
      • The tool scans the application with knowledge of the source code and reports vulnerabilities
      • This is called SAST
    • Dynamic:
      • The tool scans the running application and does not have access to the source code.
      • This is called DAST

OWASP (Open Web Application Security Project® (OWASP))

  • This organization publishes a list of the top N issues to be concerned about early in development.
  • They also provide the necessary tools to scan for them
  • Refer Here for the OWASP Top 10:2021
  • As a DevSecOps Engineer, we will be
    • performing SAST during packaging/building the application
    • performing DAST after application deployment
    • ensuring our application does not have any of the issues listed in the OWASP Top 10 (latest year)
  • Exercises:
    • Find information about what the following are
      • GDPR
      • PCI-DSS

About continuous learner

devops & cloud enthusiastic learner