DevSecOps
- At code level we perform
  - SCA (Software Composition Analysis): checking whether the third-party dependencies we pull in have known security issues, usually by matching package names and versions against CVE and advisory data
  - SAST (Static Application Security Testing): checking the code we developed for security issues without running it
- We deploy the application and perform
  - DAST (Dynamic Application Security Testing): probing the running application from the outside for security issues
Understanding CVE in Cybersecurity
CVE Definition
CVE stands for Common Vulnerabilities and Exposures, which is a standardized system that provides unique identifiers for publicly known cybersecurity vulnerabilities. These vulnerabilities can exist in software, hardware, or other digital systems, allowing organizations to effectively track and communicate security issues[1][2].
Origin and Purpose
The CVE system was established in 1999 by the MITRE Corporation, a nonprofit organization dedicated to advancing technology for public interest. Its primary purpose is to standardize the naming and tracking of vulnerabilities across various organizations and security tools. By providing a common language for discussing vulnerabilities, CVE facilitates coordination in efforts to mitigate and resolve these issues[1][3].
How CVE Works
CVE operates as a public catalog of known security vulnerabilities, where each entry includes a unique identifier (CVE ID), a brief description of the vulnerability, and references to additional resources. A CVE ID has the form "CVE-YYYY-NNNN", where YYYY is the year the ID was reserved or the vulnerability was made public, and NNNN is a sequence number of at least four digits (longer sequence numbers are valid, so tools must not assume exactly four). IDs are assigned by CVE Numbering Authorities (CNAs) operating under the program[2][3].
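The SCA step from the DevSecOps list above and the CVE ID format described here meet in practice: an SCA tool maps each dependency to the CVE IDs that affect its version. The following is an added example written for this page (not code from the page or from any SCA product). It validates CVE IDs against the CVE-YYYY-NNNN format with four or more digits and matches a requirements.txt-style dependency list against a small advisory list. All package names, version ranges and CVE IDs in it are constructed placeholders, not real vulnerability records, and the version comparison is deliberately simplified (real tools use PEP 440 or semver parsers).

```python
"""Toy software-composition-analysis (SCA) check keyed by CVE IDs.

Added example, not from the page: validates CVE identifiers against the
CVE-YYYY-NNNN format (four or more digits) and matches a requirements.txt-style
dependency list against a small, constructed advisory list.
"""
import re
from dataclasses import dataclass
from typing import Optional

# CVE IDs: "CVE-" + 4-digit year + 4 or more digits. IDs are case-insensitive
# in practice, so normalize to upper case before matching.
_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(text: str) -> Optional[tuple]:
    """Return (year, sequence) for a well-formed CVE ID, else None."""
    m = _CVE_RE.match(text.strip().upper())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def parse_version(v: str) -> tuple:
    """Turn '1.26.5' into (1, 26, 5); non-numeric parts count as 0.
    Simplified on purpose; real tools use PEP 440 / semver parsers."""
    parts = []
    for p in v.split("."):
        digits = re.match(r"\d+", p)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    package: str
    cve_id: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive); "" = no fix yet

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed == "" or v < parse_version(self.fixed)


# Constructed advisory data for the demo. Package names, version ranges and
# CVE IDs are placeholders, NOT real vulnerability records.
ADVISORIES = [
    Advisory("examplelib", "CVE-2024-0001", "1.0.0", "1.2.3"),
    Advisory("otherpkg", "CVE-2023-123456", "2.0.0", ""),
    Advisory("otherpkg", "cve-2021-9999", "0.1.0", "1.5.0"),  # lowercase on purpose
    Advisory("otherpkg", "CVE-2021-99", "0.1.0", ""),         # malformed: too short
]

# Constructed requirements.txt-style input.
REQUIREMENTS = """\
examplelib==1.2.2
otherpkg==2.4.0
safepkg==3.1.0
# comment lines and blanks are ignored

"""


def parse_requirements(text: str) -> dict:
    """Minimal 'name==version' parser; ignores comments and blank lines."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(requirements: str, advisories: list) -> list:
    """Return sorted (package, version, CVE-ID) triples for matching advisories.
    Advisories carrying a malformed CVE ID are skipped rather than reported, so
    bad data in the feed cannot masquerade as a finding."""
    deps = parse_requirements(requirements)
    findings = []
    for adv in advisories:
        if parse_cve_id(adv.cve_id) is None:
            continue
        version = deps.get(adv.package.lower())
        if version is not None and adv.affects(version):
            findings.append((adv.package, version, adv.cve_id.upper()))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, ver, cve in find_vulnerable(REQUIREMENTS, ADVISORIES):
        print(f"{pkg}=={ver} is affected by {cve}")
```

Note that the unfixed advisory still matches (an open upper bound is "every version from `introduced` onward"), while the advisory whose fix predates the installed version does not; both are common sources of false positives and negatives in homegrown SCA scripts.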
Criteria for Inclusion
To qualify for inclusion in the CVE list, a vulnerability must meet specific criteria:
– Independently fixable: the flaw can be fixed on its own, without also fixing other issues.
– Acknowledged or documented: the affected vendor acknowledges that the flaw has a negative security impact, or the reporter has shared a report that demonstrates it.
– One codebase: a flaw gets one CVE per affected codebase. A bug that affects several products because they share a library or codebase is one CVE; the same kind of bug independently present in separate codebases gets separate CVEs[2][4].
Importance of CVE
CVE plays a critical role in cybersecurity by:
– Facilitating Communication: It allows IT professionals to coordinate their efforts effectively by referencing standardized CVE IDs when discussing vulnerabilities.
– Enhancing Security Management: Organizations can prioritize vulnerabilities based on their severity and impact, enabling timely responses to potential threats[1][5].
– Supporting Risk Management: Security tools and advisories often reference CVEs, helping organizations automate vulnerability detection and improve incident response practices[3][4].
Conclusion
The Common Vulnerabilities and Exposures system is essential for maintaining cybersecurity standards. By providing a structured approach to identifying and communicating about vulnerabilities, CVE enhances collaboration among security professionals, ultimately contributing to more secure digital environments.
Citations:
[1] https://www.lacework.com/cloud-security-fundamentals/what-is-cve
[2] https://www.redhat.com/en/topics/security/what-is-cve
[3] https://www.techtarget.com/searchsecurity/definition/Common-Vulnerabilities-and-Exposures-CVE
[4] https://www.appknox.com/cyber-security-jargons/common-vulnerability-exposure-cve
[5] https://www.upguard.com/blog/cve
[6] https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
The CVE Program is operated by the MITRE Corporation and sponsored by the U.S. Department of Homeland Security through CISA. CVE IDs are assigned by CVE Numbering Authorities (CNAs), which include MITRE itself as well as many software vendors, open-source projects and researchers, and the resulting list is publicly accessible to anyone[1][2].
Key Sources for CVE Information
- MITRE CVE Database: the CVE Program's own site (cve.org, formerly cve.mitre.org) is the authoritative record of assigned IDs and their descriptions, and can be searched directly[1].
- National Vulnerability Database (NVD): managed by the National Institute of Standards and Technology (NIST), the NVD enriches CVE entries with CVSS severity scores, CWE weakness classifications, CPE product identifiers, and references to patches and advisories[2][5].
- CVE Details: a third-party website that aggregates CVE data with related exploits, tools and advisories for each vulnerability, which makes it a convenient browsing resource for security professionals[4].
- Vendor-specific Databases: Many software vendors maintain their own lists of vulnerabilities, often based on CVE entries. These can provide tailored information relevant to specific products (e.g., Microsoft, Oracle)[5].
These resources collectively ensure that CVE information is widely available and easily accessible for those looking to understand and mitigate security vulnerabilities.
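The NVD enrichment above (CVSS scores, vector strings, patch references) is what lets an organization prioritize vulnerabilities by severity, as the earlier "Importance of CVE" section describes. The following is an added example written for this page, not code from the page or from NIST. It reads an NVD-style JSON document, pulls out the score, severity, CVSS vector and patch links for each entry, flags entries that are network-reachable without authentication, and ranks them with the highest score first. The JSON shape follows the NVD API 2.0 response as this author understands it (vulnerabilities[].cve.metrics.cvssMetricV31[].cvssData); every CVE ID, score, description and URL in the sample is a constructed placeholder.

```python
"""Reading NVD-style enrichment (CVSS score, vector, patch references) and
ranking CVEs by severity.

Added example, not from the page. The JSON shape follows the NVD API 2.0
response as this author understands it; all CVE IDs, scores, descriptions
and URLs below are constructed placeholders.
"""
import json
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_NVD_JSON = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-2024-0001",
            "descriptions": [{"lang": "en", "value": "Placeholder: remote code execution."}],
            "metrics": {"cvssMetricV31": [{"cvssData": {
                "baseScore": 9.8, "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]},
            "references": [
                {"url": "https://vendor.example/advisory/1", "tags": ["Vendor Advisory", "Patch"]},
                {"url": "https://tracker.example/issue/1", "tags": ["Issue Tracking"]}],
        }},
        {"cve": {
            "id": "CVE-2024-0002",
            "descriptions": [{"lang": "en", "value": "Placeholder: local information disclosure."}],
            "metrics": {"cvssMetricV31": [{"cvssData": {
                "baseScore": 5.5, "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}]},
            "references": [],
        }},
        {"cve": {
            # Freshly published entries may carry no metrics yet ("Awaiting Analysis").
            "id": "CVE-2024-0003",
            "descriptions": [{"lang": "en", "value": "Placeholder: not yet analyzed."}],
            "references": [],
        }},
    ]
})


@dataclass
class CveSummary:
    cve_id: str
    score: Optional[float]
    severity: str
    vector: dict = field(default_factory=dict)
    patch_urls: list = field(default_factory=list)

    @property
    def network_unauthenticated(self) -> bool:
        """AV:N plus PR:N: reachable over the network without credentials."""
        return self.vector.get("AV") == "N" and self.vector.get("PR") == "N"


def parse_vector(vector: str) -> dict:
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    metrics = {}
    for part in vector.split("/")[1:]:  # skip the 'CVSS:3.1' prefix
        key, _, value = part.partition(":")
        metrics[key] = value
    return metrics


def summarize(cve: dict) -> CveSummary:
    """Pull score, severity, vector and patch links out of one NVD 'cve' object."""
    v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
    if v31:
        data = v31[0]["cvssData"]
        score, severity = float(data["baseScore"]), data["baseSeverity"]
        vector = parse_vector(data["vectorString"])
    else:
        score, severity, vector = None, "UNSCORED", {}
    patches = [r["url"] for r in cve.get("references", []) if "Patch" in r.get("tags", [])]
    return CveSummary(cve["id"], score, severity, vector, patches)


def prioritize(nvd_json: str) -> list:
    """Highest score first. Unscored entries sort last but are kept, because
    'no score yet' is not the same as 'low risk'."""
    items = [summarize(v["cve"]) for v in json.loads(nvd_json)["vulnerabilities"]]
    return sorted(items, key=lambda s: (s.score is None, -(s.score or 0.0)))


if __name__ == "__main__":
    for s in prioritize(SAMPLE_NVD_JSON):
        flag = " [network, no auth]" if s.network_unauthenticated else ""
        print(f"{s.cve_id}: {s.severity} ({s.score}){flag} patches={s.patch_urls}")
```

Keeping unscored entries in the list matters in practice: an entry without metrics is usually one the NVD has not analyzed yet, and dropping it from a triage report would silently hide the newest vulnerabilities.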
Citations:
[1] https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
[2] https://nvd.nist.gov/general/cve-process
[3] https://www.reddit.com/r/cybersecurity/comments/waes7m/where_to_get_cve_information/
[4] https://www.cvedetails.com
[5] https://www.redhat.com/en/topics/security/what-is-cve
OWASP
The Open Web Application Security Project (OWASP), renamed the Open Worldwide Application Security Project in 2023 while keeping the acronym, is a nonprofit organization dedicated to improving the security of software applications. Founded in 2001, OWASP provides resources, tools, and knowledge aimed at helping organizations develop, acquire, and maintain secure software.
Key Features of OWASP
- Community-driven: OWASP operates as an open community where anyone can participate in projects, discussions, and events. This collaborative approach fosters innovation and shared knowledge among security professionals and developers.
- Free Resources: All materials produced by OWASP, including documentation, tools, and educational content, are freely available. This accessibility ensures that organizations of all sizes can benefit from OWASP’s insights and recommendations.
- OWASP Top 10: One of the most recognized initiatives is the OWASP Top 10, a regularly updated report that outlines the ten most critical security risks facing web applications. This document serves as an awareness tool for developers and organizations to understand and mitigate common vulnerabilities.
- Global Reach: With over 250 local chapters worldwide and tens of thousands of members, OWASP has established a significant presence in the cybersecurity community. It hosts conferences and events that promote education and collaboration on application security topics.
Mission and Vision
OWASP’s mission is to be a global community that empowers organizations to create secure software through education, tools, and collaboration. Its vision is to eliminate insecure software by promoting best practices in application development and security.
In summary, OWASP plays a crucial role in enhancing software security by providing valuable resources and fostering a community focused on addressing the challenges of web application vulnerabilities.
