SAST // Explained in 180

  • Published: 16 Jul 2024
  • 47% of IT professionals in a survey run by GitLab said they aren't running any sort of SAST (Static Application Security Testing), but that's a major change from 2 years prior when it was 60%. What is SAST in the first place and is it really that important/useful anyway? Find out in this Explained in 180 seconds episode, where we take a look at an open-source SAST tool that can help you find vulnerabilities or other security issues in your code while you're still writing it, and way before you push to production. This can help you figure out whether SAST makes sense for you and your application, and if it does, how you can embed it into your DevSecOps lifecycle. Let's write more secure code 🙌
    ❤️ Special thanks to Bearer for supporting the channel by sponsoring this video which helps me create more content.
    - Check out their open-source scanner here: github.com/Bearer/bearer
    - Schedule a demo to learn how you can use Bearer to ship secure products:
    www.bearer.com/demo
    💬 Chat with me on Discord
    cybr.com/discord
    🔗 Resources
    - GitLab DevSecOps Survey: about.gitlab.com/developer-su...
    - Bearer open-source tool: github.com/Bearer/bearer
    - RailsGoat: github.com/OWASP/railsgoat
    - OWASP Juice Shop: github.com/juice-shop/juice-shop
    👨‍🎓 My relevant courses:
    - DevSecOps Fundamentals: cybr.com/courses/devsecops-fu...
    - Introduction to Application Security: cybr.com/courses/introduction...
    - Introduction to AWS Security: cybr.com/courses/introduction...
    #cybersecurity #applicationsecurity #appsec #softwaredevelopment #cybersecuritytools #softwaredevelopers #appsecurity #devsecops #codesecurity #code

Comments • 5

  • @heath202
@heath202 8 months ago +2

Really digging the content you are putting out. Keep up the great work! Are there any other SAST tools you have had experience with that you would recommend taking a look at (or avoiding)?

    • @Cybrcom
@Cybrcom 8 months ago +1

Appreciate your comment! It depends on what languages/frameworks you're primarily developing in and some other requirements (like speed, the stage you want to plug it into, etc.), so I'm hesitant to make recommendations without knowing those details. I would honestly just do a quick search, write down the names that keep popping up, then dive into each to see whether it fits your needs or not, and give them a test.

  • @fytubevw
@fytubevw 6 months ago +1

Looking back a bit, as a sort of ad-hoc retro learning session: which of the following major vulnerabilities could have been detected and prevented (patched before shipping) by scanning source code?
1. Heartbleed - a bug in a protocol field's length checking - basically a buffer overflow, leading to spilling the contents of server RAM
2. Intel ME's zero-length password bug, which, as I understood it, was basically a programmer error of mixing up two pointers and choosing the wrong one. So any zero-length password would pass as a legitimate password; instead of the strcmp() type of comparison, the function should have used the length of the already-set password for the comparison
3. The Mariner 1 space probe's carrier rocket explosion, because of a failure in its guidance software, which was coded in Fortran. Year 1962
4. More examples?

  • @fytubevw
@fytubevw 6 months ago

Jumping into a PHP scanner, my first reaction was: whoa!! So many warnings and omissions. However, there's usually also a certain logic to patching those up quickly, and at best even systematically. Once you're in the cycle of regularly running a scanner, it becomes a habit you simply wouldn't live without.

    • @Cybrcom
@Cybrcom 6 months ago +1

Yep, very fair point. A common reason given for not using SAST scanning is that it produces so many results, and a lot of them will probably end up being noise. If you don't go back through and tweak the settings, and it just keeps spitting out those noisy results, you end up ignoring the scan results altogether, and then it's pretty much useless. It's not the type of tool you just plug in and run... it requires time to get it right.
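To make the two points in this thread concrete (a scanner flagging risky code as you write it, per the video description, and the noise-tuning problem discussed in the replies), here is an added example of a toy SAST scanner written for this page. It is not code from the video, from Bearer, or from any of the linked projects. It uses Python's standard `ast` module to run three hypothetical rules (dangerous `eval`/`exec`, `subprocess` calls with `shell=True`, and string constants assigned to password-like names), honours an inline `sast-ignore` comment, and supports a baseline of accepted finding fingerprints so that only new findings surface on later runs. The sample module it scans, the rule names and the `sast-ignore` marker are all constructed for the example.

```python
"""Toy SAST scanner: AST rules, inline suppression, and a baseline of accepted findings."""
import ast
import hashlib

# Constructed sample input (not from the video or Bearer): one finding suppressed by an
# inline comment, one that a team might accept into a baseline, and one genuinely new.
SAMPLE_SOURCE = '''\
import subprocess

DB_PASSWORD = "hunter2"  # sast-ignore: local test fixture only

def run(cmd):
    return subprocess.call(cmd, shell=True)

def calc(expr):
    return eval(expr)
'''

SUPPRESS_MARK = "sast-ignore"  # hypothetical inline suppression marker


def _is_call_to(node, names):
    """True when the Call node targets a bare name or an attribute whose final name is in `names`."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id in names
    if isinstance(func, ast.Attribute):
        return func.attr in names
    return False


def _rule_eval(node):
    if isinstance(node, ast.Call) and _is_call_to(node, {"eval", "exec"}):
        return "dangerous-eval"
    return None


def _rule_shell_true(node):
    if isinstance(node, ast.Call) and _is_call_to(node, {"call", "run", "Popen", "check_output"}):
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                return "subprocess-shell-true"
    return None


def _rule_hardcoded_secret(node):
    if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
        for target in node.targets:
            if isinstance(target, ast.Name) and any(k in target.id.lower() for k in ("password", "secret", "token")):
                return "hardcoded-secret"
    return None


RULES = (_rule_eval, _rule_shell_true, _rule_hardcoded_secret)


def fingerprint(rule_id, line_text):
    """Stable id for a finding: rule plus the stripped source line, so it survives line shifts."""
    return hashlib.sha256(f"{rule_id}|{line_text.strip()}".encode()).hexdigest()[:16]


def scan(source, baseline=frozenset()):
    """Return (active, suppressed) lists of (rule_id, lineno, fingerprint), sorted by line."""
    lines = source.splitlines()
    active, suppressed = [], []
    for node in ast.walk(ast.parse(source)):
        for rule in RULES:
            rule_id = rule(node)
            if rule_id is None:
                continue
            line_text = lines[node.lineno - 1]
            fp = fingerprint(rule_id, line_text)
            finding = (rule_id, node.lineno, fp)
            # Inline marker or an accepted baseline entry moves the finding out of the active list
            # instead of dropping it, so suppressed results stay auditable.
            if SUPPRESS_MARK in line_text or fp in baseline:
                suppressed.append(finding)
            else:
                active.append(finding)
    active.sort(key=lambda f: f[1])
    suppressed.sort(key=lambda f: f[1])
    return active, suppressed


def demo():
    """First run: everything not inline-suppressed is active. Second run: the shell=True finding
    has been reviewed and accepted into the baseline, so only the eval finding remains."""
    first_active, _ = scan(SAMPLE_SOURCE)
    baseline = frozenset(fp for rule_id, _, fp in first_active if rule_id == "subprocess-shell-true")
    second_active, second_suppressed = scan(SAMPLE_SOURCE, baseline)
    return first_active, second_active, second_suppressed


if __name__ == "__main__":
    for label, findings in zip(("first run", "second run", "suppressed"), demo()):
        print(label, [(r, n) for r, n, _ in findings])
```

The design point is the one made in the reply: suppression is explicit and reviewable (an inline marker with a reason, or a baseline keyed on content rather than line number), so tuning the scanner is a deliberate step rather than silently ignoring its output.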