Vulnerability Scanning

Static Application Security Testing (SAST)

SAST Overview

SAST analyzes source code, bytecode, or binaries without executing the application to identify security vulnerabilities.

SAST Techniques

• Pattern Matching: Match code against known vulnerability patterns
• Data Flow Analysis: Track data flow through the application to identify tainted data
• Control Flow Analysis: Analyze execution paths to identify potential issues
• Taint Analysis: Track user input through the application to identify injection points
• Semantic Analysis: Understand code semantics to identify complex vulnerabilities

Common SAST Vulnerabilities

• Injection Flaws: SQL injection, command injection, LDAP injection
• Cross-Site Scripting (XSS): Reflected, stored, and DOM-based XSS
• Authentication Issues: Weak authentication, session management flaws
• Authorization Issues: Broken access controls, privilege escalation
• Cryptographic Issues: Weak algorithms, improper key management
• Input Validation: Missing or insufficient input validation
• Error Handling: Information leakage through error messages

SAST Tools

• SonarQube: Code quality and security analysis with extensive rule sets
• Checkmarx: Enterprise SAST solution with deep code analysis
• Fortify Static Code Analyzer: Comprehensive SAST from Micro Focus
• Semgrep: Fast, open-source static analysis with custom rules
• CodeQL: Semantic code analysis from GitHub
• Bandit: Python security linter
• ESLint: JavaScript security plugins (eslint-plugin-security)
• SpotBugs: Java static analysis with security rules

Dynamic Application Security Testing (DAST)

DAST Overview

DAST analyzes running applications to identify security vulnerabilities through external testing.

DAST Techniques

• Crawling and Spidering: Discover application endpoints and functionality
• Fuzzing: Send malformed or unexpected input to identify vulnerabilities
• Authentication Testing: Test authentication mechanisms for weaknesses
• Session Management: Analyze session handling for security issues
• Input Validation: Test input fields for injection vulnerabilities
• Business Logic: Test business logic flaws and authorization bypasses

Common DAST Vulnerabilities

• Injection Attacks: SQL injection, command injection, XSS
• Authentication Flaws: Weak passwords, session fixation
• Authorization Issues: IDOR, privilege escalation
• Session Management: Session hijacking, fixation
• Cryptographic Issues: Weak SSL/TLS, insecure cookies
• Information Disclosure: Sensitive data in responses, error messages

DAST Tools

• OWASP ZAP: Free, open-source web application security scanner
• Burp Suite: Comprehensive web security testing platform
• AppScan: Enterprise DAST solution from IBM
• Nessus: Vulnerability scanner with web application testing
• Arachni: Open-source web application security scanner
• SQLMap: Automated SQL injection tool
• Nikto: Web server scanner

Software Composition Analysis (SCA)

SCA Overview

SCA identifies and analyzes third-party components and dependencies for known vulnerabilities.

SCA Techniques

• Dependency Analysis: Identify all direct and transitive dependencies
• Vulnerability Matching: Match dependencies against vulnerability databases
• License Compliance: Check for license compliance issues
• Version Analysis: Track dependency versions and updates
• Risk Scoring: Assess risk based on vulnerability severity and usage

SCA Vulnerability Databases

• NVD (National Vulnerability Database): US government vulnerability database
• CVE (Common Vulnerabilities and Exposures): Standardized vulnerability identifiers
• GitHub Advisory Database: GitHub's vulnerability database
• Snyk Vulnerability Database: Snyk's curated vulnerability database
• OSS Index: Sonatype's open-source vulnerability database

SCA Tools

• Snyk: Developer-first security platform with SCA, SAST, and container scanning
• Trivy: Comprehensive vulnerability scanner for containers, files, and dependencies
• Dependabot: GitHub's automated dependency updates and vulnerability alerts
• WhiteSource: Enterprise SCA with comprehensive vulnerability database
• Black Duck: Enterprise SCA with license compliance
• OWASP Dependency-Check: Open-source SCA tool
• npm audit: Node.js package manager's built-in SCA
• pip-audit: Python package manager's security audit tool

Container Security Scanning

Container Vulnerabilities

• Base Image Vulnerabilities: Vulnerabilities in the base OS image
• Application Dependencies: Vulnerabilities in application dependencies
• Configuration Issues: Insecure container configurations
• Secrets in Images: Hardcoded secrets or credentials
• Outdated Packages: Outdated packages with known vulnerabilities

Container Scanning Tools

• Trivy: Comprehensive vulnerability scanner for containers
• Clair: Open-source vulnerability static analysis for containers
• Anchore: Container inspection and vulnerability analysis
• Aqua Security: Enterprise container security platform
• Twistlock: Container security from Prisma Cloud
• Docker Scout: Docker's built-in vulnerability scanner
• Grype: Vulnerability scanner for container images

Container Security Best Practices

• Use Minimal Base Images: Use minimal base images like Alpine or distroless
• Scan Images: Scan images at build time and runtime
• Patch Regularly: Keep base images and dependencies updated
• Scan Dependencies: Include SCA for application dependencies
• Run as Non-Root: Run containers as non-root users
• Read-Only Filesystems: Use read-only filesystems where possible
• Resource Limits: Set resource limits to prevent DoS

Dependency Vulnerability Management

Dependency Management Strategies

• Regular Updates: Regularly update dependencies to latest secure versions
• Automated Scanning: Integrate SCA into CI/CD pipelines
• Vulnerability Alerts: Set up alerts for new vulnerabilities
• Version Pinning: Pin specific versions to prevent unexpected updates
• Lock Files: Use lock files to ensure reproducible builds
• Supply Chain Security: Verify package integrity and provenance

SBOM (Software Bill of Materials)

• What is SBOM: Formal inventory of software components and dependencies
• SBOM Formats: SPDX, CycloneDX, SWID tags
• SBOM Benefits: Vulnerability tracking, license compliance, supply chain security
• SBOM Tools: Syft, Trivy, Microsoft SBOM Tool, CycloneDX tools

Supply Chain Security

• Package Integrity: Verify package signatures and checksums
• Provenance: Track package origin and build process
• Signed Artifacts: Use signed packages and container images
• Dependency Pinning: Pin to specific verified versions
• Private Registries: Use private registries for sensitive packages
• Reproducible Builds: Ensure builds are reproducible and verifiable

Common Vulnerability Tools

Snyk

• Features: SCA, SAST, container scanning, IaC scanning
• Integration: CI/CD, IDEs, package managers, registries
• Languages: JavaScript, Python, Java, Go, Ruby, PHP, .NET
• Use Cases: Developer-first security, automated scanning, remediation

Trivy

• Features: Container scanning, file scanning, dependency scanning
• Integration: CI/CD, container registries, Kubernetes
• Languages: Supports multiple languages and package managers
• Use Cases: DevSecOps, container security, infrastructure scanning

OWASP ZAP

• Features: Automated and manual web application security testing
• Integration: CI/CD, browsers, proxies
• Capabilities: Spidering, scanning, fuzzing, authentication testing
• Use Cases: DAST, web application security, penetration testing

SonarQube

• Features: Code quality, security analysis, technical debt tracking
• Integration: CI/CD, IDEs, build tools
• Languages: 25+ programming languages
• Use Cases: Code quality, security, technical debt management

Grype

• Features: Container image and filesystem vulnerability scanning
• Integration: CI/CD, container registries
• Vulnerability Database: Uses Grype vulnerability database
• Use Cases: Container security, DevSecOps pipelines

Vulnerability Scanning Best Practices

Scanning Strategy

• Shift Left: Scan early and often in the development lifecycle
• Automate: Integrate scanning into CI/CD pipelines
• Multiple Tools: Use multiple tools for comprehensive coverage
• Regular Scans: Schedule regular scans for production systems
• False Positive Management: Establish process for managing false positives
• Prioritization: Prioritize vulnerabilities based on risk and exploitability

Remediation Process

• Triage: Categorize vulnerabilities by severity and risk
• Prioritize: Prioritize based on CVSS score, exploitability, and business impact
• Remediate: Fix vulnerabilities or apply mitigations
• Verify: Verify that remediation was successful
• Monitor: Monitor for new vulnerabilities
• Report: Report on vulnerability status and trends