DevSecOps — What Security Controls exist and when to implement them?

  1. Linters
  • Detect errors
  • Detect formatting and styling issues
  • Make the code easier to maintain
  • Suggest best practices

  2. Detecting secrets tool
  • Sensitive data should not be hardcoded
  • Sensitive data should not be unencrypted
  • Sensitive data should not be stored in the source code

  3. Static application security testing (SAST)
  • Detects security vulnerabilities that follow a recognisable pattern
  • Detects secrets
  • High level of false positives

  4. Software Composition Analysis (SCA)
  • What advantage does it give us?
  • We know what dependencies we use
  • We know what vulnerabilities exist in the dependencies we use
  • We can select the dependency versions with fewer vulnerabilities
  • We know if we can fix a vulnerability by updating some dependency to the latest version

  5. Container Security checks
  • Is the OS out of date?
  • Does the container contain vulnerable open-source libs (focus on critical and high)?
  • What about the file system permissions?
  • Are there open ports?
  • Detect incorrectly configured containers
  • Detect an out-of-date operating system
  • Detect vulnerable libraries

  6. Dynamic Application Security Testing (DAST)
  • Detect some common vulnerabilities
  • Detect some known misconfigurations
  • Detect some vulnerable software/components used
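To make the "detecting secrets tool" control concrete, here is an added example (not code from the article or from any particular scanner) of the three kinds of rule such tools typically combine: a provider-specific key pattern, a credential-like variable assigned a string literal, and a high-entropy string. The sample source text and the rule names are constructed for this example; the AWS key is the public placeholder from AWS documentation, and the checksum hit on line 4 illustrates the false-positive problem the article mentions, which is why real tools keep a baseline or allowlist.

```python
import math
import re

# Constructed sample source file for this example (not from any real project).
# The AWS key is the public placeholder from AWS documentation.
SAMPLE_SOURCE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2"
api_token = os.environ["API_TOKEN"]
checksum = "3f786850e387550fdab836ed7e6dc881de23001b"
greeting = "hello world"
"""

# Rule 1: provider-specific key formats have a fixed, recognisable shape.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]
# Rule 2: a credential-like variable assigned a string literal. An env-var
# lookup on the right-hand side is the correct pattern and is not flagged.
ASSIGNMENT_RULE = re.compile(
    r"(?i)\b\w*(password|passwd|secret|token|api_?key)\w*\s*=\s*[\"'][^\"']+[\"']"
)
# Rule 3: any long string literal with high Shannon entropy. This catches
# random-looking tokens but also hashes and checksums (false positives).
STRING_LITERAL = re.compile(r"[\"']([^\"']{20,})[\"']")
ENTROPY_THRESHOLD = 3.5  # bits per character; tuned per codebase (assumed value)

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_line(line: str):
    """Return the name of the first rule that matches the line, or None."""
    for name, pattern in PATTERN_RULES:
        if pattern.search(line):
            return name
    if ASSIGNMENT_RULE.search(line):
        return "credential-assignment"
    m = STRING_LITERAL.search(line)
    if m and shannon_entropy(m.group(1)) > ENTROPY_THRESHOLD:
        return "high-entropy-string"
    return None

def scan_source(source: str):
    """Return (line_number, rule, line) for every flagged line in source."""
    return [(i, rule, line) for i, line in enumerate(source.splitlines(), 1)
            if (rule := scan_line(line))]

if __name__ == "__main__":
    for lineno, rule, line in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {line}")
```

In a pipeline this runs as a pre-commit hook or an early CI stage that fails the build on any unreviewed finding.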

YevhSec1
MSc in Cyber Security, OSCP, eWPTXv2, CEH Master. Awarded by Apple, Trello, Kraken... Connect: https://www.linkedin.com/in/yevhenii-molchanov-aa565210b/