[{"data":1,"prerenderedAt":580},["Reactive",2],{"$PslAyef5YX":3},{"data":4,"headers":552,"perPage":578,"total":579},{"stories":5,"cv":549,"rels":550,"links":551},[6,40,63,87,112,134,157,179,201,226,251,275,301,323,346,367,388,407,425,443,466,485,515,530],{"name":7,"created_at":8,"published_at":9,"id":10,"uuid":11,"content":12,"slug":27,"full_slug":28,"sort_by_date":29,"position":30,"tag_list":31,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":36,"first_published_at":37,"release_id":29,"lang":38,"path":29,"alternates":39,"default_full_slug":29,"translated_slugs":29},"Running DAST in CI/CD for Regression Testing","2024-01-09T04:58:08.193Z","2024-01-23T11:58:57.944Z",425143175,"2dab046c-e4a0-4f49-8a82-f36b0826cb44",{"_uid":13,"image":14,"title":7,"author":23,"details":24,"component":25,"meta_description":26},"94f6113c-c8d9-43a0-a327-84234ef44b1d",{"id":15,"alt":16,"name":17,"focus":17,"title":17,"source":17,"filename":18,"copyright":19,"fieldtype":20,"meta_data":21,"is_private":17,"is_external_url":22},13680902,"Illustration showing a large loupe taking a close look at a system of pipes that are on top of an opened laptop.","","https://a.storyblok.com/f/168460/1500x1500/247e7a0cad/dast-tool-integration-with-pipelines.jpg","Copyright 2024 by Kondukto Inc. All rights reserved.","asset",{},false,"Andreas Wiese","In the fast-paced field of software development, ensuring applications remain functional and secure through updates is essential. Regression testing, which checks that new code doesn't harm existing features, is key. Dynamic Application Security Testing (DAST) tools play a crucial role here. They identify security flaws in active web applications. 
This article explores the importance of DAST tools, their integration, and their enhancement in regression testing.\n\n## **Understanding DAST Tools**\n\n![](https://a.storyblok.com/f/168460/1702x948/0a8c3d3866/dast-integration-in-regression-testing.png)\n\nDAST tools are specialized software that test an application from the outside. They simulate external attacks on a web application, identifying security flaws such as cross-site scripting, SQL injection and other vulnerabilities that attackers could exploit. \n\nOne of the benefits of DAST tools is their ability to analyze applications in their running state, just as an attacker would. This approach offers a realistic assessment of security vulnerabilities in real-world conditions.\n\nUnlike Static Application Security Testing (SAST) tools, which analyze source code, DAST tools like the open-source [ZAP](https://www.zaproxy.org/) and [Invicti](https://www.invicti.com/) do not require access to the source code. This distinction makes DAST tools helpful in testing third-party applications or services where source code access is unavailable. Moreover, they are often easier to use and can be implemented without a deep understanding of the application’s internal workings.\n\nThe following Python script demonstrates how to set up an authenticated scan with OWASP ZAP. 
It involves creating a context, configuring authentication (form-based in this example), setting up a user, and then running both the spider and active scan as that user:\n\n~~~\nfrom zapv2 import ZAPv2\nimport time\n\n# Configuration (placeholders: point these at your target, ZAP API key and ZAP proxy)\ntarget = 'http://example.com'\napi_key = 'your-api-key'\nzap_proxy = 'http://127.0.0.1:8080'\n\n# Connect to the OWASP ZAP API; the key given here is sent with every call,\n# so it does not need to be repeated on each request below\nzap = ZAPv2(apikey=api_key, proxies={'http': zap_proxy, 'https': zap_proxy})\n\n# Configure context and form-based authentication\ncontext_name = 'exampleContext'\ncontext_id = zap.context.new_context(context_name)\nzap.context.include_in_context(context_name, target + '.*')\nzap.authentication.set_authentication_method(\n    context_id, 'formBasedAuthentication',\n    'loginUrl=' + target + '/login&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D')\n# Regexes ZAP uses to tell logged-in from logged-out responses (placeholders)\nzap.authentication.set_logged_in_indicator(context_id, 'Logout')\nzap.authentication.set_logged_out_indicator(context_id, 'Login')\n\n# Set up a user with credentials (placeholders)\nuser_id = zap.users.new_user(context_id, 'testUser')\nzap.users.set_authentication_credentials(context_id, user_id, 'username=test&password=secret')\nzap.users.set_user_enabled(context_id, user_id, True)\n\n# Spider as the user, then run the active scan as the same user\nscan_id = zap.spider.scan_as_user(context_id, user_id, target, recurse=True)\nwhile int(zap.spider.status(scan_id)) \u003C 100:\n    time.sleep(2)\nscan_id = zap.ascan.scan_as_user(context_id, user_id, target, recurse=True)\nwhile int(zap.ascan.status(scan_id)) \u003C 100:\n    time.sleep(5)\n\n# Summarize findings; the list can be used to fail the pipeline stage on high-risk alerts\nalerts = zap.core.alerts(baseurl=target)\nprint(len(alerts), 'alerts found')\n~~~\n\n## **The Role of Regression Testing**\n\n![A 4 element schematic that illustrates the advantages of DAST in regression testing: Real World Testing, No Source Code Needed, Vulnerability Detection, Complementary Testing](https://a.storyblok.com/f/168460/1702x948/14bfc259c0/advantages-of-dast-in-regression-testing.png)\n\nRegression testing is 
integral to maintaining software quality and reliability. It involves re-running [functional](https://en.wikipedia.org/wiki/Functional_testing) and [non-functional tests](https://en.wikipedia.org/wiki/Non-functional_testing) to ensure that previously developed and tested software still performs as expected after a change. \n\nWhether the change is a bug fix, a new feature, or a code enhancement, regression testing helps confirm that the new code has not introduced new faults or caused regression of existing functionality.\n\nIn the fast-paced environment of continuous integration and continuous deployment (CI/CD), regression testing ensures that new code integrations do not break or degrade the application. This testing is not just about finding bugs. It's about verifying that the application continues to meet its requirements and function as expected.\n\n## **Integrating DAST Tools into Regression Testing**\n\nImplementing Dynamic Application Security Testing (DAST) tools effectively in regression testing is important for identifying security vulnerabilities in web applications. 
The key lies in integrating these tools into the testing process, for example:\n\n- **Incorporate DAST Early in the Development Cycle:** Integrate DAST tools early and throughout the development lifecycle to catch vulnerabilities as soon as possible.\n- **Automate DAST in CI/CD Pipelines:** Include DAST scans in Continuous Integration/Continuous Deployment (CI/CD) pipelines to automatically test new code commits for vulnerabilities.\n- **Contextualize DAST Findings with Regression Tests:** Use DAST tool findings to inform and refine regression testing strategies, focusing on areas where changes are most likely to introduce vulnerabilities.\n- **Feed DAST with Manual Findings:** New DAST tools provide an easy way to import manual findings, such as pentest results or red team efforts, alongside scan results to enhance the overall assessment.\n\nBy following these best practices, organizations can effectively leverage DAST tools in regression testing, enhancing the security and robustness of their web applications.\n\n## **DAST Tool Mechanics**\n\n![Illustration that shows the 4 steps of DAST tools: External Simulation, Vulnerability Scanning, Response Analysis, Reporting](https://a.storyblok.com/f/168460/1702x948/259b74c773/the-mechanics-of-dast-tools.png)\n\nDAST tools operate by simulating an external attacker trying to breach the application. They typically perform automated black-box testing, meaning they cannot access the source code or the application's internal structure. \n\nThese tools scan for a wide range of vulnerabilities, including but not limited to input validation errors, broken authentication mechanisms, and misconfigured security settings.\n\nThe algorithms used by individual DAST tools vary but generally involve sending a series of malicious inputs to the application and observing the response. If the application reacts unexpectedly or insecurely, the tool flags it as a potential vulnerability. 
This method allows DAST tools to identify weaknesses that might not be visible in the source code.\n\n## Optimizing Testing with DAST Tools\n\n![Illustration providing details about the 6 components of best practices in DAST and regression testing: Automate Testing, Regular Updates, Team Collaboration, Reduce False Positives, CI/CD Integration, Prioritize Vulnerabilities.](https://a.storyblok.com/f/168460/1702x948/7f41259a52/best-practices-for-dast-in-regression-testing.png)\n\nEffective optimization strategies include regular and comprehensive scanning schedules, integrating DAST tools into the CI/CD pipeline for automated scanning, and continuously updating the tool’s knowledge base to recognize the latest vulnerabilities and attack patterns.\n\nAnother crucial aspect is to minimize false positives – incorrect identifications of vulnerabilities. This can be achieved by fine-tuning the tool’s settings and regularly updating its rules and signatures based on the application’s evolving landscape. Collaborative efforts between security and development teams can also enhance the effectiveness of DAST tools, ensuring that findings are accurately interpreted and addressed promptly.\n\n## Enhancing DAST and Regression Testing with Security Orchestration\n\nIn the context of DAST and regression testing, security orchestration can streamline the testing process, making it more efficient and effective. By coordinating different security tools, orchestration platforms can provide a more comprehensive view of an application’s security posture.\n\nImplementing security orchestration in regression testing involves integrating DAST tools with other security solutions like SAST or vulnerability scanners. This includes converting their findings into a common format and retesting them in the pipeline. Using orchestration then enables powerful automation workflows across different tools and app-specific risk scoring. It ensures that known vulnerabilities are not pushed to production. 
\n\nThe Kondukto Application Security Orchestration and Posture Management platform allows best-of-breed DAST solutions, like [Veracode](https://www.veracode.com/products/dynamic-analysis-dast) or Invicti, to re-test vulnerabilities and uses the results in the CI/CD pipelines. For example, here is how you would do this with Kondukto’s open-source CLI tool `kdt`:\n\n~~~\n# Trigger a \"re-test\" scan in Invicti to confirm that the previously reported vulnerabilities have been fixed.\nkdt scan -p $ProjectName -t invicti --scan-params=type:re-test\n~~~\n\n## Conclusion\n\nDAST tools' ability to simulate real-world attacks and identify vulnerabilities in running applications makes them an invaluable asset. Organizations can significantly enhance the security and reliability of their software products by effectively integrating and optimizing these tools within the testing pipeline. As the software development landscape continues to evolve, taking advantage of DAST tools using a security orchestration platform will give you the automation capabilities to keep up.","Blog","Learn how to integrate dynamic application security testing (DAST) into your CI/CD pipeline and shift left with DAST to improve your web app security.","running-dast-in-ci-cd-for-regression-testing","blog/running-dast-in-ci-cd-for-regression-testing",null,-440,[32,33,34],"DAST","DevSecOps","AppSec",176736397,"046978e6-d352-4630-b572-40813845e183","2024-01-23T11:55:19.658Z","default",[],{"name":41,"created_at":42,"published_at":43,"id":44,"uuid":45,"content":46,"slug":55,"full_slug":56,"sort_by_date":29,"position":57,"tag_list":58,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":61,"first_published_at":43,"release_id":29,"lang":38,"path":29,"alternates":62,"default_full_slug":29,"translated_slugs":29},"Why SBOM Matters 
Infographic","2024-01-15T09:51:04.106Z","2024-01-15T10:49:12.005Z",426993246,"2c74f8b8-728f-4951-b31c-c5c768de05c4",{"_uid":47,"image":48,"title":52,"author":23,"details":53,"component":25,"meta_description":54},"5b6a9e0e-add8-45bd-bc72-26e49b89d3fa",{"id":49,"alt":17,"name":17,"focus":17,"title":17,"source":17,"filename":50,"copyright":19,"fieldtype":20,"meta_data":51,"is_private":17,"is_external_url":22},13734918,"https://a.storyblok.com/f/168460/2064x1018/b90de94df4/kondukto_blog_why-sbom-matters-infographic_2024-01-15.jpg",{},"Why SBOM Matters infographic","![The infographic is titled “Why SBOM Matters” by Kondukto. It explains the importance of SBOM for security, compliance, risk assessment, transparency, and facilitating software updates. SBOM stands for Software Bill of Materials, which is a detailed inventory of all software components in a product. It covers component coverage, purpose & benefits, evolution of SBOM. Key components of SBOM include software inventory (version information & vulnerabilities), licensing details (compliance & obligations), relationships between components (dependencies & conflicts). The infographic outlines steps like initial assessment (identify & evaluate assets), tool selection (identify tools & automate processes), training and awareness (educate staff & stakeholders). 
Integration with DevSecOps involves automated SBOM generation, real-time monitoring, policy enforcement for seamless integration and collaboration enhancement.](https://a.storyblok.com/f/168460/2500x6249/65a25451bd/kondukto-why-sbom-matters-infographic.jpg)","\"Why SBOM Matters\" infographic explains the importance of SBOM for security, compliance, risk assessment, transparency and software updates.","why-sbom-matters-infographic","blog/why-sbom-matters-infographic",-460,[59,60],"Supply Chain Security","SBOM","ea78c8c4-fb22-4775-b4c6-cebd51bf226f",[],{"name":64,"created_at":65,"published_at":66,"id":67,"uuid":68,"content":69,"slug":80,"full_slug":81,"sort_by_date":29,"position":82,"tag_list":83,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":85,"first_published_at":66,"release_id":29,"lang":38,"path":29,"alternates":86,"default_full_slug":29,"translated_slugs":29},"Create SBOM on Gradle with the CycloneDx Plugin","2024-01-10T13:16:40.272Z","2024-01-10T13:57:37.127Z",425690886,"4f4b3b59-0fc8-4f35-b30c-06a2b6c7fa9f",{"_uid":70,"image":71,"title":76,"author":77,"details":78,"component":25,"meta_description":79},"c0856588-66ab-490a-a545-c8e44108cdcd",{"id":72,"alt":73,"name":17,"focus":17,"title":17,"source":17,"filename":74,"copyright":19,"fieldtype":20,"meta_data":75,"is_private":17,"is_external_url":22},13696863,"Illustration that shows a cyclone above an open laptop.","https://a.storyblok.com/f/168460/1568x1568/bcf8b99ec0/create-sbom-with-cyclonedx-gradle-osv-and-kondukto.jpg",{},"Create SBOM on Gradle with the CycloneDX Plugin","Alperen Örsdemir","The Software Bill of Materials (SBOM) has become essential in application security as it provides a comprehensive list of every element within a software build. This is important because vulnerabilities can often emerge in third-party or transitive dependencies, not just in the main code. 
SBOM is used not only for vulnerability discovery but also to detect and understand open-source license violations in advance. By uncovering these hidden risks, an SBOM facilitates a more effective management of potential security threats. In fact, a recent [Executive Order mandates](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/) that Federal Government agencies receive an SBOM for each software product, highlighting the critical role of SBOMs in national cybersecurity.\n\n[CycloneDX](https://cyclonedx.org/) is an open-source initiative focused on creating standardized formats for SBOMs. Project repositories and security-focused software need to conduct thorough checks of their dependencies. Generating SBOMs with CycloneDX simplifies this process and allows for a more comprehensive assessment of potential vulnerabilities. \n\nThis blog post is going to show you how to generate an SBOM during the build process using CycloneDX plugins. Additionally, we will scan the generated SBOM file with the OSV scanner to identify open-source vulnerabilities. We will also share the steps to implement these tools in a CI/CD pipeline to create and scan an SBOM for a Java/Kotlin Gradle project**.**\n\nWe use [Gradle plugins](https://plugins.gradle.org/plugin/org.cyclonedx.bom) specifically designed for CycloneDX to generate SBOMs within our build.gradle.kts and build.gradle files. This method streamlines SBOM creation and integrates seamlessly into our Gradle-based Java/Kotlin development workflow. It ensures efficient management of software dependencies and related security concerns. 
To see how this is implemented in this project, visit this GitHub [link](https://github.com/kondukto-io/sbom-gradle-cyclonedx-pipeline-scan/tree/main).\n\n![Screenshot showing how to include CycloneDX plugin in Gradle.](https://a.storyblok.com/f/168460/1814x1388/5fc8b5e310/cyclonedx-plugin-in-gradle.png)\n\n![Screenshot showing the inclusion of the CycloneDX plugin in Gradle and Kotlin.](https://a.storyblok.com/f/168460/1025x570/2318880484/kotlin.png)\n\nAfter adding the required plugin to our `build.gradle.kts` or `build.gradle` file, as shown above, we build our project using the command `gradle cyclonedxBom` in the project directory. \n\nWe suggest checking the CycloneDX Gradle plugin's default configuration on CycloneDX’s [GitHub repository](https://github.com/CycloneDX/cyclonedx-gradle-plugin) before using it on your repositories. Some of the options provided allow you to exclude specified components while generating the SBOM, which could result in missing significant information. Review options such as `skipConfigs` and `skipProjects` before using the plugin in your build so that no valuable SBOM components are missing from your output files.\n\n## OSV Scan\n\n[OSV-scanner](https://google.github.io/osv-scanner/), a versatile command-line interface tool from Google, offers a range of capabilities, including checking for open-source vulnerabilities. Distributed under the [Apache-2.0 License](https://www.apache.org/licenses/LICENSE-2.0.html), it aligns with open-source principles. The tool is user-friendly and adaptable, capable of efficiently scanning for vulnerabilities. Here is an example command for SBOM files:\n\n~~~\nosv-scanner -S sbom.json --json --output result.json\n~~~\n\nThis command scans the SBOM file and outputs the results in JSON format, making it easy to identify and address potential security issues. It is worth noting that if any vulnerabilities are found during the scan, the tool exits with a return value of \"1\". 
If you use the OSV-scanner in a pipeline and want to prevent the pipeline from breaking due to this return value, you can use the `|| true` operator, as shown below. Note that this also hides genuine scanner failures, so a pipeline that uses it should inspect `result.json` in a later step to decide whether the build should fail.\n\n~~~\nosv-scanner -S sbom.json --json --output result.json || true\n~~~\n\nFor Java Maven projects, the integration of the CycloneDX plugin can be explored by visiting this [link](https://kondukto.io/blog/how-to-generate-and-audit-sbom-in-a-ci-cd-pipeline#how-to-install-cyclonedx-maven-plugin). There is also a repository available showcasing this process [here](https://github.com/kondukto-io/sbom-pipeline-example/tree/main).\n\n## Import OSV scan results and SBOM on Kondukto with pipeline\n\nManaging vulnerabilities is a critical aspect of cybersecurity management, and automating it saves time. To import OSV scan results and an SBOM into Kondukto (see this [blog post for more details](https://kondukto.io/blog/how-to-generate-and-audit-sbom-in-a-ci-cd-pipeline#how-to-install-cyclonedx-maven-plugin)), an Application Security Orchestration and Posture Management (ASPM) platform, you can utilize Kondukto's CLI tool called \"kdt\". \n\nUsing `kdt`, you can easily import vulnerabilities through your pipeline, enhancing your cybersecurity efforts efficiently. The GitHub workflow provided below showcases the integration of the tools mentioned above into a pipeline, including the steps for building, SBOM generation, scanning, and importing.\n\n![Screenshot showing a GitHub workflow definition for CycloneDX, Gradle, OSV scan and Kondukto.](https://a.storyblok.com/f/168460/1080x895/4bca9a6cce/github-workflow-for-cyclonedx-gradle-osv-kondukto-pipeline.png)\n\n## Conclusion\n\nThe use of SBOMs, CycloneDX plugins, OSV-scanner and a mature ASPM platform like Kondukto can greatly contribute to the security and management of your software dependencies. 
In combination, they allow for a more comprehensive assessment of potential vulnerabilities and of the security posture of your applications.","Learn how to create and scan SBOMs with CycloneDX and Gradle plugins for Java/Kotlin projects. Improve your application security with SBOMs on Kondukto.","create-sbom-on-gradle-with-the-cyclonedx-plugin","blog/create-sbom-on-gradle-with-the-cyclonedx-plugin",-450,[84,59,60],"ASPM","1bc409e2-6e76-4f96-a5e3-6e9b4208ba54",[],{"name":88,"created_at":89,"published_at":90,"id":91,"uuid":92,"content":93,"slug":104,"full_slug":105,"sort_by_date":29,"position":106,"tag_list":107,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":109,"first_published_at":110,"release_id":29,"lang":38,"path":29,"alternates":111,"default_full_slug":29,"translated_slugs":29},"Enhancing Security with eBPF: Use Cases Explored","2023-12-28T10:53:31.290Z","2023-12-28T12:06:32.424Z",422956848,"3310f06e-808e-4d31-8e2d-6989ec8c0863",{"_uid":94,"image":95,"title":88,"author":101,"details":102,"component":25,"meta_description":103},"46389a8c-da02-4fae-906b-fd8259d2e1af",{"id":96,"alt":97,"name":17,"focus":17,"title":17,"source":17,"filename":98,"copyright":99,"fieldtype":20,"meta_data":100,"is_private":17,"is_external_url":22},13538759,"A security scanner, reminiscent of an airport luggage scanner, scanning packages that are destined for the world wide web.","https://a.storyblok.com/f/168460/1500x1500/63511ea649/kondukto_blog_ebpf-security-use-cases-explored_2023-12-28.jpg","Copyright 2023 by Kondukto Inc. All rights reserved.",{},"Cenk Kalpakoğlu","[eBPF](https://ebpf.io/what-is-ebpf/), short for Extended Berkeley Packet Filter, is a kernel technology that allows programs to run without requiring changes to the kernel source code or the addition of new modules. eBPF was built on top of the [Berkeley Packet Filter (cBPF)](https://en.wikipedia.org/wiki/Berkeley_Packet_Filter). 
Notable milestones in its development include the first in-kernel Linux JIT compiler in April 2011 and the first non-networking use case of the classic Berkeley Packet Filter, seccomp-bpf, appearing in January 2012.\n\nIt can be used for a variety of purposes. In this blog post, we will explore how eBPF can be used for runtime security, network security, container security, and CI/CD security.\n\n## **Runtime Security**\n\nRuntime security involves protecting a running system or application from unauthorized access, malicious activities, or vulnerabilities. By leveraging eBPF, we can monitor and enforce security policies at a very low level, providing granular control over system behavior. Let's take a look at an example of how eBPF can be utilized for runtime security.\n\nConsider a scenario where we want to detect and prevent the execution of a specific system call by a particular process. We can achieve this with an eBPF program that attaches to the kernel and intercepts the system calls made by the process. 
If the intercepted system call matches the one we want to block, the eBPF program can take action, such as terminating the process or logging the event for further investigation.\n\nHere is a simplified example of an eBPF program that blocks the execve system call made by a process with a specific process ID (PID). It uses a BPF LSM hook, because a plain kprobe can observe a call but cannot veto it:\n\n~~~\n#include \u003Clinux/bpf.h>\n#include \u003Clinux/errno.h>\n#include \u003Cbpf/bpf_helpers.h>\n#include \u003Cbpf/bpf_tracing.h>\n\n/* Only used as a pointer here; vmlinux.h supplies the full definition */\nstruct linux_binprm;\n\n/* PID (TGID) to block; the loader fills this in before the program is loaded */\nconst volatile __u32 target_pid = 0;\n\n/* BPF LSM hook on exec (needs CONFIG_BPF_LSM and \"bpf\" in the lsm= boot list).\n * Returning a negative errno makes the kernel refuse the exec. */\nSEC(\"lsm/bprm_check_security\")\nint BPF_PROG(block_execve, struct linux_binprm *bprm)\n{\n    __u32 pid = bpf_get_current_pid_tgid() >> 32;\n\n    if (target_pid != 0 && pid == target_pid)\n        return -EPERM;\n\n    return 0;\n}\n~~~\n\nWith this eBPF program in place, any attempt by the specified process to execute the `execve` system call is rejected with `EPERM`, effectively preventing the execution.\n\n## **Network Security**\n\neBPF provides powerful capabilities for monitoring and controlling network traffic, allowing us to enforce security policies in real-time.\n\nSuppose we want to block all incoming network connections except for those coming from a specific IP address range. We can achieve this with an eBPF program that attaches to the network stack and filters incoming packets based on their source IP addresses. 
If the source IP address is not in the allowed range, the eBPF program can drop the packet.\n\nHere is a simplified example of an eBPF program that enforces this network security policy as an XDP program, which runs on incoming packets before the network stack sees them:\n\n~~~\n#include \u003Clinux/bpf.h>\n#include \u003Clinux/if_ether.h>\n#include \u003Clinux/ip.h>\n#include \u003Cbpf/bpf_helpers.h>\n#include \u003Cbpf/bpf_endian.h>\n\n/* Allowed source range, host byte order; the loader sets these before attach */\nconst volatile __u32 start_ip = 0;\nconst volatile __u32 end_ip = 0;\n\nSEC(\"xdp\")\nint xdp_filter(struct xdp_md *ctx)\n{\n    void *data = (void *)(long)ctx->data;\n    void *data_end = (void *)(long)ctx->data_end;\n    struct ethhdr *eth = data;\n    struct iphdr *ip;\n\n    /* The verifier requires a bounds check before every header access */\n    if ((void *)(eth + 1) > data_end)\n        return XDP_PASS;\n    if (eth->h_proto != bpf_htons(ETH_P_IP))\n        return XDP_PASS; /* let non-IPv4 frames such as ARP through */\n    ip = (struct iphdr *)(eth + 1);\n    if ((void *)(ip + 1) > data_end)\n        return XDP_PASS;\n\n    /* Drop anything whose source address falls outside the allowed range */\n    if (bpf_ntohl(ip->saddr) \u003C start_ip || bpf_ntohl(ip->saddr) > end_ip)\n        return XDP_DROP;\n\n    return XDP_PASS;\n}\n~~~\n\nBy attaching this eBPF program to an appropriate network interface, we can effectively block incoming network connections from IP addresses outside the specified range.\n\n## **Container Security**\n\nContainer security is of paramount importance in today's cloud-native landscape. eBPF can help enforce security policies within containers, providing visibility and control at the kernel level. Let's explore a practical example of using eBPF for container security.\n\nAssume we want to monitor all outgoing network connections from a container and alert on any connections to a suspicious IP address. With eBPF, we can write a program that attaches to the container's network namespace and inspects outgoing packets. 
If the destination IP address matches the suspicious IP address, the eBPF program can generate an alert.\n\nHere is a simplified example of an eBPF program for monitoring container network connections. It hooks the kernel's `tcp_v4_connect` function and reads the destination address from the `sockaddr` argument:\n\n~~~\n#include \u003Clinux/bpf.h>\n#include \u003Clinux/in.h>\n#include \u003Cbpf/bpf_helpers.h>\n#include \u003Cbpf/bpf_tracing.h>\n#include \u003Cbpf/bpf_endian.h>\n\nstruct sock; /* only used as a pointer; vmlinux.h supplies the definition */\n\n/* Set by the loader: address to alert on (host byte order) and the cgroup id\n * of the container to watch (0 = watch every process on the host) */\nconst volatile __u32 suspicious_ip = 0;\nconst volatile __u64 target_cgroup = 0;\n\n/* Kernel signature: tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) */\nSEC(\"kprobe/tcp_v4_connect\")\nint BPF_KPROBE(trace_tcp_connect, struct sock *sk, void *uaddr)\n{\n    struct sockaddr_in sin = {};\n\n    /* kprobes fire system-wide, so scope the check to one container's cgroup */\n    if (target_cgroup != 0 && bpf_get_current_cgroup_id() != target_cgroup)\n        return 0;\n    /* uaddr is kernel memory; copy it onto the BPF stack before reading it */\n    if (bpf_probe_read_kernel(&sin, sizeof(sin), uaddr) \u003C 0)\n        return 0;\n\n    if (bpf_ntohl(sin.sin_addr.s_addr) == suspicious_ip)\n        bpf_printk(\"Suspicious outgoing connection detected from container!\");\n\n    return 0;\n}\n~~~\n\nOnce this eBPF program is loaded and scoped to the container's cgroup, we can monitor all of its outgoing TCP connections and alert on any connection to the specified suspicious IP address.\n\n## **CI/CD Security**\n\nIn the context of CI/CD Security, eBPF can be used to monitor and block system calls made by the pipeline (see [this post on Tracee](https://blog.aquasec.com/cicd-pipeline-security-tool-tracee)). This can be done by attaching an eBPF program to the kernel that monitors the system calls made by the pipeline and blocks any unauthorized or malicious activity.\n\nThe eBPF program can be designed to monitor specific system calls made by the pipeline such as `execve`, `open`, `write`, `read`, and `connect`. The program can also be designed to monitor the arguments passed to these system calls and block any unauthorized or malicious activity.\n\nFor example, if a pipeline is attempting to execute a command that is not authorized, the eBPF program can block the `execve` system call and prevent the command from being executed. 
Similarly, if a pipeline is attempting to write to a file that is not authorized, the eBPF program can block the `write` system call and prevent the write operation from being performed.\n\neBPF can also be used to monitor network traffic generated by the pipeline and block any unauthorized or malicious activity. For example, if a pipeline is attempting to connect to a malicious IP address, the eBPF program can block the `connect` system call and prevent the connection from being established.\n\n### **Example: Enforcing Outbound Connection Whitelisting**\n\nTo secure your CI/CD pipelines using eBPF, you can leverage its capabilities to monitor and enforce security policies on outgoing network connections. Let's take an example where you want to block any outbound network connections from your CI/CD pipeline, except for specific whitelisted endpoints.\n\nFirst, you need to write an eBPF program that matches outbound traffic from your CI/CD pipeline and compares the destination IP address against a whitelist. If the destination IP address is not in the whitelist, the eBPF program drops the packet.\n\nBelow is a simplified example of an eBPF program that demonstrates this behavior. It is written as a tc egress program, since XDP only sees incoming packets:\n\n~~~\n#include \u003Clinux/bpf.h>\n#include \u003Clinux/if_ether.h>\n#include \u003Clinux/ip.h>\n#include \u003Clinux/pkt_cls.h>\n#include \u003Cbpf/bpf_helpers.h>\n#include \u003Cbpf/bpf_endian.h>\n\n/* Whitelisted destination, host byte order; the loader sets it before attach */\nconst volatile __u32 whitelist_ip = 0;\n\n/* tc egress program (attach with: tc filter add dev IFACE egress bpf da obj prog.o sec tc) */\nSEC(\"tc\")\nint block_outbound_network(struct __sk_buff *skb)\n{\n    void *data = (void *)(long)skb->data;\n    void *data_end = (void *)(long)skb->data_end;\n    struct ethhdr *eth = data;\n    struct iphdr *ip;\n\n    /* Bounds checks are required by the verifier before each header access */\n    if ((void *)(eth + 1) > data_end)\n        return TC_ACT_OK;\n    if (eth->h_proto != bpf_htons(ETH_P_IP))\n        return TC_ACT_OK; /* non-IPv4 frames (e.g. ARP) are left alone */\n    ip = (struct iphdr *)(eth + 1);\n    if ((void *)(ip + 1) > data_end)\n        return TC_ACT_OK;\n\n    /* Drop every packet not addressed to the whitelisted endpoint */\n    if (bpf_ntohl(ip->daddr) != whitelist_ip)\n        return TC_ACT_SHOT;\n\n    return TC_ACT_OK;\n}\n~~~\n\nBy attaching this eBPF program as a tc egress filter on the network interface used by your CI/CD pipeline, you can effectively block any outbound network connections that are not whitelisted.\n\nLoading and managing eBPF programs like this typically involves tooling such as bcc, bpftrace, Cilium or Falco. 
These tools provide high-level functions to simplify the process of enabling and managing eBPF programs for CI/CD security. They provide convenient APIs to load and attach eBPF programs to specific network interfaces or containers, effectively enforcing the defined security policies.\n\nFor a more complete and production-ready solution, consider leveraging existing eBPF-based security frameworks like [Cilium](https://docs.cilium.io/en/stable/) or [Falco](https://falco.org/docs/). These frameworks offer additional features such as network visibility, deep packet inspection, and integration with orchestration platforms.\n\n## **Conclusion**\n\nIn this blog post, we explored how eBPF can be utilized for runtime security, network security, container security, and CI/CD security. We provided detailed explanations and practical examples for each use case, showcasing the capabilities of eBPF in enhancing security at a granular level. By leveraging eBPF, you can enforce custom security policies, monitor network traffic, and protect your systems from malicious activities, ultimately strengthening the overall security of your applications.","Learn how eBPF can enhance container security and other security use cases. 
This post explains eBPF and provides examples of how to use it for security.","enhancing-security-with-ebpf-use-cases-explored","blog/enhancing-security-with-ebpf-use-cases-explored",-430,[33,108],"Container Security","110ee2a0-76e8-4168-92f5-0fbdcfefd80b","2023-12-28T11:08:02.874Z",[],{"name":113,"created_at":114,"published_at":115,"id":116,"uuid":117,"content":118,"slug":128,"full_slug":129,"sort_by_date":29,"position":130,"tag_list":131,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":132,"first_published_at":115,"release_id":29,"lang":38,"path":29,"alternates":133,"default_full_slug":29,"translated_slugs":29},"A Look into Modern Security Orchestration","2023-12-26T06:14:31.559Z","2023-12-26T07:28:06.401Z",422480820,"26943300-4753-408c-a65b-33a1dd3ccaed",{"_uid":119,"image":120,"title":113,"author":125,"details":126,"component":25,"meta_description":127},"a7ebf4a5-71ae-4011-9436-043c4bf1f0a1",{"id":121,"alt":122,"name":17,"focus":17,"title":17,"source":17,"filename":123,"copyright":99,"fieldtype":20,"meta_data":124,"is_private":17,"is_external_url":22},13477981,"Illustration that shows a DevSecOp Team working with an Application Security Orchestration Platform.","https://a.storyblok.com/f/168460/1500x1500/4a3f6d66cc/kondukto_blog_look-into-security-orchestration.jpg",{},"Can Taylan Bilgin","Have you ever thought there could be a smarter way to handle your organization's app security? In this blog post we're going to provide an overview of modern Security Orchestration, show how it fits perfectly with DevSecOps and how to make sure that security is part of your software development lifecycle right from the start.\n\n## What is Security Orchestration?\n\n![](https://a.storyblok.com/f/168460/957x533/de7a1d58fc/navigating-the-workflow-of-security-orchestration.png)\n\nSecurity orchestration is a strategic approach to connecting and automating cybersecurity processes and tools. Its main goal is to create an efficient and proactive defense against cyber threats. 
It builds a unified environment where security components work together, not as separate units. Let’s explore the concepts presented in the illustration above in greater detail:\n\n- **Threat Detection**: This involves using the most advanced technologies to identify potential security threats quickly. It's essential because the sooner a threat is detected, the faster it can be addressed, reducing the potential damage to a system or network.\n- **Alert Prioritization**: Once threats are detected, they need to be prioritized. This process determines which threats pose the greatest risk and should be handled first. It's a critical step because it ensures that the most serious threats receive immediate attention.\n- **Automated Response**: The system automatically takes action against threats based on predefined rules. This allows for an immediate security response because it reduces the time it takes for human operators to react, which can be crucial when dealing with fast-moving cyber attacks.\n- **Analysis**: This step involves thoroughly investigating the threat to understand how it works and its potential impact. This is essential for learning from each incident and improving the system's ability to prevent similar threats in the future.\n- **Mitigation**: This is about taking steps to reduce the severity of a threat. It includes things like patching vulnerabilities or isolating affected parts of the network. It's part of the process because stopping a threat from causing more damage is as important as detecting it in the first place.\n- **Resolution**: The final step involves fixing the damage caused by the threat and getting systems back to normal. 
This is crucial for resuming normal business operations with minimal downtime and ensuring the same threat doesn't reoccur.\n\nBy weaving these components into a complete security orchestration framework, security engineers can better predict, prepare for, and tackle cyber threats with greater agility and accuracy. Integrating these aspects forms the core of a strong cybersecurity defense, crucial in today’s environment, where digital threats constantly evolve.\n\n## The Evolution of Application Security\n\n![](https://a.storyblok.com/f/168460/957x533/601f63cec8/evolution-of-application-security.png)Significant advancements have marked the evolution of Application Security (AppSec). In the early days, security was often a manual afterthought. \n\nTraditional security methods, such as manual code reviews and basic firewall configurations, became less effective as technology advanced. These methods were no longer enough to protect against the modern and complex cyber threats that emerged. They also struggled to cope with the growth in scale and complexity.\n\nTo address these challenges, more proactive and innovative security measures were needed. 
This led to the creation of advanced strategies like security orchestration, which is a way of automating and coordinating security tasks across different tools and teams.\n\nUnlike earlier methods, security orchestration integrates various cybersecurity tools, enables automated processes and provides a single-pane-of-glass.\n\n## The Significance of Security Orchestration in AppSec\n\n![](https://a.storyblok.com/f/168460/957x533/3f22329ebe/core-components-of-security-orchestration.png)Here are some key points about security orchestration:\n\n- **Enhanced Efficiency**: It speeds up the entire security process by automating the basic tasks that used to take up valuable time.\n- **Better Integration**: Various security tools can work together smoothly, making the security process more cohesive and stronger.\n- **Quick Responses**: When threats are detected, the system can react instantly because of predefined automation protocols.\n\nThe need for security that grows with your organization is also met with security orchestration. As companies expand, they encounter new security challenges. 
Security needs to be scalable, meaning it can grow in strength and capacity alongside the company's expansion.\n\nSecurity orchestration allows for this kind of growth, ensuring that companies remain protected no matter how large they become or how much data they handle:\n\n- **Scalability**: As an organization grows, so does its security system, without the need for constant manual updates or overhauls.\n- **Protection for More Assets**: A bigger network and more data mean more potential targets for threats; security orchestration covers all bases.\n\nIt's about using the technology for repetitive tasks, which not only cuts down on the chances of human error but also gives the security team more time to tackle strategic issues.\n\n## Integrating Security Orchestration in AppSec Strategies\n\nIncorporating security orchestration into your existing application security framework is a task that requires careful planning and action. Here's how you can make this process more actionable and manageable:\n\n- **Evaluate Your Current Security Setup**: Look at what your organization already has regarding security. Identify the tools, processes, and systems you're currently using. This is like mapping your security landscape to see where you stand.\n- **Spot the Opportunities for Automation**: Once you know your current setup, find out where automation and integration could make a difference. Some tasks waste too much time or are areas where human error could be reduced. These are your starting points.\n- **Plan Your Integration in Stages**: Instead of trying to do everything simultaneously, break it down into smaller, more manageable phases. Start with the simpler tasks that are easier to automate. For instance, automating regular security scans or alerts can be a foundational step. A practical tool for this initial phase is OWASP ZAP (Zed Attack Proxy), an open-source web application security scanner. 
It's designed to help automatically find security vulnerabilities in your web applications while you are developing and testing them. Learn more and get started with OWASP ZAP from their [official website](https://www.zaproxy.org/).\n- **Move to More Complex Tasks Gradually**: Once the basic elements are automated, you can start looking at the more complex parts of your security system. This phased approach helps everyone get used to the new system without disrupting their operations.\n\nBy following these steps, you can effectively weave security orchestration into your existing setup, making your security efforts more efficient and robust without disrupting your daily operations.\n\n## Tools and Technologies in Security Orchestration\n\nIn security orchestration, a wide variety of tools and technologies are available, ranging from basic automation to full-fledged orchestration platforms. Each tool has its features and ways of working with other systems, so choosing the right ones is important.\n\nHere are some key features to look for:\n\n- **Validation Scan**: Automatically checks if fixes work, making it easier for AppSec and development teams to work together without unnecessary back-and-forth.\n- **Role-Based Access & Workflows**: Allows different levels of access and streamlines processes, ensuring everyone uses the tools and data they need effectively.\n- **SBOM Radar**: Quickly finds vulnerable components and the applications they affect, helping speed up the fixing process.\n- **Vulnerability Deduplication**: Identifies and removes repeated vulnerabilities, making things less cluttered for security teams.\n- **Onboarding & Health Check**: Provides a tailored setup process and regular checks to ensure everything works optimally for your specific situation.\n- **Remediation & Learning Hub**: Creates a space for sharing information about vulnerabilities and offers tailored training based on detailed vulnerability data.\n\nWhen choosing these tools, think 
about how easily they'll fit into your existing setup, their ability to grow with your needs, their compatibility with different security protocols, and how user-friendly they are. Selecting the right tools will improve your security and ensure they integrate well with your current system, resulting in a stronger, more efficient security orchestration framework.\n\n## Security Orchestration and DevSecOps: A Synergistic Approach\n\n![](https://a.storyblok.com/f/168460/957x533/fbc8f61af8/synergy-between-security-orchestration-and-devsecops.png)Security orchestration and [DevSecOps](https://en.wikipedia.org/wiki/DevOps#DevSecOps,\\_shifting_security_left) (a blend of Development, Security, and Operations) work well in modern application security. DevSecOps is all about making sure security is a key part of the entire software development process right from the start. It's like building a culture where security isn't just something you think about at the end, but at every step of the way. \n\nSecurity orchestration fits into this by offering the tools and ways of doing things that make security tasks automatic and more streamlined within your DevSecOps system.\n\nBringing security orchestration into DevSecOps makes the whole security side of things much more efficient and effective. It's about ensuring security isn't just tacked on at the end but is a core part of software development. \n\nThis way of doing things leads to software built to be more secure from the ground up, lowers the chances of security problems, and makes the whole software development process faster and more adaptable.\n\n## Summary\n\nSecurity orchestration is a strategic approach to connecting and automating cybersecurity processes and tools, with the goal of creating a proactive and efficient system for handling cyber threats. We looked at the components of security orchestration, including threat detection, alert prioritization, automated response, analysis, mitigation, and resolution. 
Integrating these components into a comprehensive framework, security orchestration allows for scalability and protection of your assets as your organization grows. \n\nBy automating repetitive tasks, it lowers the risk of human error and frees up the security team to focus on strategic issues. We also talked about how security orchestration and DevSecOps work together, where security is built into the whole software development process from the beginning and makes sure that your software is and stays secure.","Learn how security orchestration can automate and streamline your cybersecurity processes and tools, how it works with DevSecOps to ensure a secure SDLC.","a-look-into-modern-security-orchestration","blog/a-look-into-modern-security-orchestration",-420,[84,34,33],"df45e7ba-ac6b-4806-84a6-66c53218d304",[],{"name":135,"created_at":136,"published_at":137,"id":138,"uuid":139,"content":140,"slug":150,"full_slug":151,"sort_by_date":29,"position":152,"tag_list":153,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":154,"first_published_at":155,"release_id":29,"lang":38,"path":29,"alternates":156,"default_full_slug":29,"translated_slugs":29},"How Malicious Code Enters Applications","2023-12-07T06:12:54.324Z","2023-12-07T10:54:19.317Z",415770189,"302a2991-6a40-4ef7-b8b5-bf3cac3e58a5",{"_uid":141,"image":142,"title":135,"author":23,"details":148,"component":25,"meta_description":149},"76c545ec-81df-4c20-9bec-c31f33127f57",{"id":143,"alt":144,"name":17,"focus":17,"title":145,"source":17,"filename":146,"copyright":99,"fieldtype":20,"meta_data":147,"is_external_url":22},13204152,"A shadowy figure opening a fence that protected the source code of an application.","Malicious Code entering an Application","https://a.storyblok.com/f/168460/1500x1202/fb50e93ea3/kondukto_blog_malicious-code_hero-image_2023-12-07.jpg",{},"As the backbone of modern business operations, applications are frequently targeted by sophisticated malicious threats. 
In this blog post, we provide a high-level overview of how malicious code can enter your software applications. We look at different forms of malicious code, their entry points, practical tools and strategies for detection & prevention, focusing on innovative solutions.\n\n## **Overview of Malicious Code Entry**\n\n### **Types of Malicious Code**\n\nIn AppSec, understanding the various types of malicious code is fundamental. These malicious entities, ranging from viruses to spyware, each possess unique traits and attack vectors.  \nHere are some of the most common types of malicious code: \n\n 1. **Viruses:** are malicious programs that attach themselves to clean files and spread throughout a computer system, infecting files with malicious code. For instance, the [ILOVEYOU virus](https://en.wikipedia.org/wiki/ILOVEYOU) in 2000 caused widespread damage globally by overwriting files and replicating itself via email.\n 2. **Worms:** Like viruses, they can spread autonomously without a host file. Worms often exploit network vulnerabilities to spread across connected systems. The [Conficker worm](https://www.nytimes.com/2019/06/29/opinion/sunday/conficker-worm-ukraine.html), discovered in 2008, rapidly spread by exploiting a vulnerability in Windows OS and created a massive botnet.\n 3. **Trojans:** are deceptive software that appears legitimate but performs hidden, harmful functions. Trojans can create backdoors in your security to let other malware in. A notable example is the [Zeus Trojan](https://securityintelligence.com/articles/how-the-zeus-trojan-info-stealer-changed-cybersecurity/), known for stealing banking information by logging keystrokes and form grabbing.\n 4. **Ransomware:** This malicious software encrypts a user's data and demands payment for the decryption key. 
The [WannaCry ransomware attack](https://www.bbc.com/news/technology-39901382) in 2017 affected hundreds of thousands of computers worldwide, encrypting data and demanding Bitcoin ransom payments.\n 5. **Spyware:** Designed to monitor and collect information about the user secretly. It can track everything from web browsing habits to personal information. [CoolWebSearch](https://en.wikipedia.org/wiki/CoolWebSearch), a well-known spyware, hijacked web browsers and redirected users to unwanted websites.\n 6. **Adware:** Though not always malicious, adware can be annoying as it displays unwanted advertisements on your computer. Some adware tracks your browsing behavior to serve targeted ads. [Gator](https://www.investopedia.com/terms/g/gator.asp) was a prevalent adware that displayed ads and collected user data without consent.\n 7. **Rootkits:** These are designed to obtain administrator-level control over a computer system without being detected. Rootkits can manipulate system functions and hide other malware. The [Sony BMG rootkit scandal](https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal) in 2005 involved CDs that secretly installed rootkits on users' computers.\n 8. **Keyloggers:** These monitor and record keystrokes, allowing attackers to capture sensitive data like passwords and financial information. The FBI reportedly developed a keylogger software called [Magic Lantern](https://en.wikipedia.org/wiki/Magic_Lantern\\_(software)), used in criminal investigations to gather encryption keys and other sensitive data by recording keystrokes.\n 9. **Botnets:** Networks of infected computers controlled remotely by an attacker, usually used for coordinated attacks or to send spam. The [Mirai botnet](https://www.bbc.com/news/technology-42342221), known for converting networked IoT devices into remotely controlled bots, caused massive internet outages.\n10. 
**Logic Bombs:** These are malicious code snippets that trigger a malicious action when certain conditions are met, like a specific date or the launching of a particular program. A well-known case is the [Chernobyl virus](https://en.wikipedia.org/wiki/CIH\\_(computer_virus)), which acted as a logic bomb, wiping data on infected systems on a specific date.\n\nFrom viruses to botnets, each type of malicious code presents a unique challenge in cybersecurity. \n\n### **Infiltration Pathways of Malicious Code**\n\nThe pathways through which malicious code breaches applications are as diverse as the threats themselves. Understanding the common entry points is crucial for developing effective defense strategies:\n\n- **Unpatched Software Vulnerabilities:** Outdated or unpatched software can be easily exploited, allowing attackers to insert malicious code.\n- **Insecure APIs:** Weakly secured APIs can be a gateway for attackers to inject malware or extract sensitive data.\n- **Code Injection:** Vulnerabilities like SQL injection and [Cross-Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/) where attackers can insert harmful code into the application.\n- **Phishing Attacks:** Tricks users into downloading malicious code or revealing sensitive information, leading to application compromise.\n- **Third-party Libraries and Dependencies:** Using external code with hidden vulnerabilities can inadvertently introduce malicious code into the application.\n- **File Upload Vulnerabilities:** Applications allowing file uploads without proper validation and scanning can be exploited to upload malware.\n- **Buffer Overflow:** This attack overruns application memory, potentially allowing attackers to execute malicious code.\n- **Man-in-the-Middle (MITM) Attacks:** Attackers intercept communication between the user and application to inject or modify data.\n- **Poor Authentication and Authorization Controls:** Weak security in these areas can allow unauthorized access and 
the possibility of code injection.\n- **Cross-Site Request Forgery (CSRF):** Exploits a user's authenticated session, potentially leading to unauthorized actions and code execution.\n\nResources such as the [OWASP Top 10](https://owasp.org/www-project-top-ten/) and the [SANS Top 25](https://www.sans.org/top25-software-errors/) provide extensive insights and guidelines for a deeper understanding of these common tactics.\n\n### **Detection Tools and Techniques**\n\nDetection tools and techniques form the cornerstone of a robust cybersecurity strategy. They encompass a range of approaches, from analyzing source code for potential weaknesses to simulating real-world attacks. These methodologies are vital for uncovering and addressing security vulnerabilities:\n\n- **Static Application Security Testing (SAST):** SAST involves analyzing source code (or bytecode or binary code) for vulnerabilities without executing the program. It's typically done early in the development process.  \n  Tools like [Checkmarx](https://checkmarx.com/) and [Veracode](https://www.veracode.com/) fit into this category. They scan the source code to identify security vulnerabilities, coding flaws, and compliance issues, enabling developers to address these issues during the coding phase.\n- **Dynamic Application Security Testing (DAST):** DAST tools test applications from the outside while they are running. They simulate external attacks to identify security vulnerabilities. [Burp Suite](https://portswigger.net/burp) and [Invicti](https://www.invicti.com/) are prominent DAST tools. They operate while the application is in execution, simulating real-world attacks to identify vulnerabilities and security holes that would be visible to an attacker.\n- **Interactive Application Security Testing (IAST):** IAST combines aspects of both SAST and DAST. It often works within the application during testing phases to identify real-time vulnerabilities. 
Tools that offer IAST capabilities analyze code for vulnerabilities during runtime, providing immediate feedback to developers. They bridge the gap between SAST and DAST, offering a more integrated approach to application security testing.\n\nIntegrating SAST, DAST, and IAST in the AppSec security posture represents a comprehensive approach to vulnerability detection. By combining static, dynamic, and interactive testing methods, these tools offer a multifaceted defense against cyber threats. Let's next examine the strategies for evaluating and prioritizing the risks they uncover.\n\n## **Risk Scoring**\n\nRisk Scoring is a key element of your Security Posture Management (see below). As a metric it quantifies your security posture based on the number and severity of the security issues that affect your assets and applications:\n\n- **Automated Vulnerability Identification:** Security tools scan systems and applications to identify potential vulnerabilities automatically using various detection methods like signature-based, anomaly-based, or behavior-based techniques.\n- **Risk Score Assignment:** Each identified vulnerability is assigned a risk score. This score is typically calculated based on several factors:\n  - **Severity of the Vulnerability:** Assessed based on the potential impact of the exploited vulnerability. This may include the extent of potential damage, data breach severity, or system compromise.\n  - **Exploitability:** Evaluate how easily an attacker can exploit the vulnerability. 
This considers factors like the exploit's complexity, required skill level, and availability of exploit tools.\n  - **Prevalence and Exposure:** Considers how widespread the vulnerability is and how much the system is exposed to potential exploitation.\n  - **Mitigation and Remediation Difficulty:** Assesses the effort required to mitigate or patch the vulnerability.\n- **Prioritization Based on Risk Score:** The tool ranks the vulnerabilities based on risk scores, allowing security teams to prioritize their response effectively.\n  - **High-Risk Vulnerabilities:** These are prioritized for immediate action, typically requiring urgent patching or mitigation.\n  - **Medium and Low-Risk Vulnerabilities:** Addressed on a scheduled basis, depending on their potential impact and likelihood of exploitation.\n- **Risk Score Algorithms:** There are specific algorithms to combine the abovementioned factors into a single risk score. Standard models include [CVSS (Common Vulnerability Scoring System)](https://www.sans.org/blog/what-is-cvss/) and proprietary algorithms developed by security tool vendors.\n- **Dynamic Risk Scoring:** Some advanced threat intelligence tools and frameworks offer dynamic risk scoring, where the risk score of a vulnerability can change over time based on new information, threat landscape evolution, or changes in the environment.\n- **Integration with Security Response:** The risk scoring is integrated with the organization’s security response plan, ensuring that mitigation efforts align with the prioritized risks.\n\nTools equipped with risk-scoring capabilities can quickly highlight the most critical issues that need immediate attention, streamlining the decision-making process.  \nKondukto provides two levels of risk scoring: on a project and on a vulnerability level: \n\n- Projects that are internet-facing can automatically be identified through CNAPP integrations and assigned an appropriate label. 
Vulnerabilities in these projects can then be given a higher priority over others.\n- On a vulnerability level, Kondukto can integrate with threat intelligence tools like [Mandiant](https://www.mandiant.com/advantage/threat-intelligence) and frameworks like [EPSS](https://www.first.org/epss/) or CISA KEV to provide further context about the probability of an exploit, whether the vulnerability is actively being exploited in the wild or if there is a known fix for the vulnerability at hand.\n\n## **Security Posture Management**\n\nSecurity Posture Management is a set of practices and technologies that help you assess, monitor and reduce the risk related to data & resources in your environments. Some of these best practices are: \n\n- **Strengthen Application Defenses:** Implement application-specific security measures like [Web Application Firewalls (WAF)](https://en.wikipedia.org/wiki/Web_application_firewall) and [secure coding practices](https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/assets/docs/OWASP_SCP_Quick_Reference_Guide_v21.pdf).\n- **Enforce Application Security Policies:** Develop and uphold strict application development, deployment and maintenance policies.\n- **Perform Application Vulnerability Assessments:** Regularly conduct security audits and application assessments to identify and address vulnerabilities.\n- **Educate Development Teams:** Provide ongoing training to development teams on secure coding practices and emerging security threats with platforms like [Secure Code Warrior](https://www.securecodewarrior.com/), [SecureFlag](https://www.secureflag.com/) and [Avatao](https://avatao.com/).\n- **Establish Incident Response for Applications:** Develop response plans for potential application security breaches.\n- **Ensure Regular Updates and Patch Management:** Maintain application and library updates to mitigate known vulnerabilities.\n- **Evaluate Third-Party Components:** Rigorously assess the security of 
third-party libraries and APIs integrated into applications.\n\nBy focusing on these best practices, enforcing robust security policies and taking proactive measures like developer training and recurring audits, you can build a strong and responsive barrier against application-level cyber threats. Deploy detection tools that fit your specific applications and that collectively cover your whole software development lifecycle. Finally, by using Risk Scores effectively to keep you focused on the high-priority and most urgent threats and vulnerabilities, you will be able to stay on top of the noise.","This blog post provides a brief overview of the types of malicious code, how they enter applications and how ASPM can help protect your applications.","how-malicious-code-enters-applications","blog/how-malicious-code-enters-applications",-410,[59,34,84],"c2dd1caf-6fe1-49fd-a3da-c74095a8728c","2023-12-07T10:50:14.625Z",[],{"name":158,"created_at":159,"published_at":160,"id":161,"uuid":162,"content":163,"slug":172,"full_slug":173,"sort_by_date":29,"position":174,"tag_list":175,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":177,"first_published_at":160,"release_id":29,"lang":38,"path":29,"alternates":178,"default_full_slug":29,"translated_slugs":29},"ASPM and Security Testing Orchestration","2023-11-28T02:54:59.710Z","2023-11-28T18:21:59.564Z",411490610,"3cf69e75-d7e2-4f94-b800-56c032ae30f0",{"_uid":164,"image":165,"title":158,"author":125,"details":170,"component":25,"meta_description":171},"5c3b76c9-03aa-4724-a326-803e578a5182",{"id":166,"alt":167,"name":17,"focus":17,"title":17,"source":17,"filename":168,"copyright":99,"fieldtype":20,"meta_data":169,"is_external_url":22},13091817,"An abstract visualisation of orchestrating various elements.","https://a.storyblok.com/f/168460/1500x1024/abb6f7159e/kondukto_blog_aspm-security-testing-orchestration_1_2023-11-28.jpg",{},"Considering the complexity of the modern application stack and developer tooling, ensuring 
the security of your application throughout its lifecycle can quickly become a daunting task.\n\nApplication Security Posture Management (ASPM) solutions are designed to simplify and streamline exactly this process of finding and fixing software vulnerabilities. They integrate with various sources of security data and automate testing workflows across different stages of application development. By correlating and analyzing the security data, ASPM platforms provide a unified view of the vulnerability landscape and help you prioritize and coordinate remediation actions. One of the most important types of security data comes from application security testing solutions. This blog will provide a brief overview of the security testing landscape.\n\n## **Testing Orchestration**\n\nSecurity testing involves identifying and mitigating potential vulnerabilities and risks that may compromise the functionality, performance or data integrity of software. In the modern software development lifecycle, security testing should be integrated as early as possible, following the principle of shift-left testing. This way, security issues can be detected and resolved before they become costly or damaging for the software and its users.\n\n### Static Application Security Testing (SAST)\n\nStatic Application Security Testing, commonly known as SAST, is a critical component of a robust security strategy. It involves the analysis of source code, bytecode, or binary code for security vulnerabilities. ASPM platforms integrate advanced SAST tools, ensuring early detection of vulnerabilities in the source code. By pinpointing issues during the development phase, security teams can proactively mitigate risks. 
SAST helps identify issues such as buffer overflows, SQL injection, and other potential vulnerabilities that can be exploited by attackers.\n\nExplore industry standards like the [OWASP Code Review Guide](https://owasp.org/www-project-code-review-guide/) for best practices in SAST and look into SAST solutions like [Veracode](https://www.veracode.com/products/binary-static-analysis-sast) or [Checkmarx](https://checkmarx.com/cxsast-source-code-scanning/) as a starting point of your evaluation process.  \nSecrets like API keys, digital certificates or passwords left forgotten in the source code can also be discovered by secret scanning tools like [GitGuardian](https://www.gitguardian.com/) or the open-source [TruffleHog](https://github.com/trufflesecurity/trufflehog).\n\n### Dynamic Application Security Testing (DAST)\n\nDynamic Application Security Testing, or DAST, is a testing methodology that evaluates an application's security while it's running. By simulating real-world attacks, security engineers can identify and rectify vulnerabilities that may not be apparent in static analysis.\n\nASPM platforms that integrate DAST tools allow for real-time testing in dynamic environments within one consolidated source of truth. The [OWASP Web Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) is a good resource to learn more about DAST best practices.\n\n### Software Composition Analysis (SCA)\n\nModern applications rely on third-party libraries and components. Software Composition Analysis (SCA) is the practice of identifying and managing open-source and third-party components within a software application. 
SCA tools identify vulnerabilities in these components, helping security teams understand and mitigate risks associated with third-party dependencies.\n\nFamiliarize yourself with the [National Vulnerability Database (NVD)](https://nvd.nist.gov/) for current known vulnerabilities and stay up to date on SCA scanners (e.g., [Mend](https://www.mend.io/sca/), [Snyk](https://snyk.io/), [Sonatype](https://www.sonatype.com/)) to minimize the risk of exploitable vulnerabilities in your third-party components.\n\n### API Security Testing\n\nAPIs play a crucial role in modern microservice-based applications, facilitating communication and data exchange between different software components and consumers. API Security solutions assess and secure your APIs to prevent unauthorized access, data breaches, and other security threats.\n\nThe [OWASP API Security Project](https://owasp.org/www-project-api-security/) is a great resource on API security best practices.\n\n### Infrastructure as Code (IaC) Security\n\nMore and more organizations are managing their infrastructure through code, increasing automation and consistency. Modern ASPM platforms extend their reach to secure IaC deployments, ensuring that security is embedded throughout the development lifecycle. This involves analyzing IaC scripts for security vulnerabilities, misconfigurations, and compliance violations.\n\n### Container Security\n\nBuilding secure applications can be a futile effort if those applications are deployed on insecure containers. Container security tools can scan images, reveal their content and search for known vulnerabilities. Also take a look at [CIS Benchmarks](https://www.cisecurity.org/benchmark/) for related container security standards.\n\n### Cloud Security\n\nWith the rise of cloud-native applications, misconfigurations in service providers have been gateways for many cyber-attacks. 
Cloud security tools aim to protect data, applications and infrastructure in cloud computing environments from unauthorized access, data breaches and other threats. Hyperscalers offer their native security modules while there are also many commercial solutions (e.g., [Wiz](https://www.wiz.io/), [Aqua Security](https://www.aquasec.com/), [Lacework](https://www.lacework.com/)) that aim to centralize the management of vulnerabilities discovered in infrastructures across all cloud providers.\n\n## Conclusion\n\nBy incorporating security testing technologies that cover your whole application lifecycle, such as the mentioned SAST, SCA, API security, DAST, cloud, container and IaC security solutions, you will substantially harden your application security. Orchestrating them with a modern ASPM platform will keep you productive while your toolset grows and will give you the opportunity to get the most out of each of your security testing tools.","A brief overview of how ASPM and Security Testing Orchestration can help you secure your application throughout its lifecycle. 
","aspm-and-security-testing-orchestration","blog/aspm-and-security-testing-orchestration",-400,[59,176,84],"SAST","d13878bd-020e-40c6-bd7d-d942c9a764d3",[],{"name":180,"created_at":181,"published_at":182,"id":183,"uuid":184,"content":185,"slug":194,"full_slug":195,"sort_by_date":29,"position":196,"tag_list":197,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":198,"first_published_at":199,"release_id":29,"lang":38,"path":29,"alternates":200,"default_full_slug":29,"translated_slugs":29},"Container Security: A Quick Overview","2023-11-21T13:55:31.812Z","2023-11-21T14:55:42.400Z",408789376,"32232b30-6e9f-407a-b7ff-f967cc97fc52",{"_uid":186,"image":187,"title":180,"author":23,"details":192,"component":25,"meta_description":193},"cc550cb2-af80-4071-8fdd-d84eda28a6f8",{"id":188,"alt":189,"name":17,"focus":17,"title":17,"source":17,"filename":190,"copyright":99,"fieldtype":20,"meta_data":191,"is_external_url":22},12957951,"A square shipping container with Docker written on it that is secured by large metal chains.","https://a.storyblok.com/f/168460/1678x1162/19c554fa9b/kondukto_blog_container-security_hero_edited_2023-11-21.jpg",{},"Container security is an increasingly vital aspect of modern software development and deployment. Understanding and implementing effective security measures becomes essential as organizations shift towards containerizing their applications. This article will explore practical insights and strategies for ensuring robust container security. We will delve into some best practices and tools to secure container environments, focusing on securing images and registries, container deployment, runtime security, and more.\n\n## **Securing Images and Registries**\n\n### **Trusted Base Images**\n\nThe cornerstone of container security is the use of trusted base images. These images form the foundation upon which containers are built and run. Ensure that these base images come from reputable sources and are up-to-date with security patches. 
\n\nTo establish a secure foundation for your containerized applications, focus on selecting and maintaining trusted base images:\n\n1. **Select Reputable Sources:** Always obtain your base images from well-known, official repositories like [Alpine Linux](https://www.alpinelinux.org/) or [Ubuntu Minimal](https://wiki.ubuntu.com/Minimal). Avoid third-party sources unless they are verified and trusted within the industry. This will significantly reduce the risk of incorporating potentially compromised images.\n2. **Implement Vulnerability Scanning:** Set up automated tools to regularly scan your base images for vulnerabilities. Tools like [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud) or [Trivy](https://github.com/aquasecurity/trivy) can be integrated into your CI/CD pipeline to monitor for and alert you to new vulnerabilities as they are discovered.\n3. **Establish a Regular Update Schedule:** Create a policy for routinely updating your base images with the latest security patches. This policy should specify a regular interval for checks and updates, ensuring that your images are always equipped with the latest defenses against known vulnerabilities.\n\n### **Registry Security Measures**\n\nBeyond the images themselves, the security of the container registries where these images are stored and distributed is equally important. Implementing secure access controls to these registries is essential to prevent unauthorized access. \n\nHere’s how you can secure your container’s registry:\n\n1. **Implement Access Controls:** Define and enforce strict access controls for container registries. This means setting permissions for who can push (upload) or pull (download) images. Use tools like [Portus](http://port.us.org/) or [Harbor](https://goharbor.io/) to manage these permissions effectively.\n2. **Integrate with Identity Management Systems:** Link your registry with your organization’s identity and access management (IAM) systems. 
This integration ensures that access to your container registries is consistent with your overall security policies and that only authorized personnel can access them. If your organization doesn’t have an IAM solution, companies like [Okta](https://www.okta.com/) can help achieve this.\n3. **Utilize Image Signing:** Adopt image signing mechanisms to ensure the images' integrity. Solutions like [Docker Content Trust](https://docs.docker.com/engine/security/trust/) or [Red Hat’s Simple Signing](https://www.redhat.com/en/blog/container-image-signing) provide methods for signing container images, adding verification steps to confirm that the images are genuine and untampered.\n\n## **Container Deployment and Runtime Security**\n\nAfter establishing a secure foundation with trusted images and registries, the next step of our container security journey is to secure our images during deployment and runtime. \n\n### **Hardening For Deployment Environments**\n\nThe security of the environment where containers are deployed includes hardening the host operating system and ensuring secure network configurations.\n\n- **Role-Based Access Control (RBAC):** Platforms like [Kubernetes](https://kubernetes.io/) have built-in RBAC features essential for defining and enforcing who has access to what within the container ecosystem. This level of control is instrumental in preventing unauthorized access and potential breaches.\n- **Resource and Network Access Management:** These platforms enable the setting up of specific policies that govern how resources are used and network access is granted. This granular control helps in effectively managing the security of containerized applications, ensuring that resources are optimally allocated and that network access is tightly regulated.\n- **Immutable Deployments:** Adopting an immutable deployment strategy has emerged as a best practice. 
This involves creating a static instance image during the build process, which is then used to deploy new instances. To update the application, new images are created, and old instances are replaced, reducing the risk of configuration drift and ensuring a consistent environment across deployments.\n- **Secrets Management:** Handling sensitive information securely within containerized environments is crucial. Orchestration platforms often offer integrated solutions for managing secrets, such as API keys and credentials, ensuring they are stored, transmitted, and accessed securely. Many container platforms come with their own secrets management solutions ([AWS Secrets Manager](https://aws.amazon.com/secrets-manager/), [Azure Key Vault](https://azure.microsoft.com/en-us/products/key-vault/)).\n\n### **Securing Container Runtime**\n\nRuntime security is a critical yet often overlooked aspect of container security. To strengthen this area, here are some key best practices:\n\n- **Dedicated Network Segmentation for Containers:** Implement network segmentation to isolate containers, significantly reducing the attack surface and limiting the spread of potential breaches.\n- **Principle of Least Privilege Enforcement:** Strictly control container access, only allowing necessary connectivity. This reduces vulnerabilities and minimizes the risk of unauthorized access.\n- **Selective Port Exposure:** Expose only essential ports for your application's operation. This includes service ports like SSH, ensuring non-essential ports remain inaccessible to reduce security risks.\n- **Secure Communication with TLS:** Use Transport Layer Security (TLS) for all service communications. 
This encrypts data in transit and confirms the authenticity of communicating endpoints, bolstering network security.\n- **Image Policy Control:** Integrate an image policy tool like [Docker's Content Trust](https://docs.docker.com/engine/security/trust/#about-docker-content-trust-dct) to restrict the deployment of images to pre-approved or whitelisted ones, preventing unauthorized or potentially harmful images from being used.\n\n## **Reducing Attack Surface and Limiting Privileges**\n\nIn container security, the 'attack surface' refers to the sum of different points where an unauthorized user can try to enter data or extract data from your environment. Limiting privileges involves granting only the necessary access rights to container processes, minimizing the potential damage if a container is compromised.\n\n### **Implementing Ephemeral Containers for Reduced Exposure**\n\nUsing ephemeral containers, which are short-lived and stateless, can significantly reduce your attack surface. These containers are typically used for a single operation or process and are destroyed afterward. This approach limits the time window for an attack. It reduces the potential impact of a security breach, as ephemeral containers contain less sensitive data and are less integrated into the system.\n\nIn practice, here is how you utilize ephemeral containers:\n\n1. **Identify Suitable Use-Cases:** Determine which tasks or processes in your workflow are suitable for ephemeral containers. Ideal candidates are short-lived operations like batch processing, testing, or temporary data manipulation.\n2. **Configure Ephemeral Containers:** Set up your container orchestrator (e.g., Kubernetes) to deploy these containers for the identified tasks. Ensure these containers are stateless and designed to perform a single function or process.\n3. **Automate Container Lifecycle:** Implement automation for creating, deploying, and destroying ephemeral containers. 
Ensure that these containers are automatically destroyed after completing their designated task.\n4. **Integrate with CI/CD Pipelines:** Incorporate ephemeral containers into CI/CD pipelines, particularly for testing new builds or performing temporary computations. This ensures that new code is tested in a clean, isolated environment each time.\n5. **Monitor and Audit:** Regularly monitor the usage of ephemeral containers to ensure they are functioning as intended. Audit the process to confirm that these containers do not retain or leak sensitive data and effectively minimize the attack surface.\n\n### **Privilege Limitation Strategies**\n\nLimiting the privileges of containers is a fundamental security principle. Containers should be granted only the minimum privileges necessary for their operation. This includes running containers with non-root user privileges wherever possible and limiting the system resources they can access. Reducing container privileges minimizes the potential damage in the event of a container compromise.\n\nFor your existing containers, follow the process below to limit privileges:\n\n1. **Audit Container Privileges:** Review existing containers to identify those running with excessive privileges, especially those operating as root.\n2. **Create Non-Root Users:** Modify Dockerfiles and configurations to establish non-root user accounts for running container processes.\n3. **Set Up RBAC:** Implement Role-Based Access Control using tools like Kubernetes, assigning only essential permissions to each role.\n4. **Define Security Contexts:** In Kubernetes deployments, configure security contexts for pods, specifying user, group, and privilege settings.\n5. 
**Monitor and Adjust:** Continuously monitor for privilege escalations and regularly audit RBAC configurations, making necessary adjustments to maintain security.\n\n## **Network Security and Monitoring**\n\nContainers bring unique challenges in network security, such as securing data in transit and managing complex inter-container communications. Effectively addressing these challenges is crucial for maintaining the integrity and security of containerized infrastructures.\n\n### **Network Segmentation and Policy Enforcement**\n\nNetwork segmentation is key in container environments, as it isolates containers and reduces the risk and scope of potential breaches. This isolation helps contain threats and prevents them from spreading across the network. \n\nImplementing network policies, particularly in orchestration platforms like Kubernetes, is essential for controlling traffic flow and pod-to-pod communication. These policies dictate how containers interact, enhancing overall network security and efficiency.\n\n### **Container Monitoring Techniques**\n\nMonitoring container performance and network activity is essential for early detection of security threats. Utilize a tool such as [Prometheus](https://docs.docker.com/config/daemon/prometheus/) for this purpose. \n\nSuch tools provide real-time insights into container performance, helping to identify unusual patterns that may indicate a security issue quickly. Set up alerts for anomalies to ensure prompt response to potential threats. \n\nRegular monitoring not only aids in immediate threat detection but also contributes to a deeper understanding of your container environment's typical behavior, which is invaluable for ongoing security management.\n\n### **Service Mesh for Secure Communication**\n\nIncorporating a service mesh, like [Istio](https://istio.io/) or [Linkerd](https://linkerd.io/), can significantly improve secure communication between containers. 
These service meshes provide capabilities such as mutual TLS, which ensures that all data transfers are encrypted and authenticated. This is particularly important in environments where containers need to communicate sensitive data. \n\nA service mesh also offers fine-grained control over communication policies, further enhancing container interactions' security and reliability. Integrating a service mesh into your container environment helps safeguard data in transit and maintain the integrity of your network communications.\n\n## **Use Security Orchestration** \n\nSecurity orchestration addresses the need for swift and coordinated responses to the diverse and rapidly evolving threats in modern container environments. This approach simplifies the complex task of securing containers by:\n\n- **Streamlining Vulnerability Management:** In container environments, security threats can emerge rapidly and from multiple sources. Security orchestration tools like [Kondukto](https://kondukto.io/platform) consolidate and let you manage vulnerabilities efficiently. They provide a unified view and reduce the complexity of tracking and addressing them across all your containerized (and not yet containerized) applications.\n- **Enhanced Collaboration and Remediation:** Security orchestration facilitates better collaboration between security and development teams. By integrating with common development tools, these platforms enable quick sharing of important contexts and fixes. They make it easier for you to understand and fix vulnerabilities faster.\n\n## **Conclusion**\n\nTo ensure a safe container environment, you need trusted and secure base images. You also need to protect your container registry and the network layer. A service mesh can help with that, as well as network segmentation, RBAC and minimal privileges. Ephemeral containers will reduce the risk of attacks by limiting the container lifespan; use them where feasible. 
Finally, connect your container infrastructure to your security monitoring and posture management systems to stay alert and responsive.","This blog post provides practical tips for achieving strong container security.  It covers some best practices on how to secure your container infra.","container-security-a-quick-overview","blog/container-security-a-quick-overview",-390,[108,33,34],"f97219fa-65f1-49e6-9c8b-cc4a5efee25a","2023-11-21T14:49:41.538Z",[],{"name":202,"created_at":203,"published_at":204,"id":205,"uuid":206,"content":207,"slug":219,"full_slug":220,"sort_by_date":29,"position":221,"tag_list":222,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":223,"first_published_at":224,"release_id":29,"lang":38,"path":29,"alternates":225,"default_full_slug":29,"translated_slugs":29},"Unveiling Java Library Vulnerabilities Through XXE Exploration","2023-10-30T03:22:58.536Z","2023-11-02T01:18:49.397Z",397508667,"7f9224dc-e725-4253-83f3-8dc0bc4443f5",{"_uid":208,"image":209,"title":216,"author":77,"details":217,"component":25,"meta_description":218},"fdce9a7c-cc45-41a3-8fca-95906a436027",{"id":210,"alt":211,"name":17,"focus":17,"title":212,"source":17,"filename":213,"copyright":214,"fieldtype":20,"meta_data":215,"is_external_url":22},12192385,"A screenshot showing the home page of the javulna project on GitHub","javulna repository on GitHub","https://a.storyblok.com/f/168460/1233x735/5998911b37/kondukto_xxe_javulna_2023-11-01.jpg","© 2023 by Kondukto Inc. All rights reserved.",{},"Unveiling Java Library Vulnerabilities","During a recent customer engagement, we encountered an interesting situation. The customer had raised concerns about a Java XXE (XML External Entity) vulnerability that had left their developers puzzled. Notably, their Static Application Security Testing (SAST) scans consistently identified this as a potential vulnerability. 
Given the complexity of the issue, our security consultancy team challenged me to dive deep into the issue and provide a clear and comprehensive explanation of this vulnerability to our customer. For a detailed, case-driven exploration of XXE vulnerabilities and their remediation in Java, refer to my specialized GitHub repository [here](https://github.com/kondukto-io/java-xxe-vulnerability-search-semgrep-remediation).\n\nThis article marks the beginning of our efforts to demystify Java XXE vulnerabilities, with the goal of equipping developers and security teams with the knowledge to effectively address them.\n\n![](https://a.storyblok.com/f/168460/1978x984/8be1aee0de/screenshot-2023-10-31-at-18-28-39.png)\n\nIn this insightful journey, we'll be deliberately utilizing the vulnerable Java repository (\u003Chttps://github.com/edu-secmachine/javulna>) as our testing ground. This serves as an ideal platform to showcase the exploitation of a critical Java library vulnerability. Our exploration will be two-fold: initially, we'll employ [Semgrep](https://semgrep.dev/) for a static analysis scan to identify the vulnerability, followed by a hands-on demonstration via terminal execution of a Java file, and we will also demonstrate remediation of the vulnerable code.\n\n## Static Analysis with Semgrep: A Docker-Integrated Approach\n\nSeamlessly integrated into a Docker container, Semgrep allows for streamlined scanning of repositories. 
The command below initiates the scan, providing us with invaluable insights into potential weaknesses:\n\n![](https://a.storyblok.com/f/168460/2034x1000/37a0a1720c/screenshot-2023-10-31-at-18-29-58.png)\n\n~~~\n$ docker run --rm -v $PWD:/src returntocorp/semgrep semgrep --config p/owasp-top-ten --json -o /src/semgrepscan-results.json\n~~~\n\nIn this command, we mount the current directory into the container as /src and specify the configuration as p/owasp-top-ten, focusing the scan on the top vulnerabilities commonly encountered.\n\nWe can see the XXE vulnerability listed inside the results, with additional information about the vulnerability such as “likelihood factor LOW”.\n\nTo deepen our understanding, let's examine the Semgrep scan results captured in the image below:\n\n![](https://a.storyblok.com/f/168460/2028x1280/8fa4044d70/screenshot-2023-10-31-at-18-30-47.png)\n\nHere the “likelihood” in Semgrep indicates the probability that a detected issue is a true positive and not a false alarm. The screenshot above reveals detailed information about the detected vulnerabilities, including the XXE vulnerability we're particularly interested in. The likelihood factor is marked as “LOW”, inviting further inquiry.\n\n## Exploitation with XXE\n\nThe image below offers a comprehensive look at the code, the compiled binary file, and its terminal execution.\n\n![](https://a.storyblok.com/f/168460/1998x1080/8311f1411a/screenshot-2023-10-31-at-18-31-49.png)\n\nAs seen in the output displayed on the terminal, the exploit successfully targets the vulnerability by invoking the /etc/passwd file. This action confirms that the code can indeed compromise the system, capturing sensitive data and outputting it directly in the terminal.\n\n## Out of Band XXE: Escalating Risks and Internet-Wide Exploits\n\nAnother alarming facet of this vulnerability is its potential for Out of Band XML External Entity (OOB XXE) attacks. 
This form of attack allows the malicious code to send packets across the internet, laying the groundwork for more extensive exploits.\n\n![](https://a.storyblok.com/f/168460/2154x1092/219b0d28ee/screenshot-2023-10-31-at-18-32-39.png)\n\nIn our next experiment, we modify the initial code to utilize an external XML file. The image below vividly illustrates this adaptation, attaching the payload XML with a common website “webhook”.\n\n![](https://a.storyblok.com/f/168460/2112x628/80733c5ea7/screenshot-2023-10-31-at-18-33-31.png)\n\nBy incorporating an external XML file, the exploit gains an added layer of complexity and versatility. This approach further broadens the attack vector, making it even more crucial to address this vulnerability.\n\n![](https://a.storyblok.com/f/168460/2016x400/d3bdf9021e/screenshot-2023-10-31-at-18-34-36.png)\n\n## Anatomy of the XXE Exploit: Breaking Down the XML Behavior\n\nLet's dissect the XML snippet responsible for the XXE attack and explore how each segment contributes to the compromise. The code snippet, presented below, employs a well-crafted XML structure to trick the XML parser.\n\n~~~\n\u003C?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\u003C!DOCTYPE foo [\u003C!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\n\u003Cfoo>&xxe;\u003C/foo>\n~~~\n\n### XML Components and their Roles\n\n1. XML Declaration: `\u003C?xml version=\"1.0\" encoding=\"UTF-8\"?>`  \n   This part specifies the XML version and its character encoding.\n2. Document Type Definition (DTD): `\u003C!DOCTYPE foo [\u003C!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>`  \n   The DTD defines the structure of the XML document and plays a pivotal role in this attack.\n   - Role of `DOCTYPE`: The DOCTYPE declaration specifies that the document type is \"foo\" and sets the stage for defining entities used in the XML document. 
It sets up a framework for XML validation and for defining entities, such as “xxe” in this case.\n   - Entity Definition: The segment `[\u003C!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]` is the crux of the XXE attack.\n   - `\u003C!ENTITY xxe`: Declares an entity named `xxe`.\n   - `SYSTEM \"file:///etc/passwd\"`: This entity fetches a system file using the `file://` protocol, targeting the /etc/passwd file commonly used in Unix-based systems.\n3. XML Content: `\u003Cfoo>&xxe;\u003C/foo>`  \n   This part of the XML houses the root element foo and invokes the malicious xxe entity using &xxe;.\n\n### **The Exploitation Sequence**\n\n1. The XML parser identifies the &xxe; entity within the \u003Cfoo> element.\n2. It then looks up the xxe definition in the DTD.\n3. The DTD specifies the SYSTEM keyword followed by a file path (file:///etc/passwd).\n4. Finally, the XML parser attempts to read the /etc/passwd file on the host system.\n\nBy executing this process, an inadequately secured XML parser will successfully retrieve the /etc/passwd file, leaking sensitive user account information.\n\nWith this understanding, it becomes abundantly clear why robust XML parser configurations that make the code secure are not just optional but essential in fortifying applications against XXE vulnerabilities. These configurations are the remediations shown in the remediation section.\n\n## The Consequences of Lax XML Parser Configuration\n\nIf the XML parser isn't rigorously configured to guard against XML External Entity (XXE) attacks, it becomes an unwitting accomplice in a security breach. By executing the malicious XML, the parser can access sensitive system files, such as /etc/passwd. This file is a treasure trove of sensitive information, typically housing user account details. 
An attacker can exploit this vulnerability to harvest this data.\n\n## A Cautionary Tale on XXE Vulnerabilities\n\nIn essence, the xmlData string acts as a trojan horse, using a craftily designed Document Type Definition (DTD) to deceive the XML parser into accessing the /etc/passwd file. This exploit is a textbook case of XML External Entity (XXE) attacks. It underscores the imperative need for robust security measures, specifically around XML parser configurations, in real-world applications.\n\nThe implications are clear: an improperly secured XML parser isn't just a minor oversight but a glaring security gap that could lead to significant data breaches. Therefore, hardening XML parsers against XXE vulnerabilities isn't just advisable—it's essential.\n\n## Remediation: Securing XML Parsing in Java\n\nThe code under discussion serves as a robust mechanism for thwarting XML External Entity (XXE) attacks in Java-based applications. XXE attacks can wreak havoc by introducing harmful XML entities into otherwise benign XML data. Let's delve into the code's protective layers to understand its efficacy.\n\n`DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();`\n\nThis line kicks off the remediation process by creating a new instance of DocumentBuilderFactory. This factory object will later be customized to create DocumentBuilder instances, which are in charge of parsing XML documents.\n\n`factory.setFeature(\"http://apache.org/xml/features/disallow-doctype-decl\", true);`\n\nThe above line makes a pivotal security adjustment to DocumentBuilderFactory. It disallows the use of Document Type Definitions (DTDs) within XML documents. 
This is crucial because DTDs can be weaponized to define hazardous entities, leading to XXE attacks.\n\n`factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", false);`\n\n`factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);`\n\nHere, the code further enhances security by disabling the parsing of external general and parameter entities. These entities can point to external files and resources, serving as vectors for XXE attacks.\n\n## Summary: A Proactive Defense\n\nIn essence, the code carefully configures DocumentBuilderFactory to fortify its XML parsing capabilities against XXE vulnerabilities. By disallowing DTDs and deactivating external entity parsing, the code significantly reduces the attack surface.\n\nThis remediation tactic is not just a good practice but a cybersecurity imperative, given the evolving landscape of threats. The code encapsulates a proactive approach to security, underlining the importance of nipping vulnerabilities in the bud.\n\n![](https://a.storyblok.com/f/168460/1978x1284/ad4bb89d33/screenshot-2023-10-31-at-18-36-07.png)\n\nAfter applying the remediation code, the terminal output clearly shows that the exploit is no longer functional. Unlike before, there are no attempts to access or write to sensitive files, affirming that the vulnerability has been successfully mitigated.\n\n![](https://a.storyblok.com/f/168460/1998x232/02fc6c5b12/screenshot-2023-10-31-at-18-36-53.png)\n\nThe absence of any significant output or messages in the terminal, post-execution of the binary with remediated code, serves as a silent testimony to the effectiveness of the security measures. 
Had the exploit been viable, one would expect to see evidence of unauthorized file access or other malicious activity.\n\n## Bonus: Alternative Strategies\n\nThere are several approaches to mitigating XML External Entity (XXE) vulnerabilities besides the code example I provided earlier; numbers 1 and 2 below summarize the process we have walked through together. Here are some common strategies:\n\n1. Secure XML Parser: Use libraries like OWASP's ESAPI for built-in XXE protection.\n2. Disable DTDs: Configure DocumentBuilderFactory to disable DTD processing, enhancing security.\n3. Whitelist Entities: Allow only pre-defined, safe entities to be processed.\n4. Input Validation: Implement strict schema validation to filter out malicious XML payloads.\n5. Content Security Policies: Limit the sources from which external entities can be fetched.\n6. Use WAF: Deploy a Web Application Firewall to block malicious XML payloads.\n7. Keep Libraries Updated: Use the most recent versions of XML processing libraries.\n8. Regular Audits: Conduct security reviews and penetration testing to identify vulnerabilities.\n\nEach of these strategies has its own merits and can be combined for comprehensive XML security.\n\n## Bonus++: Semgrep p/owasp-top-ten doesn’t detect the remediation\n\nAfter applying our remediation code, we scanned our Java application once again using Semgrep's OWASP Top Ten rule set. Intriguingly, even though the code was remediated, the scan still flagged it as vulnerable under the same CWE-611 label. Before remediation, the vulnerability showed up twice, each with a different check_id:\n\n1. `contrib.owasp.java.xxe.documentbuilderfactory.owasp.java.xxe.javax.xml.parsers.DocumentBuilderFactory`\n2. 
\"[Java.lang.security](http://Java.lang.security).audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing\"\n\nPost-remediation, only the first check_id continued to appear in the scan results. This lingering flag suggests that this particular rule might be outdated and in need of an update.\n\n![](https://a.storyblok.com/f/168460/2006x632/ed0b7adfb7/screenshot-2023-10-31-at-18-37-36.png)For a closer look at the rule set and its potential limitations, you can visit the [Semgrep OWASP Top Ten Rule Set](https://semgrep.dev/p/owasp-top-ten).\n\n![](https://a.storyblok.com/f/168460/1990x1294/77949965f9/screenshot-2023-10-31-at-18-38-25.png)\n\nThe persistent flagging by the first check_id, despite successful remediation, serves as a reminder: automated security tools are a vital component but not a complete solution. They should be integrated into a more comprehensive, layered security strategy.\n\n### Differences between Remediations/Rules\n\nWhile remediation for the check_id starts with ”[Java.lang.security](http://Java.lang.security).audit” is remediated with the functions mentioned early in the this blog, vulnerability alarm still exists with the check_id starts with “[contrib.owasp.java](http://contrib.owasp.java)” which potentially result in False Positives and potential times loses for security and developer teams in the company.\n\nHere we can see the different findings have the same CWE number “CWE-611” yet remediation for one is not enough for the other. 
Therefore, we inspected the unremediated rule and added functions in accordance with it.\n\n![](https://a.storyblok.com/f/168460/1988x1406/25866ed559/screenshot-2023-10-31-at-18-39-53.png)\n\nHere we include the additional remediation code that the rule considered missing.\n\n![](https://a.storyblok.com/f/168460/2000x1136/c80e3025a6/screenshot-2023-10-31-at-18-40-49.png)\n\nIn the results of the Semgrep scan with the final set of functions included, the vulnerability (or false positive) alerts have disappeared.\n\n![](https://a.storyblok.com/f/168460/1996x696/7552995b86/screenshot-2023-10-31-at-18-41-25.png)\n\nHere we look at the remediation functions one by one to understand what each does and how it affects the code mentioned. In the remediation section, two types of Java functions are highlighted: one is crucial for the detection of both rule sets, while the other is specific to the OWASP Top Ten ruleset configuration. We will explore these functions as configured in two distinct YAML files, focusing on the differences. Here the first function appears in both rule sets, whereas the other is exclusive to the OWASP configuration.\n\n1. Mitigating XXE with External Entity Parsing: XXE vulnerabilities often stem from the XML parser's capability to fetch and evaluate external entities. To prevent this we can use the code previously mentioned as remediation:  \n   `setFeature(\"http://xml.org/sax/features/external-general-entities\", false);`\n\n   `setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false);`  \n   These configurations inhibit the parser from interpreting both general and parameter external entities. This considerably reduces the possibility of an XXE attack.\n2. 
Understanding XInclude & namespace configurations: While these settings aren't direct mitigations for XXE, they do influence XML parsing behavior:\n\n   `factory.setXIncludeAware(true);`\n\n   `factory.setNamespaceAware(true);`\n\nWith setXIncludeAware(true), XML documents can embed other XML documents. If not managed correctly, this is itself an attack vector (an `xi:include` can point at a local file much like an external entity), which is why the OWASP XXE Prevention Cheat Sheet recommends `setXIncludeAware(false)` together with `setExpandEntityReferences(false)`. If a scanner rule only checks that the call is present rather than which value it is given, either value will silence it, so verify the value yourself. On the other hand, setNamespaceAware(true) equips the parser to recognize XML namespaces, which is necessary for correct document structure and schema validation.\n\nIn essence, while XML brings versatile data structuring capabilities, securing parsers against XXE vulnerabilities is of paramount importance to protect sensitive data and system integrity.\n\nWrapping up: XXE attacks are a serious threat that requires proper understanding and mitigation. However, we should also be careful not to be misled by false positives, which can distract us from the real vulnerabilities. We need to keep a balanced focus and give XXE vulnerabilities the attention they need.\n\n## References used in this Blog Post\n\n1. \u003Chttps://community.veracode.com/s/article/Java-Remediation-Guidance-for-XXE>\n2. \u003Chttps://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing>\n3. \u003Chttps://semgrep.dev/p/owasp-top-ten>\n4. \u003Chttps://portswigger.net/web-security/xxe>\n5. \u003Chttps://github.com/edu-secmachine/javulna>\n6. \u003Chttps://mcoskuner.medium.com/>","In this article, we will explain the basics of Java XXE vulnerabilities, how they can be exploited and how they can be prevented. 
","unveiling-java-library-vulnerabilities-through-xxe-exploration","blog/unveiling-java-library-vulnerabilities-through-xxe-exploration",-380,[59,34],"b6274025-849a-47ae-8c52-9aadff8df554","2023-10-31T13:47:40.771Z",[],{"name":227,"created_at":228,"published_at":229,"id":230,"uuid":231,"content":232,"slug":243,"full_slug":244,"sort_by_date":29,"position":245,"tag_list":246,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":248,"first_published_at":249,"release_id":29,"lang":38,"path":29,"alternates":250,"default_full_slug":29,"translated_slugs":29},"Get Management Buy-in with AppSec Metrics","2023-10-17T04:10:57.784Z","2023-10-17T12:42:36.764Z",390537383,"81708e21-50bd-498e-acff-541a201740d9",{"_uid":233,"image":234,"title":227,"author":101,"details":241,"component":25,"meta_description":242},"010b1c9a-03e2-4f5e-a426-7930a83df4f9",{"id":235,"alt":236,"name":17,"focus":17,"title":237,"source":17,"filename":238,"copyright":99,"fieldtype":20,"meta_data":239,"content_type":240,"is_external_url":22},11920624,"an area chart that shows how open vulnerability count developed over time segmented by serverity","Vulnerability Burn Down Chart","https://a.storyblok.com/f/168460/790x454/c85b7a7d86/vulnerability-burn-down-chart_2023-10-17.png",{},"png","Getting management to back your application security plans can be a tough sell. Metrics are vital because they help you understand how effective your initial cybersecurity measures are and how to turn them into measurable data that's easy for everyone to understand. This article will explore how to use metrics to get the support you need and make your application security programs more effective.\n\n## **Why Metrics are the Cornerstone of Application Security**\n\nMetrics are the core foundation of measuring the success of your application security program. They give you the numbers to see how well your security measures work. 
Without them, you're flying blind.\n\nMetrics provide a way to measure your program's effectiveness and are crucial for making informed decisions. They're the tools you need to see where you're doing well and where you need to step up your game.\n\n### **Identifying Bottlenecks Through Metrics**\n\nMetrics help you spot the weak links in your security chain. When you notice that it's taking too long to fix vulnerabilities, that's a sign you need to dig deeper. Metrics can show you exactly where things are getting stuck so you can fix those issues.\n\nBy identifying these bottlenecks, you can allocate your resources more effectively and efficiently, strengthening your entire security program.\n\n## **Technical Bottleneck Identification**\n\nIdentifying bottlenecks isn't just a managerial task. It requires technical depth. By analyzing commit histories, integration test results, or deployment logs, you can pinpoint the specific stages in the CI/CD pipeline where vulnerabilities are introduced or overlooked.\n\nTools that attribute code changes to authors and commits, such as [git blame](https://git-scm.com/docs/git-blame), can be invaluable. Integrating these tools with your metrics dashboard gives you a real-time view of potential security choke points.\n\n### **Making Data-Driven Decisions**\n\nMetrics offer the data you need to make informed and justifiable choices. They provide the evidence to back up your strategies and decisions.\n\nThis is crucial for getting buy-in from both your team and your leadership. When you make data-driven decisions, you're improving security and building a stronger case for your initiatives.\n\n### **Integrating Security Metrics with Data Platforms**\n\nData analytics platforms such as Splunk or the ELK Stack are common tools in modern organizations. They can help you monitor and optimize your business performance. 
By integrating your security metrics into these platforms, you enhance your security posture and give other stakeholders visibility into it. Teams can then set up real-time monitoring and alerts, providing immediate insights into potential security breaches or vulnerabilities.\n\nThis integration ensures that security isn't siloed but is part of the broader data-driven decision-making process.\n\n### **Building Trust with Stakeholders**\n\nConsistent, reliable metrics can be a big help in building trust. When you can show real numbers that prove you're managing risks effectively, people are more likely to trust you.\n\nAnd when people trust you, getting the resources and support you need to improve your security programs is much easier.\n\n### **Threat Modeling and Metrics Alignment**\n\nBefore diving deep into metrics, it's essential to understand the role of threat modeling. Threat modeling is a systematic approach to identifying potential security threats and designing countermeasures to mitigate them.\n\nBy aligning your threat modeling outcomes with metrics, you can prioritize the most relevant metrics. For instance, if threat modeling identifies SQL injection as a primary concern, metrics related to database access vulnerabilities should be at the forefront. This alignment ensures that your metrics are not just numbers but are tied directly to tangible security concerns.\n\n## **Must-Have Metrics for Any Application Security Program**\n\n### **The Triage Percentage Metric**\n\nThe Triage Percentage Metric reveals the proportion of identified vulnerabilities that have been evaluated within a given time frame. For instance, if you detected 100 vulnerabilities and assessed 80, your Triage Percentage is 80%.  \nThis metric is essential because it showcases the responsiveness of your security process. 
Simply put, a higher percentage indicates a quicker reaction to potential threats, underscoring the agility of your security measures.\n\n#### **Automation in Vulnerability Triage**\n\nAutomation plays a pivotal role in managing this metric effectively. Tools that automatically categorize vulnerabilities upon discovery can be highly impactful. Dashboards help teams monitor the triage process in real time, so they are aware of new vulnerabilities as they emerge and can address them promptly. This systematic approach reduces the chance that a new finding sits unreviewed.\n\nSo, how do you interpret this metric in practice? Let's say your triage percentage is low. That's a potential red flag, signaling that you need to allocate more resources to the initial stages of your security process.\n\nConversely, a high triage percentage indicates that your team is effectively sorting through new vulnerabilities, allowing you to focus on remediation.\n\n### **Vulnerability Burndown Chart**\n\n![](https://a.storyblok.com/f/168460/790x454/c85b7a7d86/vulnerability-burn-down-chart_2023-10-17.png)\n\n#### **Understanding the Burndown Chart**\n\nThe Vulnerability Burndown Chart is a measure of your security performance over time. 
It indicates how many vulnerabilities you have resolved and how many remain unresolved.\n\nInterpreting this chart is simple: the lower the number of unresolved vulnerabilities, the stronger your defence is.\n\n#### **Technical Setup of a Vulnerability Burndown Chart**\n\nSetting up an effective vulnerability burndown chart requires integration with tools like Kondukto or GitHub Issues.\n\nTeams can generate real-time burndown charts by tagging and tracking vulnerabilities in these platforms and then integrating them with visualization tools.\n\nThis setup provides a dynamic view of how vulnerabilities are addressed, ensuring that teams are always aware of their security posture.\n\n#### **Strategic Implications**\n\nIf you observe that the number of unresolved vulnerabilities is growing, it's time to rethink your strategy.\n\nYou might need more staff, or your current tools may not be up to the task. This chart gives you the insights you need to make **strategic adjustments**.\n\n### **Missed SLAs (Service Level Agreements)**\n\n#### **Variability in SLA Calculations**\n\nService Level Agreements (SLAs) are commitments between service providers and their clients or stakeholders about the level of service to be provided. They vary significantly in detail and scope depending on the organization and the nature of the service, and for vulnerability remediation they are tricky to compare because different organizations measure them differently.\n\nKnowing how your organization calculates SLAs is paramount. Some organizations start the SLA timer when a vulnerability is first detected, while others begin only once the remediation process has been initiated. 
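The difference between the two clock starts is easiest to see in code. The following Python is an added example, not from the original article: it computes the triage percentage, SLA breaches under either clock policy, and the daily open count behind a burndown chart, over a constructed set of findings. The per-severity SLA budgets are assumptions to replace with your own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SLA budget in days per severity; replace with your own policy.
SLA_DAYS = {'critical': 7, 'high': 30, 'medium': 90, 'low': 180}

@dataclass
class Finding:
    id: str
    severity: str
    detected: date
    triaged: Optional[date] = None   # date the finding was assessed
    started: Optional[date] = None   # date remediation work began
    fixed: Optional[date] = None     # date the fix was verified

def triage_percentage(findings, since, until):
    '''Share of findings detected in [since, until] that were triaged by `until`.'''
    window = [f for f in findings if since <= f.detected <= until]
    if not window:
        return 0.0
    triaged = sum(1 for f in window if f.triaged is not None and f.triaged <= until)
    return round(100.0 * triaged / len(window), 1)

def sla_breaches(findings, today, clock='detected'):
    '''Open findings past their SLA, as (id, days overdue). `clock` selects when
    the timer starts: 'detected' (strict) or 'started' (lenient, only once work began).'''
    breaches = []
    for f in findings:
        if f.fixed is not None:
            continue
        start = f.detected if clock == 'detected' else f.started
        if start is None:
            continue   # lenient clock never started: this finding is invisible to the SLA
        deadline = start + timedelta(days=SLA_DAYS[f.severity])
        if today > deadline:
            breaches.append((f.id, (today - deadline).days))
    return breaches

def burndown(findings, start, end):
    '''Open-vulnerability count per day between start and end: the burndown series.'''
    series = []
    day = start
    while day <= end:
        open_count = sum(1 for f in findings
                         if f.detected <= day and (f.fixed is None or f.fixed > day))
        series.append((day, open_count))
        day += timedelta(days=1)
    return series

# Constructed sample findings (not real data).
SAMPLE = [
    Finding('F1', 'critical', date(2023, 9, 1), triaged=date(2023, 9, 1),
            started=date(2023, 9, 2), fixed=date(2023, 9, 6)),
    Finding('F2', 'high', date(2023, 9, 3), triaged=date(2023, 9, 4), started=date(2023, 9, 20)),
    Finding('F3', 'critical', date(2023, 9, 10), triaged=date(2023, 9, 12), started=date(2023, 10, 1)),
    Finding('F4', 'medium', date(2023, 9, 15)),                      # never triaged, never started
    Finding('F5', 'low', date(2023, 9, 20), triaged=date(2023, 9, 21)),
]

def demo_report():
    '''All three metrics over SAMPLE as of 2023-10-15.'''
    today = date(2023, 10, 15)
    return {
        'triage_pct': triage_percentage(SAMPLE, date(2023, 9, 1), date(2023, 9, 30)),
        'breaches_detected': sla_breaches(SAMPLE, today),
        'breaches_started': sla_breaches(SAMPLE, today, clock='started'),
        'burndown': burndown(SAMPLE, date(2023, 9, 1), date(2023, 9, 22)),
    }

if __name__ == '__main__':
    report = demo_report()
    print('triage %:', report['triage_pct'])
    print('breaches, clock=detected:', report['breaches_detected'])
    print('breaches, clock=started:', report['breaches_started'])
    for day, n in report['burndown'][::7]:
        print(day, 'open:', n)
```

Run on the constructed data, the two policies disagree exactly as the text warns: with the clock started at detection, F2 and F3 are overdue; with the clock started at remediation, only F3 is, and F4, which nobody has picked up, never breaches at all. That blind spot is the price of the lenient policy.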
Understanding this distinction ensures that your security team is aligned with organizational expectations, reducing the risk of missing key deadlines.\n\nTo set realistic goals and adhere to best practices, it's beneficial to refer to industry standards. The [ITIL framework (Information Technology Infrastructure Library)](https://www.axelos.com/certifications/itil-service-management) offers guidelines on SLA formulation and management.  \nFurthermore, organizations like [ISACA](https://www.isaca.org/) and the [SANS Institute](https://www.sans.org/) provide insights and training on IT governance and SLA best practices.\n\n#### **Technical Nuances of SLA Calculations**\n\nSLA tracking reflects the efficiency of the remediation process. Integrating SLA tracking directly into your issue tracking system keeps the status of vulnerabilities up to date as they move through remediation, and makes the SLA clock start from a recorded timestamp rather than from someone's memory.\n\nThis integration ensures that teams are always aware of how quickly vulnerabilities are being addressed, allowing for timely interventions when needed.\n\n### **Remediation Metrics**\n\nRemediation isn't just about fixing vulnerabilities. It's about doing it promptly. That's why tracking your remediation efforts is so important.\n\nIt's not enough to know that vulnerabilities are being addressed. You need to know how quickly and effectively they are resolved.\n\n## **Additional Metrics for a Robust Security Posture**\n\n### **Testing Coverage**\n\nTesting coverage measures how much of your code is actually checked for security issues. It's like a safety net that protects your application from hidden risks. If you're only testing a small part of your codebase, you're gambling with your security.\n\nYou need high testing coverage to make sure you don't miss vulnerabilities that could cause you significant problems. 
If your testing coverage is low, you have gaps in your security.\n\nBy increasing your testing coverage, you're closing those gaps and making your application more secure.\n\n### **Developer Training and Gamification**\n\nTraining can be tedious. But when it comes to security, it's essential. According to studies, developers who received security-related training create up to 50% fewer vulnerabilities. That's where gamification can come in handy. Turning training into a game makes it more likely that your developers engage with it and that the learning sticks.\n\nIt's a proven method for increasing engagement and retention in training programs.\n\nThe benefits of this approach are twofold:\n\n- **Enhanced Training Completion:** Developers are more motivated to finish the training.\n- **Improved Information Retention:** Developers learn and remember, boosting their efficiency in spotting and resolving vulnerabilities.\n\nCommercial developer training platforms like [Secure Code Warrior](https://www.securecodewarrior.com/) or [SecureFlag](https://www.secureflag.com/) make it easier to roll out secure coding courses and to leverage gamification for your certification programs.  \nBy investing in training methods that engage and resonate with developers, organizations can significantly bolster their first line of defence against potential threats.\n\n## Strengthening Security with DevSecOps Collaboration\n\nSecurity is a team effort. It's not just the responsibility of your security team; it's a company-wide effort. 
That's why fostering a culture of collaboration between your security and development teams is so important.\n\nMerging development and security teams under the DevSecOps philosophy yields clear benefits:\n\n- **Early Detection:** Integrating security checks during development helps catch vulnerabilities at the outset.\n- **Efficient Remediation:** With unified teams, vulnerabilities are resolved faster.\n- **Shared Responsibility:** Security becomes everyone's duty, fostering a proactive culture.\n\n### Steps for Effective Collaboration:\n\n- **Training:** Offer security training to developers, leveraging resources like [OWASP](https://owasp.org/).\n- **Use Integrated Tools:** Incorporate security tools directly into the DevOps pipeline for automated checks.\n- **Open Communication:** Encourage dialogue between teams to address and prevent issues.\n- **Feedback Loops:** Enable security teams to give developers actionable feedback for quicker fixes.\n\nFor a deeper dive into DevSecOps best practices, check out the [DevSecOps Manifesto](https://www.devsecops.org/manifesto/).\n\n## **Leveraging Metrics to Engage Leadership**\n\n### **Compelling Visualizations**\n\nPresenting your data in a visually compelling way makes it easier for leadership to grasp the state of your application security.\n\nThe impact of effective data visualization can't be overstated. When leadership can easily understand your metrics, they're more likely to take the actions needed to improve security.\n\nWhether it's allocating more resources or green-lighting a new initiative, effective visualization can be the catalyst for meaningful change.\n\n### **Identifying and Prioritizing Key Metrics**\n\nWith a myriad of metrics available, pinpointing the right ones can be overwhelming. Here's a structured approach to ensure you're focusing on metrics that resonate with your organization's goals:\n\n1. **Identify Organizational Goals:** Begin by clearly listing your organization's top three security goals for the year. For instance, it could be reducing breach incidents, improving patch deployment speed, or enhancing developer security training.\n2. **Map Metrics to Goals:** For each goal, identify specific metrics that directly measure its success. For instance, if the goal is to reduce breach incidents, a suitable metric might be the \"time to detect breaches.\"\n3. **Prioritize:** Not all metrics carry the same weight. Assign a priority level to each metric based on its relevance to the respective goal.\n4. **Allocate Resources:** Direct resources (tools, personnel, and budget) primarily towards high-priority metrics. This ensures that you're investing in areas that align with your main objectives.\n5. **Review & Communicate:** Periodically review these metrics with your team and present findings to leadership. Use visual aids like dashboards or charts to communicate progress and challenges effectively.\n6. **Iterate:** As your organization evolves, its goals might shift. Revisit this process annually or biannually to ensure alignment.\n\nBy following this structured approach, you ensure that your security program remains dynamic, actionable, and closely tied to organizational aspirations, making it easier to secure leadership buy-in.\n\n## **Conclusion**\n\nMetrics are essential for tracking the progress of your efforts and illustrating your organization's current status. Metrics go beyond mere numbers. They are the language that communicates your security posture to your leadership. From pinpointing bottlenecks to demonstrating return on investment (ROI), the appropriate metrics can be your strongest allies in garnering support.\n\nThe path to achieving robust application security resembles a marathon rather than a sprint. 
It demands continuous commitment, collaboration, and (above all) adaptability. Having the right tools in place can help make this process much more streamlined.","AppSec Metrics are essential to understand how effective your cybersecurity programs are and how to communicate their benefits to your leadership team. ","get-management-buy-in-with-appsec-metrics","blog/get-management-buy-in-with-appsec-metrics",-30,[247,33,34],"Secure Coding","6b9a3089-e777-4a2e-b632-40e1cb80d4e2","2023-10-17T12:38:36.278Z",[],{"name":252,"created_at":253,"published_at":254,"id":255,"uuid":256,"content":257,"slug":268,"full_slug":269,"sort_by_date":29,"position":270,"tag_list":271,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":272,"first_published_at":273,"release_id":29,"lang":38,"path":29,"alternates":274,"default_full_slug":29,"translated_slugs":29},"How to Streamline Vulnerability Management","2023-09-27T05:02:11.328Z","2023-09-27T05:41:26.493Z",377131031,"a15a9ff9-9c7f-4c25-8810-dc9bab447056",{"_uid":258,"image":259,"title":252,"author":125,"details":266,"component":25,"meta_description":267},"7bba87cf-a30d-45bb-8d2d-2e34856fb523",{"id":260,"alt":261,"name":17,"focus":17,"title":262,"source":17,"filename":263,"copyright":264,"fieldtype":20,"meta_data":265,"is_external_url":22},11319389,"process schematics showing the lifecycle of managing vulnerabilities","The Vulnerability Management Lifecycle","https://a.storyblok.com/f/168460/818x690/37b820bbf9/screenshot-2023-09-27-141554.jpg","copyright 2023 by Kondukto Inc. all rights reserved",{},"The current cyber world is a veritable minefield, with problems and dangers evolving at a rate that far outstrips the ability of most organizations to respond. More than merely a technical issue, an organization's security posture is determined by the quality of its vulnerability management.\n\n## **Overview of Vulnerability Management**\n\nWhen discussing vulnerabilities, we discuss the chinks in our digital armor. 
**The life cycle of vulnerability management isn't linear, it's cyclical**, starting with detection, then assessment, and ending with mitigation, only to loop back to detection.\n\n![process schematics of the vulnerability management lifecycle](https://a.storyblok.com/f/168460/1080x1080/06d9186aa9/vulnerability-management-lifecycle.png)\n\nUnderstanding vulnerabilities also means understanding the risks associated with them. Not all vulnerabilities are equal. Some pose a minuscule threat, while others can be catastrophic if exploited. Linking each vulnerability to its organizational risk helps shape an appropriate response strategy, ensuring that resources are effectively utilized.\n\n## **Measuring Success with Metrics and KPIs**\n\nEffective vulnerability management is about implementing strategies and ensuring those strategies deliver results. This is where Key Performance Indicators (KPIs) and metrics come into play, offering quantifiable insights into the effectiveness of implemented measures.\n\n### **Core Metrics to Monitor**\n\nThree KPIs that are crucial to the success of your vulnerability management are Time to Remediate, Vulnerability Recurrence Rate, and Fix Success Rate.\n\n**“Time-to-Remediate”** is pivotal as it provides insights into how quickly vulnerabilities are fixed. A shorter remediation time often correlates with a more efficient process, as it minimizes the window of opportunity for attackers. \n\nSimilarly, the **“Vulnerability-Recurrence-Rate”** indicates the robustness of the patches applied. If vulnerabilities recur frequently, the mitigation efforts may only address surface-level symptoms rather than the root cause.\n\nOften overlooked, the **“Fix-Success-Rate”** measures the percentage of patches successfully applied versus those attempted. 
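As an added example (not from the original article), all three KPIs can be derived from nothing more than the stable fingerprints each scan reports plus the dates on which fixes were attempted. The weekly scan history and the fix attempts below are constructed:

```python
from dataclasses import dataclass
from datetime import date
from statistics import median

@dataclass
class Scan:
    day: date
    fingerprints: frozenset   # stable IDs of the findings present in this scan

@dataclass
class FixAttempt:
    fingerprint: str
    attempted: date           # when the patch was deployed

def remediation_events(scans):
    '''Per fingerprint: first seen, the first scan it was absent from (closed),
    and whether it reappeared after being closed (recurred).'''
    ordered = sorted(scans, key=lambda s: s.day)
    state = {}
    for scan in ordered:
        for fp in scan.fingerprints:
            state.setdefault(fp, {'first': scan.day, 'closed': None,
                                  'recurred': False, 'present': True})
        for fp, st in state.items():
            present = fp in scan.fingerprints
            if st['present'] and not present and st['closed'] is None:
                st['closed'] = scan.day
            if not st['present'] and present:
                st['recurred'] = True
            st['present'] = present
    return state

def time_to_remediate_days(scans):
    '''Days from first detection to the first scan that no longer reports the finding.'''
    return {fp: (st['closed'] - st['first']).days
            for fp, st in remediation_events(scans).items() if st['closed'] is not None}

def median_ttr(scans):
    days = list(time_to_remediate_days(scans).values())
    return median(days) if days else None

def recurrence_rate(scans):
    '''Percentage of closed findings that came back in a later scan.'''
    closed = [st for st in remediation_events(scans).values() if st['closed'] is not None]
    if not closed:
        return 0.0
    return round(100.0 * sum(1 for st in closed if st['recurred']) / len(closed), 1)

def fix_success_rate(scans, attempts):
    '''Percentage of fix attempts confirmed by the first scan after the attempt.
    Attempts with no later scan are unverified and left out of the denominator.'''
    ordered = sorted(scans, key=lambda s: s.day)
    verified = succeeded = 0
    for a in attempts:
        later = [s for s in ordered if s.day > a.attempted]
        if not later:
            continue
        verified += 1
        if a.fingerprint not in later[0].fingerprints:
            succeeded += 1
    return round(100.0 * succeeded / verified, 1) if verified else 0.0

# Constructed weekly scan history (fingerprints A to D) and fix attempts.
SCANS = [
    Scan(date(2023, 9, 1), frozenset({'A', 'B', 'C'})),
    Scan(date(2023, 9, 8), frozenset({'B', 'C', 'D'})),     # A gone
    Scan(date(2023, 9, 15), frozenset({'A', 'C', 'D'})),    # B gone, A is back
    Scan(date(2023, 9, 22), frozenset({'C', 'D'})),
]
ATTEMPTS = [
    FixAttempt('A', date(2023, 9, 5)),
    FixAttempt('B', date(2023, 9, 10)),
    FixAttempt('C', date(2023, 9, 12)),
    FixAttempt('D', date(2023, 9, 18)),
]

if __name__ == '__main__':
    print('time to remediate (days):', time_to_remediate_days(SCANS))
    print('median TTR (days):', median_ttr(SCANS))
    print('recurrence rate %:', recurrence_rate(SCANS))
    print('fix success rate %:', fix_success_rate(SCANS, ATTEMPTS))
```

Finding A shows why the three numbers belong together: its fix counts as successful, because the next scan no longer reported it, yet it recurs one scan later, so only the recurrence rate exposes a patch that treated the symptom rather than the cause.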
A low success rate may indicate that the development teams do not fully understand the vulnerabilities they are trying to fix.\n\n### **Tangible Benefits and Stakeholder Buy-in**\n\nMetrics translate the effectiveness of vulnerability management into tangible business benefits. \n\nFor instance, consistently low “Time-to-Remediate” and “Vulnerability-Recurrence-Rate” figures can translate to fewer disruptions in service and higher customer trust. They also give stakeholders a clear return on investment (ROI) narrative. \n\nSecurity teams that demonstrate a direct link between improved metrics and business benefits can:\n\n- Secure support and resources\n- Further strengthen vulnerability management\n- More easily launch new security initiatives\n\nOrganizations that adopt a metrics-driven approach transform vulnerability management from a nebulous concept into a concrete business process with clear benchmarks and objectives. Optimizing the process strengthens the organization's overall security posture in the long run.\n\n## **Deep Dive into Challenges**\n\nThe sheer volume of emerging vulnerabilities can be overwhelming, making it difficult and time-consuming to stay updated. Complex IT architectures exacerbate this, including multi-cloud, hybrid systems, and IoT devices.\n\n![graphic showing the top 3 challenges in modern vulnerability management: large volume of vulnerabilities, it architectures and regulatory pressures.](https://a.storyblok.com/f/168460/1080x1080/b0a962ebdb/challenges-in-modern-vulnerability-management.png)\n\nRegulatory and compliance pressures further complicate the landscape. Regulations like [GDPR](https://gdpr-info.eu/) or [CCPA](https://oag.ca.gov/privacy/ccpa) mandate strict data protection measures, and failure to comply due to vulnerabilities can result in severe penalties. 
Thus vulnerability management is not only a technical imperative but a legal one as well.\n\n## **Comprehensive Strategies for Streamlined Vulnerability Management**\n\n![schematics showing the 6 core components for streamlining vulnerability management: automation, risk prioritization, education, analytics, patching, collaboration.](https://a.storyblok.com/f/168460/1080x1080/d599aa26ca/strategies-for-streamlined-vulnerability-management.png)\n\n**Enhanced Automation Techniques:** Embracing automation can drastically reduce the time taken to identify and fix vulnerabilities. AI-driven tools offer real-time monitoring and can flag likely weak spots in the system. A robust, interconnected defense strategy results when these tools are synced with the rest of your security tooling.\n\n**Risk-Based Approach:** Traditional methods of addressing vulnerabilities often use a blanket approach, trying to fix everything. Instead, channel your efforts more effectively by segmenting vulnerabilities based on system importance and potential impact. This means high-risk vulnerabilities are addressed promptly, reducing potential damage.\n\n**Ongoing Education:** Knowledge is the most potent weapon in the world of cybersecurity. By continually updating your team's knowledge base, you're strengthening your defense capabilities and fostering a culture of vigilance. Workshops, seminars, and hands-on training are invaluable instruments.\n\n**Data-Driven Decision-Making:** Leveraging data analytics can provide insights into patterns, potential threats, and system health. A vulnerability data lake enriched with machine learning models can surface likely threat vectors early, offering a significant strategic advantage.\n\n**A Structured and Iterative Approach to Patching:** Structured patching, backed by rigorous testing environments and staged rollouts such as canary releases, ensures patches are rolled out without disruptions. 
If vulnerabilities remain, automated rollbacks can restore system integrity.\n\n**Interdepartmental Collaboration for Holistic Security:** A siloed approach is the Achilles heel of many organizations. By encouraging cross-departmental collaboration, one can address vulnerabilities holistically, drawing from diverse expertise and insights.\n\n## **Tactical Blueprint for Implementing a Streamlined Process**\n\nTo transition from understanding vulnerabilities to effectively managing them, one needs a strategic blueprint: Audit your existing status, set objectives, allocate resources to your vulnerabilities, and collect feedback to measure progress agilely.\n\n![graphic that shows the tactical steps of vulnerability management: audit, objectives, resource allocation, feedback.](https://a.storyblok.com/f/168460/1080x1080/a99fa04e23/tactical-blueprint-steps.png)\n\n**Infrastructure Audit:** A thorough, objective audit helps map out existing vulnerabilities, clearly showing the current state. This is where red teams and penetration testers earn their keep, providing invaluable insights.\n\n**Objective Setting:** Setting clear, measurable goals provides direction. Your goals could be reducing vulnerability detection time or increasing patch efficiency. Benchmarked against industry standards, objectives help maintain competitive parity.\n\n**Resource Allocation:** This is the engine that drives the entire process. Assigning dedicated teams, allocating budgets, and optimizing these resources is vital. Consider this an investment—the costs of breaches far outweigh the expenditure on robust vulnerability management.\n\n**Feedback Loops:** A feedback-driven model ensures that the system remains dynamic. 
Regular feedback can highlight areas of improvement, ensuring that the vulnerability management system remains agile and adaptable.\n\n## **The Role of Leadership in Creating a Vulnerability-Resistant Culture**\n\nWhile systems and tools are crucial, the human element must be considered. Leadership's role is pivotal in shaping organizational culture. Leaders must understand cybersecurity's business implications, translating this into strategic decisions.\n\nPromoting a culture that prioritizes security, encourages continuous learning, and champions data-driven vulnerability management, ensures an organization-wide alignment towards a common goal — robust cybersecurity.\n\n## **Comprehensive Toolkit and Resources for Decision Makers**\n\nTo ensure efficient vulnerability management, decision-makers must arm themselves with a robust toolkit and a comprehensive set of resources. They enable informed decision-making and contribute to a proactive security culture.\n\n### **Vulnerability Scanners:**\n\nThese software applications automatically identify vulnerabilities in software, networks, and applications. Leading options include tools like [Veracode](https://www.veracode.com/), [Checkmarx](https://checkmarx.com/cxsast-source-code-scanning/), and [Invicti](https://www.invicti.com/product/).\n\n**When selecting a vulnerability scanner:**\n\n- Ensure its database is frequently updated.\n- Ensure it's compatible with your organization's systems.\n- Regularly review and update its configurations to match your organization's evolving infrastructure.\n- Once vulnerabilities are detected, run simulated attacks to assess their potential impact. This will offer real-world insights into the criticality of each vulnerability.\n\n### **Threat Intelligence Platforms**\n\nSuch platforms gather and analyze information about emerging threats, giving organizations a heads-up on potential future vulnerabilities. 
Solutions like [Mandiant](https://www.mandiant.com), Recorded Future, ThreatConnect, or AlienVault can be considered. \n\n**Tips for optimizing use:**\n\n- Integrate the platform with other security tools for real-time updates.\n- Allocate personnel to review the intelligence regularly and update organizational strategies accordingly.\n\n### **Patch Management Software**\n\nThese tools assist in deploying and managing patches across an organization's digital infrastructure. Examples include SolarWinds Patch Manager and ManageEngine Patch Manager Plus. \n\n**To maximize efficacy:**\n\n- Schedule regular patching intervals.\n- Use software that provides reports on patch success rates and failures.\n\n### **AppSec Security Training Platforms:**\n\nSince human error significantly contributes to vulnerabilities, platforms like [SecureFlag](https://www.secureflag.com), Codebashing, [Secure Code Warrior](https://www.securecodewarrior.com) or Avatao can train employees to recognize and respond to threats. \n\n**Best practices include:**\n\n- Regularly updating training content to reflect current threat landscapes.\n- Hosting periodic refresher courses for all employees.\n- Creating and monitoring KPIs for security-related code quality on a per-developer level.\n\n### **Security Forums and Communities:**\n\nEngaging in forums like [Stack Exchange's Information Security](https://security.stackexchange.com) community or the Spiceworks security section can be valuable. Here, professionals discuss emerging threats, share experiences, and provide recommendations. \n\n## **Centralizing Vulnerability Management with Kondukto**\n\nCentralizing vulnerability management can simplify what is otherwise a complex process. Using a vulnerability management platform like Kondukto may be crucial to realizing the full potential of this strategy. 
\n\n### **Simplified Vulnerability Tracking**\n\nInstead of logging into multiple tools to assess vulnerabilities, use Kondukto’s Vulnerability Management platform. It fetches vulnerabilities from all your security tools and deduplicates them. Spend less time on manual consolidation and focus more on devising remediation strategies, enabling you to respond to threats quicker.\n\n### **Optimize DevSecOps Workflow**\n\nUtilize Kondukto’s DevOps-friendly approach to manage identified vulnerabilities.  \nUse the Kondukto CLI to integrate all security tests into your CI/CD pipelines and let Kondukto take automated actions, like creating tickets in Jira, sending alerts on Slack or breaking builds in Jenkins, based on the rules you configure on the platform.\n\n### **Role-Based Data Access for Cohesive Collaboration**\n\nDefine user roles within Kondukto and allocate data access accordingly. This ensures that developers, security engineers, managers and other stakeholders see only what's relevant to them. Tailored data views prevent information overload, leading to quicker decision-making and streamlined team communication.\n\n### **Preserve and Build upon Historical Data**\n\nIntegrate your existing tools with Kondukto; as tools evolve or get replaced, Kondukto retains the security insights derived from them.\n\nBenefit: your team keeps the historical context, facilitating better-informed future decisions and strategies. This institutional memory can be pivotal in understanding long-term security trends and vulnerabilities.\n\n## **Conclusion**\n\nVulnerability management is more than a technical endeavor. It's an organizational imperative. As digital threats are omnipresent, having a streamlined and efficient vulnerability management process is non-negotiable. 
Streamlining vulnerability management translates to saved time and enhanced protection.","Metrics and KPIs can provide valuable feedback on how well the organization is identifying, prioritizing, and mitigating vulnerabilities.","how-to-streamline-vulnerability-management","blog/how-to-streamline-vulnerability-management",-370,[84,33],"02bb9243-5929-4852-989f-48f52c9e0342","2023-09-27T05:28:41.875Z",[],{"name":276,"created_at":277,"published_at":278,"id":279,"uuid":280,"content":281,"slug":293,"full_slug":294,"sort_by_date":29,"position":295,"tag_list":296,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":298,"first_published_at":299,"release_id":29,"lang":38,"path":29,"alternates":300,"default_full_slug":29,"translated_slugs":29},"AI Remediation, a massive time-saver","2023-09-06T13:06:51.628Z","2023-09-07T20:57:48.603Z",366532805,"0ef12ae1-96ec-4e0f-8fc9-0854a3c4f3d3",{"_uid":282,"image":283,"title":290,"author":101,"details":291,"component":25,"meta_description":292},"f5014628-a1a8-4483-9ed3-8583b609fef8",{"id":284,"alt":285,"name":17,"focus":17,"title":286,"source":17,"filename":287,"copyright":288,"fieldtype":20,"meta_data":289,"is_external_url":22},10986289,"A comment on GitHub that shows a suggestion made by Kondukto's AI Remediation feature on how to fix a security issue","Screenshot of an AI assisted recommendation by the Kondukto App","https://a.storyblok.com/f/168460/729x437/4945818841/kondukto_blog_ai-remediation_feature-image_2023-09-06.png","© all rights reserved",{},"AI Remediation: A massive time-saver","One of the biggest challenges that application security engineers face is the large amount of false positives from security scanners. False positives are results that indicate a vulnerability where there is none, or where the risk is negligible. Triaging these false positives wastes a lot of time.\n\n## Limitations of current approaches\n\nReducing false positives and managing them efficiently is a challenging task. 
A common approach is to create customized rulesets for each application, but this demands a lot of time and skill, which is a major bottleneck for most AppSec teams.\n\nOver time, these rules can become hard to manage, understand and maintain. The complexity of the rules might then outweigh their benefit of reducing false positives. An overly complex ruleset will make you and your team less productive.\n\nThis is where our new AI Remediation feature comes into play. It makes suggestions for vulnerability fixes that developers themselves can quickly review and apply, without burdening you with defining complex rules. The AI-assisted recommendations make it easy for developers to fix vulnerabilities before they reach the AppSec team in the first place, and facilitate the collaboration between AppSec and developers on triaging.\n\n![Screenshot of a GitHub comment made by Kondukto AI Remediation](https://a.storyblok.com/f/168460/909x666/514ae1672f/kundukto-ai-remediation_beta_comment-example.png \"GitHub comment made by Kondukto AI Remediation\")\n\n## Fine-tuned for AppSec\n\nWe originally started exploring the use of modern machine learning techniques, like recent Large Language Models, in 2022. Earlier this year, during Black Hat 2023, we announced the beta of our first AI-related feature.\n\nAI Remediation has been fine-tuned with the unique insight into the many false-positive alerts that the Kondukto Platform sees from dozens of the industry-leading scanners (SAST, DAST, commercial and open-source). We have been working with select customers while developing this feature and received valuable feedback that we incorporated into this first release.\n\n## Using Kondukto AI Remediation\n\nThe suggestions for vulnerability fixes integrate seamlessly with your existing developer and application security workflows. You don’t need to adopt any new user interface paradigms.\n\nSuggestions are made as comments on pull and merge requests, right in your repository. 
They often fix the vulnerability outright and are otherwise a good starting point for your own, more nuanced solution to the issue.\n\nYou and your team remain in full control: there is no autopilot messing with your established best practices and policies.\n\nEnabling our AI-assisted remediation feature is easy and you can be up and running in just a few minutes.\n\nAssuming that you have already successfully onboarded your projects from GitHub, just follow these easy steps:\n\n1. Enable the AI Remediation feature from your account’s integration page.\n2. Add the Kondukto App to your repository (from your repo’s marketplace, just search for “Kondukto”).\n3. The Kondukto App will create a workflow on your CI/CD (alternatively, you can do this step manually).\n4. You will then get a custom configuration file for the Kondukto App that interacts with the repositories. Add that configuration file to your CI/CD provider.\n5. That’s it, you are good to go.\n\nNow, whenever a new vulnerability is discovered during a *pull* or *merge request*, you will see a description of the vulnerability and a suggestion on how to fix it from our AI-assisted app. A summary table of the security posture is included in the comment and, if you have an associated security policy configured, the Kondukto App can halt the CI/CD build accordingly.\n\n![](https://a.storyblok.com/f/168460/900x372/6f4dae36d1/screenshot-2023-09-07-142302.jpg \"Summary table of the security posture of the project's application\")\n\nYou also have the ability to configure your own rules to determine under which circumstances you want the comments to be generated. This way the feature can be further fine-tuned, for example to only make recommendations when a \"high\" or \"critical\" vulnerability has been identified.\n\n## Reduce time-to-remediation...together\n\nWe believe the best way to triage vulnerabilities is by involving developers in this process without overwhelming them. 
Developers have the best understanding of their code, so they should be given the necessary information through a security vendor-agnostic approach.\n\nAI Remediation accomplishes exactly that, making it easy for them to fix security issues, reducing your average time-to-remediation and improving the quality and security of your code.\n\nThe public beta of AI Remediation is part of our Autumn Release and will be available to Kondukto customers, cloud and on-premises, by end of October. Customers can enable the feature from the integrations section within the Kondukto Platform.\n\nNot a customer yet? [Request your free demo](https://kondukto.io/request-a-demo).","Our new AI Remediation feature makes suggestions for vulnerability fixes that developers themselves can quickly review and apply.","ai-remediation-a-massive-time-saver","blog/ai-remediation-a-massive-time-saver",-360,[297,247,34],"Machine Learning","27b52fd4-93b7-4817-8094-d26502f6d0d8","2023-09-07T11:30:43.663Z",[],{"name":302,"created_at":303,"published_at":304,"id":305,"uuid":306,"content":307,"slug":316,"full_slug":317,"sort_by_date":29,"position":318,"tag_list":319,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":320,"first_published_at":321,"release_id":29,"lang":38,"path":29,"alternates":322,"default_full_slug":29,"translated_slugs":29},"How to Shift-Left Better with Git Hooks","2023-08-04T11:34:07.143Z","2023-08-25T06:51:52.231Z",350742079,"d4c12fb2-23e9-4d1e-aada-42e03a61a2ae",{"_uid":308,"image":309,"title":302,"author":101,"details":314,"component":25,"meta_description":315},"8f2bdb91-3eea-4ee5-8063-5d5591db43a7",{"id":310,"alt":311,"name":17,"focus":17,"title":17,"source":17,"filename":312,"copyright":17,"fieldtype":20,"meta_data":313,"is_external_url":22},10597543,"software engineer sitting in front of her laptop with GitHub Octocat stickers","https://a.storyblok.com/f/168460/1920x1282/c6f404864e/shift-left-with-git-hooks.jpg",{},"## **Introduction**\n\nThe philosophy of \"[shifting 
left](https://en.wikipedia.org/wiki/Shift-left_testing)\" in software development is transforming the way we approach error detection and resolution. By moving the focus of error detection to earlier stages in the development cycle, teams can address issues when they are more accessible and less expensive to fix. Integral to this shift-left approach are Git hooks, powerful tools that allow us to enforce quality control right from the code-commit stage.\n\n## **Understanding the Shift-Left Approach**\n\nThe shift-left approach and [Git hooks](https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks) are transformative forces in software development, changing how we detect errors and maintain code quality. This article offers an in-depth look into these two interconnected strategies. Here's a summarized overview:\n\n- The shift-left approach signifies a paradigm shift in error detection, advocating for early-stage detection and resolution during the software development lifecycle (SDLC).\n- Git hooks provide a mechanism for automating workflows, ensuring quality control, and promoting consistency in a project's codebase.\n\n### **Decoding the Shift-Left Approach**\n\nThe shift-left approach brings error detection closer to the development stage, rather than addressing errors towards the end of the SDLC as the traditional method does. The strategy is simple: catch and fix mistakes at the earliest stages, when they are most accessible and least costly.\n\nThis approach aligns well with Agile and DevOps principles, promoting iterative development, frequent feedback, and increased collaboration. The result is a smooth, streamlined development process with reduced chances of issues propagating downstream.\n\n## **Git Hooks: An In-depth Overview**\n\nGit hooks are scripts that automate and customize the Git workflow, helping teams enforce quality and consistency in their codebase. 
These hooks reside in the **.git/hooks** directory of each Git repository and are executed before or after events like commit, push, and receive.\n\nDevelopers can validate and modify commit messages and content with client-side hooks to enforce coding standards. On the other hand, server-side hooks enable policy enforcement and additional checks before accepting changes into the project's official history. By leveraging these hooks, teams can streamline their development process, maintain code quality, and implement and enforce project-specific security guidelines.\n\n## **Installation and Initial Setup of Git Hooks for Shift-Left Approach**\n\nGit hooks are instrumental tools for facilitating automation and enforcing standards in your development process. These hooks are usually written in scripting languages such as bash, underscoring the importance of having at least a basic understanding of these languages. With that knowledge in hand, we can then focus on how to install and configure these hooks initially, setting the stage for more advanced uses down the line.\n\n### **Establishing Executable Scripts in the .git/hooks Directory**\n\nSetting up Git hooks begins with the creation of executable scripts inside the **.git/hooks** directory of your repository. The file name of each script should correspond to the hook you're implementing, such as pre-commit, pre-push, etc. (Git ships sample hooks in that directory with a .sample suffix; they are inactive until renamed.) These scripts can be written in any scripting language (as long as the appropriate interpreter is available on the system) and are executed each time the corresponding Git event happens.\n\nFor instance, to create a pre-commit hook, you would make a new file named **'pre-commit'** within the **.git/hooks** directory. 
That 'pre-commit' file could be a shell script that runs specific checks each time a commit is about to be created in your local repository.\n\nHere's a basic example of a pre-commit hook script that prevents commits with 'TODO' comments:\n\n~~~\n#!/bin/sh\n\n# Redirect output to stderr so it is shown even when Git swallows stdout.\nexec 1>&2\n\n# Grep the staged files (deleted files excluded) for 'TODO' comments;\n# -l prints the offending file names so the developer knows where to look.\n# Pre-existing TODOs in a touched file count as well.\nif git diff --cached --name-only --diff-filter=d -z | xargs -0 grep -il 'TODO'; then\n  echo 'Commit contains TODO comments. Please remove them and try again.'\n  exit 1\nfi\n~~~\n\nRemember to make the script executable:\n\n~~~\nchmod +x .git/hooks/pre-commit\n~~~\n\n### **Overcoming the Limitations of Local Hooks with Shared Hooks**\n\nGit hooks, though powerful, are local to each repository and do not get cloned along with it (the .git directory is never transferred). This limits their effectiveness in enforcing rules across a team. A way around this is to use shared hooks: a directory of hook scripts, either committed to the repository itself or distributed separately, that Git is pointed at using the core.hooksPath configuration variable.\n\nTo configure shared hooks, you can use the following commands:\n\n~~~\n# Setting up shared hooks for this repository only\n# (here a .githooks directory committed alongside the code)\ngit config core.hooksPath .githooks\n\n# Or, with --global, for every repository of the current user\ngit config --global core.hooksPath /path/to/your/shared/hooks\n~~~\n\nThis setting instructs Git to look for hooks in the specified directory instead of the default .git/hooks directory. Note that every developer still has to run the command once after cloning: Git deliberately does not read configuration or hooks from the repository's content, since a freshly cloned repository could otherwise run arbitrary code on your machine.\n\n## **Client-Side vs. Server-Side Hooks**\n\nGit hooks are broadly categorized into client-side and server-side hooks. Client-side hooks validate commit content and commit messages and enforce coding standards before changes are committed or pushed, while server-side hooks validate access rights and enforce custom rules before accepting pushed changes.\n\nHere's a look at some key client-side and server-side hooks:\n\n### **Client-side hooks:**\n\n**pre-commit:** Runs before the commit is created, before the commit message editor opens. 
For example, verify that the code doesn't contain debug statements before a commit.\n\n~~~\n#!/bin/sh\n\n# Only added lines ('+' prefix, '+++' file header excluded) are checked,\n# so deleting an old console.log never blocks the commit.\nif git diff --cached -U0 | grep -q '^+[^+].*console\\.log'\nthen\n  echo \"Code contains console.log statements. Please remove them before committing.\"\n  exit 1\nfi\n~~~\n\n**prepare-commit-msg:** Lets the default commit message be edited before the author sees it in the editor. This hook could prepend a ticket reference to the commit message:\n\n~~~\n#!/bin/sh\n\nCOMMIT_MSG_FILE=\"$1\"\n\n# Prepend the ticket reference unless the message already carries one.\nif ! grep -q '^TASK-[0-9][0-9]*:' \"$COMMIT_MSG_FILE\"; then\n  printf 'TASK-1234: %s\\n' \"$(cat \"$COMMIT_MSG_FILE\")\" > \"$COMMIT_MSG_FILE\"\nfi\n~~~\n\n**commit-msg:** Checks the final commit message. For example, it can enforce a commit message standard (note the bash shebang: the [[ ... =~ ... ]] test is not available in plain POSIX sh):\n\n~~~\n#!/bin/bash\n\nCOMMIT_MSG_FILE=\"$1\"\n#  Check the subject line only (the first line that is not a '#' comment); the body may say anything.\nSUBJECT=$(grep -m1 -v '^#' \"$COMMIT_MSG_FILE\")\n\nif [[ ! \"$SUBJECT\" =~ ^TASK-[0-9]+:\\ .+ ]]\nthen\n  echo \"Commit message does not follow the standard (TASK-XXXX: \u003Cmessage>).\"\n  exit 1\nfi\n~~~\n\n**pre-rebase:** Can be used to prevent rebasing of certain branches.\n\n~~~\n#!/bin/sh\n\n# Git passes the upstream as $1 and, when rebasing another branch, that branch as $2;\n# otherwise the current branch is the one being rebased.\nBRANCH=\"${2:-$(git rev-parse --abbrev-ref HEAD)}\"\n\nif [ \"$BRANCH\" = \"main\" ]; then\n  echo \"You can't rebase the main branch!\"\n  exit 1\nfi\n~~~\n\n### **Server-side hooks:**\n\n**pre-receive:** Invoked once when a push is received on the server, before any ref is updated; a non-zero exit rejects the whole push.\n\n~~~\n#!/bin/sh\n\n# One \"<old-sha> <new-sha> <ref>\" line per pushed ref arrives on stdin.\nwhile read oldrev newrev refname\ndo\n  if [ \"$refname\" = \"refs/heads/main\" ]; then\n    echo \"Direct push to the main branch is not allowed.\"\n    exit 1\n  fi\ndone\n~~~\n\n**update:** Invoked once for each ref to be updated, so a single ref can be rejected while the others are accepted.\n\n~~~\n#!/bin/sh\n\n# Arguments: <ref name> <old sha> <new sha>\nrefname=\"$1\"\n\nif [ \"$refname\" = \"refs/heads/main\" ]; then\n  echo \"Direct updates to the main branch are not allowed.\"\n  exit 1\nfi\n~~~\n\n**post-receive:** Invoked after updates are accepted on the server side; its exit code can no longer reject the push, which makes it the place for notifications.\n\n~~~\n#!/bin/sh\n\necho \"Push was successful. 
Notifying stakeholders...\"\n\n# Your notification logic here\n~~~\n\n## **Git Hooks and Shift-Left Approach: A Dynamic Duo**\n\nActing as the skeletal structure of a robust shift-left strategy, Git hooks are tools that developers can effectively use to automate code reviews, standardize coding practices, and perform tests at the point of committing code.\n\n### **Git Hooks: The Heart of a Shift-Left Strategy**\n\nBeing a memorable part of a resilient shift-left strategy, Git pre-commit hooks are crucial in ensuring high-quality code and barricading bugs from infiltrating subsequent stages of the development lifecycle. These pre-commit hooks are scripts that Git triggers before or after events like a git commit command, git push call, or receive. Integrating these hooks into a shift-left strategy enables developers to spot and rectify issues early in the development trajectory, thus significantly conserving both time and resources.\n\n### **Automating Code Reviews, Standardizing Coding Practices, and Enhancing Testing with Git Hooks**\n\nGit hooks are a powerful medium to automate several components of the development process, including code reviews, the standardization of coding practices, package name, configuration, and testing.\n\nFor example, the pre-commit hook can review code automatically before each commit. This code review can be done by deploying static code analysis tools like ESLint for JavaScript or Pylint for Python. This ensures that the committed code aligns with the team's coding norms.\n\nTo demonstrate, here's a pre-commit hook script configured for ESLint:\n\n~~~\n#!/bin/sh \n\n# pre-commit hook enforcing code standards \nESLINT=\"node_modules/.bin/eslint\" \n\ngit diff --cached --name-only --diff-filter=d | xargs $ESLINT \n\nif [ $? -ne 0 ]; then \necho \"ESLint checks failed, fix them before committing.\" \nexit 1 \nfi\n~~~\n\nGit “pre-” hooks can also be leveraged to automate testing procedures before commits. 
Unit tests or integration tests can be performed before every commit using the pre-commit hook, or before every push using the pre-push hook. This empowers developers to detect and mend any failing tests early in the development lifecycle.\n\nTo illustrate, here's a pre-push hook script that runs unit tests using Jest:\n\n~~~\n#!/bin/sh\n\n# pre-push hook running unit tests with the project's local Jest install\nif ! node_modules/.bin/jest; then\n  echo \"Unit tests failed, fix them before pushing.\"\n  exit 1\nfi\n~~~\n\n### **Embracing Example Scripts for ESLint and Jest Integration**\n\nIncorporating ESLint and Jest into your pre-commit and pre-push hooks adds a new dimension of automation and validation to your development workflow. While ESLint helps the developer uphold coding standards, Jest ensures all unit tests get a green signal before the code passes further down the pipeline.\n\nThe scripts are practical illustrations of how ESLint and Jest can merge with Git hooks to become an integral part of a shift-left strategy. They aid in automated code analysis, standardization of coding practices, and unit testing, thus ensuring high-quality code.\n\n## **Best Practices for Implementing Git Hooks in a Shift-Left Strategy**\n\nGit hooks are powerful tools for automating tasks in your development process, but they must be used thoughtfully and efficiently to prevent disruption to the developer's workflow. The following are some best practices to consider when using Git hooks in a shift-left strategy. 
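Bringing the pieces above together, here is an added, self-contained example (not code from the original post): it creates a throwaway repository, commits a versioned .githooks/pre-commit hook, points core.hooksPath at it as described in the shared-hooks section, and then shows changes being accepted or rejected with an informative message, including one that slips past the hook with --no-verify. The .githooks directory name, the TODO and AWS-access-key-id patterns, and the sample value AKIAIOSFODNN7EXAMPLE (the placeholder key id used in AWS documentation) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): a versioned pre-commit hook
# distributed via core.hooksPath, exercised in a throwaway repository.
# Assumed names: the .githooks directory and the TODO / AKIA patterns.
set -e

# Write the shared hook into <repo>/.githooks/pre-commit and point Git at it.
install_shared_hooks() {
  repo="$1"
  mkdir -p "$repo/.githooks"
  cat > "$repo/.githooks/pre-commit" <<'HOOK'
#!/bin/sh
# Inspect only the lines this commit ADDS ('+' prefix, '+++' header excluded),
# so deleting an old TODO or a leaked key never blocks the commit. The hook
# directory itself is excluded, otherwise its own patterns would trip it.
added=$(git diff --cached -U0 --diff-filter=d -- . ':(exclude).githooks' | grep '^+[^+]' || true)
fail=0
if printf '%s\n' "$added" | grep -q 'TODO'; then
  echo "pre-commit: rejected, this commit adds TODO comments:" >&2
  printf '%s\n' "$added" | grep 'TODO' >&2
  fail=1
fi
# AWS access key ids are 'AKIA' followed by 16 uppercase letters or digits.
if printf '%s\n' "$added" | grep -Eq 'AKIA[0-9A-Z]{16}'; then
  echo "pre-commit: rejected, this commit adds what looks like an AWS access key id:" >&2
  printf '%s\n' "$added" | grep -E 'AKIA[0-9A-Z]{16}' >&2
  fail=1
fi
exit $fail
HOOK
  chmod +x "$repo/.githooks/pre-commit"
  # Repository-local setting; --global would apply it to every repository of this user.
  git -C "$repo" config core.hooksPath .githooks
}

# Create a temporary repository with the hook committed and one clean file; prints its path.
make_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email hooks@example.invalid
  git -C "$repo" config user.name "Hook Demo"
  install_shared_hooks "$repo"
  echo 'print("hello")' > "$repo/app.py"
  git -C "$repo" add .
  git -C "$repo" commit -q -m "initial commit"
  echo "$repo"
}

# Overwrite app.py with $2, stage it and try to commit (extra arguments such as
# --no-verify pass through to git commit); prints "accepted" or "rejected".
try_commit() {
  repo="$1"; content="$2"; shift 2
  printf '%s\n' "$content" > "$repo/app.py"
  git -C "$repo" add app.py
  if git -C "$repo" commit -q -m "change app.py" "$@"; then
    echo accepted
  else
    git -C "$repo" reset -q --hard   # drop the rejected change
    echo rejected
  fi
}

demo() {
  repo=$(make_repo)
  echo "clean change:          $(try_commit "$repo" 'x = 1')"
  echo "added TODO:            $(try_commit "$repo" '# TODO remove before release')"
  echo "leaked key id:         $(try_commit "$repo" 'KEY = "AKIAIOSFODNN7EXAMPLE"')"
  echo "TODO with --no-verify: $(try_commit "$repo" '# TODO bypassed' --no-verify)"
  rm -rf "$repo"
}

demo
```

Run it in any directory with git installed; it cleans up after itself. The last case is the point to take away: a client-side hook is a convenience for the developer, not a control, so the same checks belong in a server-side hook or in CI where --no-verify cannot reach them.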
\n\n### **Use Hooks To Reduce Repetitive Tasks**\n\nLet's use the example of how to reduce repetitive tasks using a pre-commit hook to scan for accidentally committed secrets using [TruffleHog](https://github.com/trufflesecurity/trufflehog), a tool that searches for high-entropy strings and known credential patterns, which are typically secrets like API keys:\n\nFirst, install TruffleHog. The legacy Python release can be installed globally (or within a virtual environment) with pip; current releases are written in Go and are installed differently, so check the project's README for your version:\n\n~~~\npip install truffleHog\n~~~\n\nThen create a .git/hooks/pre-commit file and add the following content:\n\n~~~\n#!/bin/sh\n\n# Get the list of staged files (added, copied or modified; deleted files are skipped)\nSTAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)\n\n# Check each file for secrets with TruffleHog; --regex enables the known-pattern\n# rules and --entropy=False turns off the noisier entropy heuristic.\nfor FILE in $STAGED_FILES\ndo\n  if ! truffleHog --regex --entropy=False \"$FILE\"\n  then\n    echo \"TruffleHog found potential secrets in staged file '$FILE':\"\n    echo \"Please remove any sensitive data and commit again.\"\n    exit 1 # prevent commit\n  fi\ndone\n\n# If no secrets were found, allow the commit\nexit 0\n~~~\n\nThe script runs TruffleHog on each staged file, checking for potential secrets. If TruffleHog detects any, it blocks the commit and prompts the developer to remove the sensitive data. Check the usage of the version you have installed: the legacy Python release expects a Git repository (URL or local path) as its argument and scans that repository's history, so the per-file invocation above needs adapting for it, while the current Go release offers a filesystem scanning mode that takes paths directly. While TruffleHog is a great open source solution, we highly recommend [GitGuardian](https://www.gitguardian.com/) as a more extensive solution for finding secrets in your repos.\n\n### **Optimization to Ensure Rapid Hook Execution**\n\nOne of the crucial aspects to consider when creating your Git pre-commit hooks is speed. A slow hook execution can potentially disrupt the developer's workflow, and therefore, it's essential to optimize your scripts to run only the necessary checks. 
Long-running operations like launching a full test suite or an extensive linter run might not be suitable for hooks that run on each commit, like pre-commit.\n\nHere's an example of a simple and optimized pre-commit hook that only checks staged files for Python syntax errors:\n\n~~~\n#!/bin/sh\n\n# Check for Python syntax errors in staged (non-deleted) .py files only\ngit diff --cached --name-only --diff-filter=d | \\\n  grep '\\.py$' | \\\n  xargs -I {} python -m py_compile {}\n\nif [ $? -ne 0 ]; then\n  echo \"Python syntax check failed, fix errors before committing.\"\n  exit 1\nfi\n~~~\n\n### **Keeping Hooks Simple and Understandable**\n\nGit hooks should be kept simple and readable. A hook with complex logic can be difficult to understand, maintain, and modify in the future. If a check requires complex logic, consider creating a separate script or tool that the hook can call. This will keep the hook code clean and straightforward.\n\nHere's an example of keeping things simple where a pre-push hook calls an external script for running unit tests:\n\n~~~\n#!/bin/sh\n\n# pre-push hook running unit tests via an external script\nif ! ./scripts/run_unit_tests.sh; then\n  echo \"Unit tests failed, fix them before pushing.\"\n  exit 1\nfi\n~~~\n\n### **Providing Informative Rejection Explanations**\n\nAn essential aspect of creating a useful Git hook is making sure it provides informative feedback. If a hook rejects a commit or a push, it should explain why clearly. Developers should understand what caused the failure and how they can rectify it.\n\nFor instance, consider a pre-commit hook that checks for TODO comments in the added lines and rejects the commit if it finds any (note that git diff exits 0 whether or not it prints anything, so the output has to be tested rather than the command's exit status):\n\n~~~\n#!/bin/sh\n\n# pre-commit hook checking for 'TODO' comments in added lines\nif git diff --cached -U0 | grep -q '^+[^+].*TODO'; then\n  echo \"Commit rejected. 
Found 'TODO' comments in your changes:\"\n  git diff --cached -G'TODO'\n  exit 1\nfi\n~~~\n\nIn this example, if the hook finds any 'TODO' comments in the staged file changes, it prints out those changes to help the developer quickly locate and address the issue.\n\nIt's important to remember that hooks can be bypassed using the --no-verify option. When designing your shift-left strategy, you should consider this and possibly incorporate checks at later stages of your Software Development Life Cycle (SDLC) to handle cases where critical hooks may be bypassed.\n\n## **Conclusion**\n\nI particularly like Git hooks because they help developers adopt a security culture in a straightforward and effective manner. With Git hooks in place, the development team can focus more on writing secure code and addressing security concerns earlier in the development lifecycle. It is a proactive approach that minimises the risk of security breaches and also saves time.\n\nGit hooks not only facilitate the integration of security practices but also foster a security-conscious culture within the development teams."," Learn how Git hooks can help you enforce quality standards and prevent bad code from hitting repositories or being pushed to production environments.","how-to-shift-left-better-with-git-hooks","blog/how-to-shift-left-better-with-git-hooks",-350,[33,34],"c2eef6eb-67bf-452e-ae99-784ef8cbd99d","2023-08-22T08:13:18.349Z",[],{"name":324,"created_at":325,"published_at":326,"id":327,"uuid":328,"content":329,"slug":339,"full_slug":340,"sort_by_date":29,"position":341,"tag_list":342,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":343,"first_published_at":344,"release_id":29,"lang":38,"path":29,"alternates":345,"default_full_slug":29,"translated_slugs":29},"Getting Started: A Guide to Becoming a  Product Security 
Engineer","2023-08-04T09:45:16.087Z","2023-08-25T06:52:33.689Z",350576275,"d3fdc509-d7b4-470b-a78e-699be50d13d6",{"_uid":330,"image":331,"title":336,"author":101,"details":337,"component":25,"meta_description":338},"1a87b9b6-a86c-440d-939b-106065ed7148",{"id":332,"alt":333,"name":17,"focus":17,"title":17,"source":17,"filename":334,"copyright":17,"fieldtype":20,"meta_data":335,"is_external_url":22},10597492,"two security engineers collaborating","https://a.storyblok.com/f/168460/1920x1282/ede52d0272/how-to-become-a-security-engineer.jpg",{},"A Guide to Becoming a Product Security Engineer","As companies increasingly digitalize, the necessity for cybersecurity has never been more vital. Product security engineers are in great demand since they are responsible for securing software products, operating systems, and the underlying infrastructure against potential attacks. If you're interested in cybersecurity and want to work in it, this article will provide the information you need to begin your own career path as a product and application security engineer.\n\n## **The Role of a Product Security Engineer**\n\n### **A Day in the Life of a Product Security Engineer**\n\nA product security engineer is analogous to the guardian of a software product. These experts protect a product throughout its life cycle, from the initial design phase through the subsequent development and maintenance stages. Their duties extend beyond reducing risks and addressing vulnerabilities to helping build more secure products and software solutions. They must also have their finger on the pulse of the industry, staying up to date on new trends and potential threats in cybersecurity.\n\nBut it's not just about the technology. Communication skills are essential. These experts must regularly convey complicated security concepts, systems and threat scenarios to colleagues and stakeholders outside their technical realm. 
Thus, they must be able to do so clearly and concisely.\n\n## **Laying the Foundation in Product Security Engineering**\n\n### **The ABCs of Security Concepts and Principles**\n\nAs you embark on this exciting career journey, laying a solid foundation in basic security concepts and principles is crucial. Begin by familiarizing yourself with the [CIA triad](https://www.coursera.org/articles/cia-triad) — Confidentiality, Integrity, and Availability. These are the core tenets of information security, forming the basis of any secure system.\n\n**Confidentiality** entails utilizing security tools and measures to guarantee that only authorized people can access sensitive information. It's like maintaining a secret among close friends: no one outside the circle should know. In the digital realm, this often entails using encryption and access controls to keep prying eyes away from our sensitive data.\n\n**Integrity** ensures that data stays unchanged throughout its lifespan unless modified by an authorized person. This idea is analogous to verifying that a work of art is the artist's original and has not been tampered with. In cybersecurity, this might include methods such as cryptographic hashing and digital signatures.\n\n**Availability** ensures that information and resources are available when they are required. Consider it as keeping a city's public services operational around the clock. Maintaining high uptime, adopting security policies, establishing robust disaster recovery processes and practices, and ensuring system resilience all contribute to availability in the digital domain.\n\nOnce you've got a good handle on these security concepts, it's time to delve deeper. 
The next layer is encryption, authentication, and authorization.\n\n### **Navigating Encryption, Authentication, and Authorization**\n\nA working understanding of these three controls gives you a foundation to build on as you advance in your cybersecurity journey.\n\n**Encryption** converts readable data (plaintext) into an unreadable format (ciphertext) to prevent unauthorized access. It's like a secret language known only to the sender and recipient. Standard encryption algorithms include [RSA](https://en.wikipedia.org/wiki/RSA\\_(cryptosystem)) and [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard); [DES](https://en.wikipedia.org/wiki/Data_Encryption_Standard) is worth knowing as history, but its 56-bit key has been practically breakable for decades and it must not be used in new systems.\n\n**Authentication** validates an individual's identity before providing access to resources. Think of it as a bouncer checking IDs at a nightclub - only verified individuals can enter.\n\n**Authorization** goes further by determining what a verified user can do within the system. Like a museum guide directing visitors — some may only view exhibits, while others, like staff, have permission to access restricted areas.\n\n### **The Programming Arsenal for Security Engineers**\n\nOne of the distinguishing characteristics of a product security engineer is the need for a hands-on approach to coding. You're not simply safeguarding a product; you're going under the hood and interacting with the source code. This implies you must be proficient in the programming languages often used in applications, such as Python, Java, C++, or Go.\n\nThese languages were not randomly picked; each has its benefits and disadvantages. Python, for example, is admired for its ease of use and automation features. 
Simultaneously, Java is well-known for its cross-platform portability and its memory-safe managed runtime, making it a popular choice for enterprise-level applications.\n\n## **Must-Have Technical Skills for Product Security Engineers**\n\n### **Web Application Security**\n\nAs a product security engineer, you must be familiar with typical security vulnerabilities such as [SQL injection](https://www.w3schools.com/sql/sql_injection.asp), [Cross-Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/), and [Cross-Site Request Forgery (CSRF)](https://owasp.org/www-community/attacks/csrf). These vulnerabilities represent some of the most common and severe cyber risks.\n\nHowever, being aware of these hazards is just half the fight. You'll also need to arm your security teams and yourself with tools like [OWASP ZAP](https://www.zaproxy.org/) or [Burp Suite](https://portswigger.net/burp/communitydownload) to assist you in finding and mitigating these vulnerabilities in real-world scenarios.\n\n### **Navigating Network Security**\n\nAnother area you'll need to be able to navigate is network security. A network's integrity is vital for product security. Therefore, familiarity with network protocols, vulnerability management tools, and security mechanisms can be a significant advantage in ensuring a product's security. You might want to consider getting the [CompTIA Network+ certification](https://www.comptia.org/certifications/network), which will give you a good grounding in fundamental networking principles.\n\nBut how do you secure a network? Familiarize yourself with penetration [testing tools and best practices](https://www.zaproxy.org/). 
When used correctly, these tools can help you uncover potential weaknesses in your network's security, allowing you to address these issues before they become significant threats.\n\n### **Cracking the Code with Cryptography**\n\nAs a product security engineer, you must grasp the common encryption algorithms and protocols, their known weaknesses, and how their resilience is assessed with cryptanalysis methods. In practice, most cryptographic failures in products stem from poor key management and misuse of primitives rather than from broken algorithms, so learn the protocols and their pitfalls, not just the mathematics.\n\n## **A Glimpse into the Daily Life of a Product Security Engineer**\n\n### **Typical Tasks and Challenges**\n\nEach day in the life of a product security engineer presents unique challenges. A product security engineer's work is diverse and engaging, from threat modeling and security code reviews to security guidance, penetration testing, detection, and incident response support. Regular collaboration with senior leadership, various product teams, and team members is also part of the job, emphasizing the importance of working effectively in a group.\n\nWhile the scope of your day-to-day work as a product security engineer will vary, here are some of the main tasks you will be working on:\n\n1. **Threat Modeling:** Identifying potential threats and risks to the product, often by creating models or diagrams that outline potential attack vectors. You can dive deeper into the threat modeling process at the [OWASP Threat Modeling community](https://owasp.org/www-community/Threat_Modeling). \n2. **Vulnerability Assessment:** Regularly assessing the product for vulnerabilities manually or using automated tools. This proactive approach can help prevent security issues before they occur. The EC-Council offers certifications on ethical hacking and [vulnerability analysis](https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/conduct-a-vulnerability-analysis/).\n3. **Penetration Testing:** Attempting to exploit potential vulnerabilities in a controlled setting to verify their existence and understand their impact. 
This helps to ensure that defences are as robust as possible. [Cloudflare’s introduction](https://www.cloudflare.com/learning/security/glossary/what-is-penetration-testing) is a good starting point to learn more about pen testing.\n4. **Security Architecture Design:** Working with product and engineering teams to design and implement security controls and protections within the product. This task ensures the product is built [with security in mind from the ground up](https://www.techopedia.com/definition/72/security-architecture).\n5. **Incident Response:** Responding to security incidents, such as data breaches or successful cyberattacks. This could involve conducting forensic analysis, determining the impact of the incident, and recommending/implementing measures to prevent recurrence. [IBM’s introduction to incident response](https://www.ibm.com/topics/incident-response) is a good starting point to learn more.\n\n## **Growth and Advancement in Product Security Engineering**\n\n### **The Career Ladder in Sight**\n\nEmbarking on a serious career path in product security software engineering doesn't mean you'll always be in the same role. As you acquire more experience and broaden your skill set, opportunities for growth and progression in related technical fields will emerge. You might start as a junior product security engineer. Still, with dedication and continuous learning, you could eventually take on roles like an architect or even Chief Information Security Officer (CISO).\n\n### **Exploring Career Opportunities and Specializations**\n\nWith technology's relentless evolution comes an expanding realm of career opportunities in software engineering, product development, and security engineering. As digital security becomes more complex, specializations in areas like cloud security, Internet of Things (IoT) security, or Artificial Intelligence (AI) security are increasingly sought after. 
These specialized fields offer fascinating pathways to explore as you advance your cybersecurity career.\n\n## **Putting Theory into Practice: Gaining Experience in Product Security**\n\n### **Learning through Capture the Flag (CTF) Competitions**\n\nWhile theoretical knowledge of systems is crucial in product security, hands-on experience is equally vital to in-depth understanding. Participating in [Capture the Flag (CTF) competitions](https://ctftime.org/event/list/) is an excellent way to gain such experience. These competitions involve solving security puzzles in a controlled environment, allowing you to apply your theoretical knowledge in real-world contexts.\n\n### **Contributing to Open-Source Security Projects**\n\nAnother great way to give back to the security community and hone your security skills is by contributing to [open-source security projects](https://owasp.org/projects/). These projects provide opportunities to engage with security communities and learn from the challenges and solutions to security risks that emerge in these environments.\n\n## **Don't Underestimate the Power of Soft Skills in Product Security Engineering**\n\n### **The Art of Communication and Teamwork**\n\nSoft skills, particularly communication and teamwork, are invaluable in product security engineering. You'll often find yourself explaining complex product security issues to stakeholders who may not have a technical background. Being able to articulate these security issues clearly and concisely is critical. Furthermore, cybersecurity is a team effort. You'll frequently collaborate with different engineering teams, making effective teamwork crucial.\n\n### **Cultivating a Resilient and Curious Mindset**\n\nIn the face of ever-evolving cyber threats, having a resilient and curious mindset is essential. You will encounter setbacks—maybe a solution you thought would work fails, or a threat you didn't anticipate causes problems. 
Resilience will help you learn from these setbacks and keep going.\n\nCuriosity will drive you to keep learning and keep asking questions. It will prompt you to click on that article about the latest cybersecurity trend or experiment with a new security tool. In a constantly changing field, continuous learning isn't just an advantage—it's a necessity.\n\n## **Conclusion**\n\nProduct security engineers are expected to own and focus on all the security-related tasks of certain products, not the entire organization. However, having an understanding of the business context and how the product and the code work is crucial. Product security engineering should be involved in the design phase and help developers overcome possible security concerns.\n\nThis challenging job requires a wider perspective and a diverse set of skills. Being a part of a product team, building something while simultaneously solving security problems, provides an excellent opportunity for personal development. It allows these engineers to contribute not only to the security of the product but also to its overall success and growth, making it a rewarding and fulfilling career path.","An overview of what the role of a Product Security Engineer entails, what skills and qualifications you need, and how to start your career journey.","getting-started-a-guide-to-becoming-a-product-security-engineer","blog/getting-started-a-guide-to-becoming-a-product-security-engineer",-340,[34],"35fa71f7-8814-437f-887f-86e231c84339","2023-07-10T11:01:00.000Z",[],{"name":347,"created_at":348,"published_at":349,"id":350,"uuid":351,"content":352,"slug":360,"full_slug":361,"sort_by_date":29,"position":362,"tag_list":363,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":364,"first_published_at":365,"release_id":29,"lang":38,"path":29,"alternates":366,"default_full_slug":29,"translated_slugs":29},"Top 10 Reasons To Implement An ASPM Right 
Now!","2023-05-31T11:57:27.027Z","2023-05-31T12:53:17.744Z",316395341,"9e694d90-0197-4370-adf8-f0e7c43907cd",{"_uid":353,"image":354,"title":347,"author":125,"details":358,"component":25,"meta_description":359},"9eb600ae-5935-4802-935f-fd28961dcbd1",{"id":355,"alt":17,"name":17,"focus":17,"title":17,"source":17,"filename":356,"copyright":17,"fieldtype":20,"meta_data":357,"is_external_url":22},9548809,"https://a.storyblok.com/f/168460/3500x1943/731aa861c7/shutterstock_2121396761.jpg",{},"In today's interconnected and technology-driven world, cyber threats have become a significant concern for businesses. With the rise of advanced cyber attacks, data breaches, and cybercriminals, it has become imperative for organizations to implement strong security measures to protect their applications and data.\n\nAutomated testing tools are the number one go-to solution for security teams trying to scale the discovery of vulnerabilities in their applications. However, as modern software development practices evolve, new attack surfaces emerge and so do new security testing tools that cover different attack surfaces.\n\nWith so many different security tools, understaffed security teams get bogged down by vulnerabilities discovered at an increasing pace throughout the software development life cycle. In addition, even though vulnerabilities are discovered, managing those vulnerabilities and making sure the relevant ones get fixed remains as a big challenge for most security teams.\n\nApplication Security Posture Management (ASPM) is a proposed solution gaining traction to address this challenge. ASPM tools connect with various security tools and offer automation and vulnerability management capabilities to help security teams create scalable security programs.\n\nASPM uses discovery technologies to catalog an organization's application portfolio and apply risk-scoring metrics to determine an application's business criticality. 
It includes them as a component of the overall risk assessment.\n\nBy providing intelligent insights, application security posture management tools can assist in documenting an organization's present security profile and compliance status, and in identifying areas for improvement, thereby enabling proper resource allocation.\n\n## The top 10 reasons\n\n**1\\. Visibility:** ASPM tools consolidate vulnerabilities discovered by various testing tools and provide a single-view dashboard. Better visibility into the organization's security posture enables teams to manage risks better, and role-based access allows data to be isolated for each stakeholder.\n\n![](https://a.storyblok.com/f/168460/1523x906/a4f273b171/screenshot-2023-05-31-153312.jpg)\n\n**2\\. Metrics:** With an ASPM integrating and collecting data from your applications and different security tools, security teams can measure the performance of their security program with key metrics and identify bottlenecks in their processes.\n\n**3\\. Policy enforcement with automation:** An ASPM can help with enforcing organization-wide or project-based security policies on applications. Based on the rules created, ASPM tools can automatically break builds in CI/CD pipelines, send notifications or create tickets on issue managers.\n\n**4\\. Corporate memory:** ASPM tools can provide continuity of security programs regardless of the changes in tools or people. They act as the single source of truth in an organization and prevent the loss of historical data.\n\n![](https://a.storyblok.com/f/168460/1533x897/a4647266ad/screenshot-2023-05-31-153732.jpg)\n\n**5\\. Collaboration:** Integrations enable better cooperation between security and development teams, which can lead to better coordination and alignment in implementing security measures and addressing vulnerabilities.\n\n**6\\. Continuous Testing:** One of the reasons to implement an ASPM is to protect your applications and improve their overall security posture. 
By integrating all security tests with CI/CD pipelines, continuous testing helps identify vulnerabilities and potential risks in your apps throughout the software development life cycle.\n\n**7\\. Continuous Compliance:** Many businesses are subject to regulations such as GDPR, HIPAA, PCI-DSS, and others, which mandate data protection and security measures. An ASPM constantly monitors and assesses the organization's security posture and ensures that the organization complies with the latest regulations and industry standards.\n\n![](https://a.storyblok.com/f/168460/1545x898/3ddbaa1ff3/screenshot-2023-05-31-153501.jpg)\n\n**8\\. Agile security operations:** With understaffed security teams, vulnerabilities can wait a long time until they are triaged, which increases business risk. Developers can also take a long time before starting to work on vulnerabilities. By allowing risk-based prioritization and automating manual tasks involved in vulnerability management, ASPM tools can accelerate the triage and remediation processes.\n\n**9\\. Reduced business risk:** ASPM tools help organizations take risk-driven decisions and allocate resources where more risk lies. By accelerating triage and remediation efforts, they also help shorten the lifespan of vulnerabilities and minimize business risk in the organization.\n\n**10\\. Reputation:** By demonstrating a data protection and security commitment, an ASPM can attract more customers and increase the trust and confidence of stakeholders. 
Also, with the latest discussions around supply chain attacks and SBOMs, it has become imperative to understand what your applications are made of and the risk of trusting these third-party dependencies.\n\n## Conclusion\n\nAn ASPM tool can provide several benefits, including improved visibility through centralizing vulnerabilities, increased efficiency by automation, compliance with regulations, better risk management through effective prioritization, and enhanced reputation by building confidence in customers and stakeholders.\n\nKondukto Platform is the ultimate ASPM tool for application security teams, allowing them to transform vulnerability management effortlessly and giving back the time, focus, and insight they need to succeed. Check out more on [this link!](https://kondukto.io/platform-tour)","Application Security Posture Management encompasses a broad range of capabilities that empower organizations to assess and manage their security posture.","top-10-reasons-to-implement-an-aspm-right-now","blog/top-10-reasons-to-implement-an-aspm-right-now",-320,[33,34],"af047fe7-6cf2-4447-b939-cbba8fe04f54","2023-05-30T11:59:00.000Z",[],{"name":368,"created_at":369,"published_at":370,"id":371,"uuid":372,"content":373,"slug":380,"full_slug":381,"sort_by_date":29,"position":382,"tag_list":383,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":385,"first_published_at":386,"release_id":29,"lang":38,"path":29,"alternates":387,"default_full_slug":29,"translated_slugs":29},"Demo Hub launched for Kondukto Technology 
Partners","2023-04-15T05:54:05.470Z","2023-09-27T05:42:40.955Z",292407186,"56923c3e-3978-441f-9bf1-d2c4d125ac5a",{"_uid":374,"image":375,"title":368,"author":23,"details":378,"component":25,"meta_description":379},"ac85fa31-d394-47d8-b3ec-deacc9fdb15d",{"id":376,"alt":17,"name":17,"focus":17,"title":17,"filename":377,"copyright":17,"fieldtype":20,"is_external_url":22},8609501,"https://a.storyblok.com/f/168460/284x283/0c9ddfe041/kondukto_demo-hub_blog_launch_thumbnail_2023-04-25.jpg","For quite a time we have been thinking about ways to make it easier for Kondukto users to try out the integrations of our Technology Partners. At this year’s RSA in San Francisco we are now happy to announce the first release of our Demo Hub.\n\nThis industry-first feature, integrated right into the Kondukto platform, makes it easier for customers to evaluate and benchmark different solutions from the growing number of Kondukto’s Technology Partners. The Demo Hub allows our customers to easily browse, search, and request demos for integrations of leading security software vendors like Mend.io, GitGuardian or Secure Code Warriors with as little as 2 clicks.\n\n> “The launch of our Demo Hub as a native feature of the Kondukto Platform marks an important first step for our 2023 Partner Program. This innovative feature, directly integrated within our platform, makes it easy for customers to find the right partner technologies. It also shows our commitment to further deepening the collaboration with our Technology Partners.”\n\n- Cenk, CEO & Co-founder of Kondukto\n\n## Launch Partners\n\nThe initial release will be available to every Kondukto customer starting April 27th 2023. The Demo Hub Launch Partner integrations span across multiple types of security solutions:\n\n- [**GitGuardian**](https://www.gitguardian.com/): Secures software development lifecycles with enterprise-grade secrets detection. 
Scan, detect, remediate, and eliminate blind spots with GitGuardian’s automated, battle-tested detection engine.\n- [**Secure Code Warrior**](https://www.securecodewarrior.com/): Secure code learning for today’s developers. Equips developers to be security-driven by teaching them the skills needed to defend their organization through secure code.\n- [**Mend.io**](http://Mend.io): Finds and fixes vulnerable open source dependencies, enforces compliance with license policies, and prevents malicious open source software from entering your code base.\n\n> “We're excited to be among the first Launch Partners of the Kondukto Demo Hub. This first-of-its-kind initiative will allow more security and DevOps teams to experience the power of GitGuardian's secrets detection right inside Kondukto’s ASOC platform. We're also grateful for this opportunity to work with a forward-thinking player like Kondukto and expect our partnership to have a significant impact on the security and productivity of software-driven organizations.” \n\n- Eric Fourrier, CEO and Co-founder, GitGuardian\n\nWith the Demo Hub our Technology Partners can now showcase their integrations with our ASOC Platform. Our users on the other hand get a quick overview of the capabilities of an integration and helpful links to the partner’s websites. We are intending to expand the functionality of the Demo Hub over the course of the next 18 months and will work on getting all current and future Technology Partners onboarded.\n\n![](https://a.storyblok.com/f/168460/938x938/2db1272cf3/kondukto_demo-hub_blog_launch_screenshot-profile_2023-04-25.jpg)\n\n> “We are excited to join the Kondukto Demo Hub as an integration partner. For Kondukto customers, the Secure Code Warrior integration pays for itself. We help organizations save hours that are typically spent on code remediation and rework by avoiding them altogether with a secure code learning platform that teaches developers in-context and just-in-time. 
The combination of Kondukto and Secure Code Warrior allows developers to build and innovate new software with the confidence that their code is secure.”\n\n- Stephen Allor, VP of Worldwide Channels & Partners, Secure Code Warrior\n\n## Security is a Team effort\n\nKondukto was founded by Cenk Kalpakoglu & Can Bilgin after witnessing the frustration of application security teams first-hand while working at a Managed Security Service Provider (MSSP). With our two founders coming from an MSSP, understanding the importance of partners has been part of Kondukto’s DNA from its inception. \n\nThe Demo Hub is going to foster a strong collaboration between Kondukto and the participating Technology Partners to help customers close gaps in their AppSec stack.\n\nCompanies interested in joining the Demo Hub and becoming a Technology Partner can reach out to our partner team to learn more: [partners@kondukto.io](mailto:partners@kondukto.io)","This industry-first feature, integrated right into the Kondukto platform, makes it easier for customers to evaluate and benchmark different solutions from ","demo-hub-launched-for-kondukto-technology-partners","blog/demo-hub-launched-for-kondukto-technology-partners",-330,[384,34,84],"Partnerships","dfcad6c9-f4c5-43ac-a605-1045c558014b","2023-04-25T15:17:22.733Z",[],{"name":389,"created_at":390,"published_at":391,"id":392,"uuid":393,"content":394,"slug":401,"full_slug":402,"sort_by_date":29,"position":362,"tag_list":403,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":404,"first_published_at":405,"release_id":29,"lang":38,"path":29,"alternates":406,"default_full_slug":29,"translated_slugs":29},"Winning Management Support as an AppSec Leader: Strategies and 
Metrics","2023-04-18T07:42:10.958Z","2023-04-18T09:31:22.590Z",293660189,"54d5f02b-737c-485a-ad02-3bf9809b9bdc",{"_uid":353,"image":395,"title":398,"author":125,"details":399,"component":25,"meta_description":400},{"id":396,"alt":17,"name":17,"focus":17,"title":17,"filename":397,"copyright":17,"fieldtype":20,"is_external_url":22},8279054,"https://a.storyblok.com/f/168460/6009x4160/46a5116103/shutterstock_1290353356.jpg","Winning Management Support as an AppSec Leader","  \nAs an Application Security (AppSec) leader, one of the most significant challenges you might face is securing management support for your program. This lack of support often results in under-resourced AppSec teams feeling frustrated and unable to make a meaningful impact.  \n  \nTo foster an environment where your team feels valued and to prevent burnout, AppSec leaders must prioritize gaining additional resources.   \n  \nIn many organizations, security tends to climb the priority ladder slowly, requiring AppSec leaders to put in extra effort to secure the necessary approvals. Here are three strategies that can help you win management buy-in and create a better environment for your team.\n\n  \n  \n**1\\. Implement Metrics in Your Security Program**  \n![](https://a.storyblok.com/f/168460/6009x4160/f8b10cac48/shutterstock_1290353356-1.png)  \nWithout metrics, it becomes challenging to identify inefficiencies and tie them to numerically defined risks.  \n  \nAs a first step, metrics can be built off vulnerabilities discovered by security testing tools or pen tests. False negatives will always happen, but since you do not know what you do not know, let’s leave them aside for now.  \n  \nSome metrics we could use to identify bottlenecks are listed below. Once a bottleneck that leads to increased risk is identified, there is no silver bullet solution. Depending on the internal structure, the solution might lie in better processes, new tools, more headcount, or all of them.   
\n  \nIn any case, once metrics are in hand, they provide a firm ground to justify the resources needed to decrease business risk while gaining the trust of management with a data-driven ask that speaks their language.\n\n- **Triage Percentage:** This metric is helpful for identifying potential bottlenecks in the triage process. If 10% of new vulnerabilities can be triaged each month, 90% of reported vulnerabilities are not assessed as to whether they are real threats. If the problem is not solved, either the backlog will grow, which will deteriorate security posture over time, or developers will need to deal with untriaged vulnerabilities in the remediation stage, which will most likely create more friction with development teams.\n- **Missed SLAs:** SLAs determine the acceptable time frame to fix true-positive vulnerabilities and serve as a grace period after discovering vulnerabilities. Calculation of SLA starts at the remediation stage in some organizations whereas it starts at the discovery of a vulnerability in others.  \n  Depending on how SLA is calculated in the organization, a deteriorated metric can be a sign of extra resources needed in the triage or remediation stages.\n- **Burn-down:** The burn-down metric helps you understand how many new true-positive vulnerabilities are introduced vs. how many of them are getting closed.  \n  If the gap is growing, it is worth digging deeper to understand if it is a resource or process problem. \n- **Time to first response:** Time to first response indicates how long it takes to assess whether a reported vulnerability is a real threat or not. If the metric is higher than you’d expect, you might potentially have a resource problem in the triage team or a productivity problem. If developers are actively involved in the triage process, you might also want to investigate deeper.\n- **Time to first action:** Time to first action indicates how long it takes for a developer to start working on a vulnerability assigned to them. 
If the metric is higher than you’d expect, there might be a problem with planning the inclusion of vulnerabilities in development sprints.\n- **Time to resolution:** Time to resolution indicates the average time developers spend on vulnerabilities between starting to work on a vulnerability and closing it. If the metric is higher than you’d expect, the reason might be the lack of security know-how on how to fix vulnerabilities. Breaking down the metric by vulnerability category would give you a good idea about what type of vulnerabilities your next training session should focus on.\n\n**2\\. Leverage Metrics to Demonstrate ROI**  \n![](https://a.storyblok.com/f/168460/1451x774/3d4a2b3c49/shutterstock_427955782-5.png)Metrics point to the root cause of the problems and make it easier to quantify the risks that will be mitigated by extra resources. To build trust with the management team, AppSec leaders should convert problems to risks expressed in dollar values and make sure all of their asks are backed by numbers.  \n  \nFollow these steps to better leverage metrics:\n\n- **Assign a dollar value to each vulnerability:** The cost of a data breach is estimated to be around $4m these days (\u003Chttps://www.ibm.com/reports/data-breach>).   \n  Dividing the total risk of a data breach ($4m) by the number of true-positive vulnerabilities will yield the risk associated with each vulnerability in dollars.\n- **Calculate the risk:** If 1,000 new true-positive vulnerabilities arise each month and if we can close only 100 of them with current resources, that means our backlog will grow by 900 vulnerabilities every month. Multiply 900 by the dollar value we attach to a single vulnerability on average and we will be able to calculate the increasing business risk each month in dollars. 
This is a simplistic model just to give a rough idea, but the calculation can be altered to factor in different severity categories or other inputs such as vulnerabilities in internet-facing applications.\n- No matter how complex the calculation is, this amount will help figure out how many resources it makes sense to commit to mitigate that risk. If we are asking for a new hire that will cost $10K to address a risk of $1K, we will be able to tell it just does not make sense and adjust our demand accordingly.  \n    \n  This approach will go a long way to gain the trust of management and to ensure anything you ask for is taken seriously.\n\n**3\\. Collaborate with Other Departments**  \n![](https://a.storyblok.com/f/168460/3000x1886/e70ac05eab/shutterstock_1390292588.png)  \nMost security teams are criticized for being blockers for creativity and progress.  \n  \nTo change this perception and have support from multiple teams, AppSec leaders need to build rapport with the leaders of other teams in the organization. This is easier said than done, but the more we understand their concerns and speak their language, the more support we will have when we raise our voice.\n\nAs an example, marketing teams constantly publish landing pages of new campaigns or lead forms which potentially expand the attack surface but also present a good opportunity. Would it not be nice for them to know that those pages and the brand image they worked so hard to build are impenetrable by attackers?   \n  \nThis way of thinking helps dig out potential collaboration areas and offers an excellent opportunity to get support for more resources. While this is a representative example, AppSec leaders need to get creative with finding ways to help other teams in the organization so they can achieve their goals. \n\nIn conclusion, gaining management buy-in as an AppSec leader requires a combination of implementing metrics, demonstrating ROI, and collaborating with other departments. 
By employing these strategies, you can secure the resources your team needs and create a fulfilling work environment.","Securing management support for application security programs is difficult.","winning-management-support-as-an-appsec-leader","blog/winning-management-support-as-an-appsec-leader",[33,34],"ac09c949-27c0-42f9-b861-cddd0fd1aff7","2023-04-18T11:59:00.000Z",[],{"name":408,"created_at":409,"published_at":410,"id":411,"uuid":412,"content":413,"slug":419,"full_slug":420,"sort_by_date":29,"position":362,"tag_list":421,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":422,"first_published_at":423,"release_id":29,"lang":38,"path":29,"alternates":424,"default_full_slug":29,"translated_slugs":29},"How To Get Developer Buy-In For AppSec Programs","2023-03-09T07:57:50.801Z","2023-03-09T09:00:42.102Z",273100720,"8ad99744-296e-4d13-b93c-28548f3030d7",{"_uid":353,"image":414,"title":408,"author":125,"details":417,"component":25,"meta_description":418},{"id":415,"alt":17,"name":17,"focus":17,"title":17,"filename":416,"copyright":17,"fieldtype":20,"is_external_url":22},7441769,"https://a.storyblok.com/f/168460/1024x1024/8bd4683d7f/shutterstock_2272394691.jpg","Anyone who works on application security knows developers are inseparable from AppSec programs. Even so, the hardest part is figuring out how to get security on their agenda and actively involve them in preventing and managing vulnerabilities.\n\nOnly with their buy-in and active involvement is it possible to scale an application security program to the level desired by AppSec teams, especially in large enterprises where developers far outnumber security engineers.\n\nWe have seen many customer scenarios over the five years we have worked on Kondukto. 
Hearing the same complaints from various AppSec teams that developers do not react to vulnerabilities on time or do not consider security when they build new applications made us think about the root cause of the problem.\n\nWhen we looked at the way developers work in those organizations, we realized that security is an afterthought for development teams simply because they do not see anything in it for them.\n\nAlmost every job posting for software developers lists writing clean, readable, reusable, bug-free code as a requirement, whereas security is hardly ever mentioned.\n\nIt is not a part of their job description, KPI, or differentiator, so why care about it?\n\n![](https://a.storyblok.com/f/168460/2000x2000/8785680113/shutterstock_1835075338.jpg)\n\nSo the solution lies mainly in human resources as a change management topic.\n\nTo initiate the change, we do not need another tool or a process but a different headspace where developers know they are expected and encouraged to code securely. Creating this culture paves the way for raising security awareness in the development teams more than any tool we’d think of.\n\nFor this purpose, just like bridging the gaps between security and development teams, AppSec teams also need to cooperate with human resources teams, CTOs and VPs of Engineering to make sure security is at least an expectation phrased in job descriptions, more favorably a KPI to distinguish good performers from the bad ones.\n\nBringing in security as a KPI for developers may be alarming for organizations where developers have the final say in most internal decisions. Change management is always challenging, but proper communication and creative solutions can facilitate the process.\n\nIf you help them see this as a change in their favor, things will be much easier. So let’s take a look at some arguments we can use.\n\n**1\\. 
Security is becoming a distinguishing factor that sets a good developer apart from the rest.**\n\n![](https://a.storyblok.com/f/168460/1000x667/9018a9ae7b/shutterstock_447218884.jpg)\n\nIt is easy to forget how rapidly roles evolve in the tech world. Just look at the requirements listed in job postings five years ago and now.\n\nAll you need is to remind them how the expectations from a developer keep changing over time. Any developer who wants to stay up-to-date in the market needs to start thinking about security.\n\nTo encourage them to do so, tracking and measuring secure coding performance in a gamified way helps to create a competitive but friendly atmosphere.\n\nIt would be naive to expect companies not to reward developers who code with security in mind and prevent the very vulnerabilities those companies spend significant budgets to discover.\n\nIn some cases, the programming languages are replaced with new ones to prevent certain vulnerabilities. This clearly indicates that the developers' capabilities also need to change accordingly. Below is a blog post on how Google eliminated memory-related vulnerabilities in Android by switching from C++ to Rust.\n\n\u003Chttps://security.googleblog.com/2022/12/memory-safe-languages-in-android-13.html>\n\n**2\\. Developers prefer to deal with fewer vulnerabilities if not none.**\n\nVulnerabilities popping up at the latest stages of the software development life cycle are the most annoying for developers since they impede their workflow.\n\nAlmost all developers would prefer not to have any vulnerabilities in their sprint, especially ones they did not create in the first place.\n\nAs a crucial part of a successful application security program, threat modeling helps prevent vulnerabilities in advance and frees up time for more innovative work. 
It also helps improve the security awareness of developers and encourages them to think in a security-friendly way when building applications.\n\nAnother benefit of an AppSec program for developers is the ability to discover vulnerabilities earlier in the software development life cycle, allowing for on-the-spot fixes that take much less time than in the later stages of development.\n\n**3\\. Having a metric-based program helps developers to justify their contribution.**\n\n![](https://a.storyblok.com/f/168460/3000x2000/de5c27b6b0/shutterstock_1528876025.jpg)\n\nEvery developer wants to work in an environment where expectations are clear and their effort is appreciated.\n\nFrom a security perspective, developers are the usual suspects for all application vulnerabilities, and they can benefit from an AppSec program that lays out how they contribute to the program, either by not creating vulnerabilities or by fixing them on time.\n\nWith a proper AppSec program that helps create and convey expectations with metrics and SLAs, it is easier for developers to determine if they are living up to the expectations and to counter accusations that they do not do their part in the AppSec program.","Developers are inseparable from AppSec programs and their buy-in is essential for a sustainable security program","how-to-get-developer-buy-in-for-appsec-programs","blog/how-to-get-developer-buy-in-for-appsec-programs",[34,33],"67acff12-a40a-4d8a-9e63-e5c0b7568716","2023-03-08T11:00:00.000Z",[],{"name":426,"created_at":427,"published_at":428,"id":429,"uuid":430,"content":431,"slug":437,"full_slug":438,"sort_by_date":29,"position":362,"tag_list":439,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":440,"first_published_at":441,"release_id":29,"lang":38,"path":29,"alternates":442,"default_full_slug":29,"translated_slugs":29},"How to integrate continuous API fuzzing into the 
CI/CD?","2023-01-12T06:59:12.539Z","2023-01-24T10:29:45.585Z",245439827,"92bb4d24-1de2-45e2-90d3-bfb9c96c767a",{"_uid":353,"image":432,"title":426,"author":101,"details":435,"component":25,"meta_description":436},{"id":433,"alt":17,"name":17,"focus":17,"title":17,"filename":434,"copyright":17,"fieldtype":20,"is_external_url":22},6870481,"https://a.storyblok.com/f/168460/1024x1024/5cbd1962d6/dall-e-2023-01-12-10-33-03-a-computer-from-90s-opens-a-command-prompt-and-getting-fuzzed-by-random-inputs-cartoon-style.png","API security is a growing concern for businesses that offer or consume APIs. APIs, or application programming interfaces, allow different software systems to communicate and exchange data. They allow businesses to build integrations and connect with partners, customers, and other stakeholders.\n\nHowever, as more sensitive data is being shared through APIs, it is essential to ensure that these interfaces are secure and protected from unauthorized access or manipulation.\n\nIn this blog post, we’ll discuss how continuous fuzzing can be a powerful tool to secure APIs and how developers can adopt a “secure by default” approach by integrating continuous fuzzing into SDLC processes.\n\nFuzzing can be applied to any function but for this blog post, we will discover how we can fuzz REST API payloads using [Golang’s fuzzing](https://go.dev/security/fuzz/) library.\n\n#### What is Fuzzing?\n\nFuzzing, also known as fuzz testing, is a type of software testing that involves feeding invalid, unexpected, or random data to a program and observing how it responds. The goal of fuzz testing is to identify vulnerabilities in a program that attackers could potentially exploit.\n\nFuzzing is a powerful method for finding security vulnerabilities because it can simulate attacks that hackers might use to exploit a program. 
By sending a large number of different inputs to the program, fuzz testing can uncover vulnerabilities that other testing methods might not detect.\n\nThere are many ways to fuzz your code in a staging environment, but we want the fuzzing process to become a part of our Software Development Life Cycle. To achieve this, we’ll use the Go programming language. In Go 1.18, native fuzzing was added to the standard `testing` package, so it’s straightforward to implement fuzz functions alongside unit tests, and we can “fuzz” our code without any external tool or library.\n\nPlease note that you don’t need to have unit tests for fuzzing. Nevertheless, having unit tests will help us as a base for our fuzz test.\n\nLet’s start with a simple fuzzing example, which should look like the following snippet. First, we feed the fuzzer with a seed corpus (sample inputs); the fuzzing engine then calls the target function (Reverse) with inputs mutated from the seed data, and if a property check fails or the function panics, we catch it.\n\n~~~\npackage main\n\nimport (\n        \"errors\"\n        \"unicode/utf8\"\n)\n\n// Reverse returns s with its runes in reverse order. Invalid UTF-8 is rejected\n// up front, which keeps the round-trip property checked by the fuzz test well defined.\nfunc Reverse(s string) (string, error) {\n        if !utf8.ValidString(s) {\n                return s, errors.New(\"input is not valid UTF-8\")\n        }\n        r := []rune(s)\n        for i, j := 0, len(r)-1; i \u003C len(r)/2; i, j = i+1, j-1 {\n                r[i], r[j] = r[j], r[i]\n        }\n        return string(r), nil\n}\n~~~\n\n~~~\npackage main\n\nimport (\n        \"testing\"\n        \"unicode/utf8\"\n)\n\n// FuzzReverse lives in a _test.go file; fuzz targets take *testing.F.\nfunc FuzzReverse(f *testing.F) {\n        testcases := []string{\"Hello, world\", \" \", \"!12345\"}\n        for _, tc := range testcases {\n                f.Add(tc) // Use f.Add to provide a seed corpus\n        }\n        f.Fuzz(func(t *testing.T, orig string) {\n                rev, err1 := Reverse(orig)\n                if err1 != nil {\n                        return\n                }\n                doubleRev, err2 := Reverse(rev)\n                if err2 != nil {\n                        return\n                }\n                // Property 1: reversing twice must give the original back\n                if orig != doubleRev {\n                        t.Errorf(\"Before: %q, after: %q\", orig, doubleRev)\n                }\n                // Property 2: valid UTF-8 in must never produce invalid UTF-8 out\n                if utf8.ValidString(orig) && !utf8.ValidString(rev) {\n                        t.Errorf(\"Reverse produced invalid UTF-8 string %q\", rev)\n                }\n        })\n}\n~~~\n\nWe need to keep in mind that fuzzing is an expensive operation, and left to itself it only stops when it finds a crash. That’s the downside, so we should decide how frequently a function should be fuzzed according to its criticality. Many critical applications (Google Chrome, for example) are fuzzed constantly. In this example, we’ll fuzz frequently (in each build) but for a very short time.\n\nLuckily, the go tool supports a time limit (`-fuzztime`) for exactly this.\n\n~~~\n└> go test -v -fuzz . --fuzztime=30s\n=== FUZZ  FuzzReverse\nfuzz: elapsed: 0s, gathering baseline coverage: 0/47 completed\nfuzz: elapsed: 0s, gathering baseline coverage: 47/47 completed, now fuzzing with 12 workers\nfuzz: elapsed: 3s, execs: 697351 (232449/sec), new interesting: 0 (total: 47)\nfuzz: elapsed: 6s, execs: 1448115 (250179/sec), new interesting: 0 (total: 47)\nfuzz: elapsed: 9s, execs: 2151568 (234515/sec), new interesting: 0 (total: 47)\nfuzz: elapsed: 12s, execs: 2837852 (228799/sec), new interesting: 0 (total: 47)\nfuzz: elapsed: 15s, execs: 3516539 (226187/sec), new interesting: 1 (total: 48)\nfuzz: elapsed: 18s, execs: 4197205 (226882/sec), new interesting: 1 (total: 48)\nfuzz: elapsed: 21s, execs: 4859241 (220710/sec), new interesting: 1 (total: 48)\nfuzz: elapsed: 24s, execs: 5493189 (211323/sec), new interesting: 1 (total: 48)\nfuzz: elapsed: 27s, execs: 6156103 (220938/sec), new interesting: 2 (total: 49)\nfuzz: elapsed: 30s, execs: 6827045 (223682/sec), new interesting: 3 (total: 50)\nfuzz: elapsed: 30s, execs: 6827045 (0/sec), new interesting: 3 (total: 50)\n--- PASS: FuzzReverse (30.09s)\nPASS\nok      github.com/ckalpakoglu/fuzzing  30.094s\n~~~\n\nAs 
the example above shows, fuzzing enables developers to test for the unexpected. It does not replace the need for other types of tests but rather complements them. It is a great way to increase test coverage and identify test cases.\n\nFrom a security perspective, fuzzing continuously is essential for several reasons.\n\n- **Identifying input validation vulnerabilities:** APIs often rely on input validation to ensure that only valid data is accepted. Fuzz testing can help identify input validation vulnerabilities by sending many input values to the API and observing how it responds.\n- **Testing for robustness:** Fuzz testing can help developers determine whether their API is robust enough to handle various inputs, including invalid, unexpected, or malicious data. This can help ensure that the API is secure and can withstand attacks.\n- **Uncovering hidden/logic vulnerabilities:** Fuzz testing can help identify hidden/logic vulnerabilities in a program that might not be immediately apparent. By sending a large number of different inputs to the program, fuzz testing can uncover vulnerabilities that other testing methods might not detect.\n\nLet’s use this approach to fuzz our REST endpoints and add fuzz tests into the DevOps pipeline to run it on every build.\n\nThe example API can be found at \u003Chttps://github.com/kondukto-io/simple-fuzzing>. 
The project layout is simple as follows and self-explanatory:\n\n~~~\n\n├── cmd\n│   └── server.go\n├── handlers\n│   ├── db.go\n│   ├── handlers.go\n│   ├── user.go\n│   └── user_test.go\n├── main.go\n└── util\n    └── util.go\n~~~\n\nFor the sake of this blog post, we will focus on the `/handlers` directory but first, let’s investigate the “server.go”.\n\nThe code is pretty straightforward, and to keep it even simpler, we have two handlers: `CreateUser` and `GetUserByID`.\n\n~~~\npackage cmd\n\nimport (\n\t\"database/sql\"\n\n\t\"github.com/labstack/echo/v4\"\n\t\"github.com/labstack/echo/v4/middleware\"\n\t_ \"github.com/mattn/go-sqlite3\"\n\n\t\"github.com/kondukto-io/simple-fuzzing/handlers\"\n)\n\nconst (\n\tport = \":8888\"\n)\n\nfunc Execute() error {\n\t// setup the database\n\tdb, err := sql.Open(\"sqlite3\", \"file::memory:?cache=shared\")\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tdefer db.Close()\n\n\te := echo.New()\n\t// middlewares\n\te.Use(middleware.Logger())\n\n\n\t// run the db migration. 
This should run once \n\terr = handlers.MigrateDB(db)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\t// Initialize the handlers\n\th := handlers.NewHandler(db)\n\n\t// Routes\n\te.POST(\"/create\", h.CreateUser)\n\te.GET(\"/user/:id\", h.GetUserByID)\n\n\treturn e.Start(port)\n}\n~~~\n\nThe idea is to write a fuzz test for each endpoint, and to do that, we need to look at the handler function.\n\n~~~\npackage handlers\n\nimport (\n        \"net/http\"\n\n        \"github.com/labstack/echo/v4\"\n\n        \"github.com/kondukto-io/simple-fuzzing/util\"\n)\n\n// User is the request/response model bound from the JSON body.\ntype User struct {\n        ID    string `json:\"id\"`\n        Name  string `json:\"name\"`\n        Email string `json:\"email\"`\n}\n\nfunc (h *Handler) CreateUser(c echo.Context) error {\n        u := new(User)\n        if err := c.Bind(u); err != nil {\n                // in production you should not return the raw error message to the client\n                return &echo.HTTPError{Code: http.StatusBadRequest, Message: err.Error()}\n        }\n\n        stmt, err := h.db.Prepare(\"INSERT INTO users(id, name, email) values (?, ?, ?)\")\n        if err != nil {\n                // in production you should not return the raw error message to the client\n                return &echo.HTTPError{Code: http.StatusBadRequest, Message: err.Error()}\n        }\n\n        defer stmt.Close()\n\n        _, err = stmt.Exec(u.ID, u.Name, u.Email)\n        if err != nil {\n                // in production you should not return the raw database error to the client\n                return &echo.HTTPError{Code: http.StatusBadRequest, Message: err.Error()}\n        }\n        return c.JSON(http.StatusOK, u)\n}\n\n\n//...\u003Csnipped>... \n~~~\n\nThe handler does the following:\n\n1. There is a `User` model (struct) with three fields.\n2. The handler expects a JSON request and maps the data with the `User` model.\n3. The given `User` input is inserted into the “USERS” table in the database.\n4. 
If an error occurs, the function returns a HTTP status code  “400 - BadRequest” with the error message.\n\nAs you can see, there is no data validation in the handler, but the INSERT operation uses a parameterized query.\n\n~~~\npackage handlers\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"regexp\"\n\t\"testing\"\n\t\"unicode/utf8\"\n\n\t\"github.com/DATA-DOG/go-sqlmock\"\n\t\"github.com/labstack/echo/v4\"\n\n\t\"github.com/kondukto-io/simple-fuzzing/util\"\n)\n\nvar (\n\t// we use test cases for the unit tests\n\t// and for fuzz test as a seed corpus\n\ttests = []struct {\n\t\tname    string\n\t\targs    User\n\t\twantErr bool\n\t}{\n\t\t{\n\t\t\tname: \"success\",\n\t\t\targs: User{\n\t\t\t\tID:    \"1111\",\n\t\t\t\tName:  \"kondukto\",\n\t\t\t\tEmail: \"helo@kondukto.io\",\n\t\t\t},\n\t\t\twantErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"fail\",\n\t\t\targs: User{\n\t\t\t\tID:    \"1212121212121212121212121111\",\n\t\t\t\tName:  \"kondukto\",\n\t\t\t\tEmail: \"helo@kondukto.io\",\n\t\t\t},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"fail\",\n\t\t\targs: User{\n\t\t\t\tID:    \"s1111\", // not a valid ID\n\t\t\t\tName:  \"kondukto\",\n\t\t\t\tEmail: \"helo@kondukto.io\",\n\t\t\t},\n\t\t\twantErr: true,\n\t\t},\n\t}\n)\n\nfunc FuzzCreateUser(f *testing.F) {\n\t// setup the db\n\tdb, mock, err := sqlmock.New()\n\tif err != nil {\n\t\tf.Fatalf(\"an error '%s' was not expected when opening a mock db conn\", err)\n\t}\n\tdefer db.Close()\n\n\tfor _, tt := range tests {\n\t\tf.Add(tt.args.ID, tt.args.Name, tt.args.Email)\n\t}\n\n\tf.Fuzz(func(t *testing.T, id, name, email string) {\n\t\tif !util.VaildID(id) || !utf8.ValidString(name) || !utf8.ValidString(email) {\n\t\t\treturn\n\t\t}\n\n\t\tmock.ExpectPrepare(regexp.QuoteMeta(\"INTO users(id, name, email) values (?, ?, ?)\"))\n\n\t\th := NewHandler(db)\n\t\tinput := User{\n\t\t\tID:    id,\n\t\t\tName:  name,\n\t\t\tEmail: 
email,\n\t\t}\n\n\t\tt.Log(input)\n\n\t\tbody, err := json.Marshal(input)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"error %v\", err)\n\t\t}\n\n\t\te := echo.New()\n\t\treq := httptest.NewRequest(http.MethodPost, \"/\", bytes.NewReader(body))\n\t\treq.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)\n\t\trec := httptest.NewRecorder()\n\t\tc := e.NewContext(req, rec)\n\t\tc.SetPath(\"/create\")\n\n\t\tmock.ExpectExec(regexp.QuoteMeta(\"INSERT INTO users(id, name, email) values (?, ?, ?)\")).\n\t\t\tWithArgs(input.ID, input.Name, input.Email).WillReturnResult(sqlmock.NewResult(1, 1))\n\n\t\t// testing the function\n\t\tif err := h.CreateUser(c); err != nil {\n\t\t\tt.Errorf(\"CreateUser() err = %v\", err)\n\t\t}\n\n\t\t// ensure all expectations have been met\n\t\tif err = mock.ExpectationsWereMet(); err != nil {\n\t\t\tfmt.Printf(\"unmet expectation error: %s\", err)\n\t\t}\n\t})\n}\n~~~\n\nIdeally, we prefer to derive our fuzz tests from unit tests to maintain the structure as is. It is easier, and adding more test cases will increase the fuzzer’s seed corpus.\n\nFinally, we run a fuzz test and wait for the crash. Go’s fuzzing library will store all the crash cases in the `testdata` directory. 
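As an added example (not code from the post or from the simple-fuzzing repository), here is a stdlib-only variant of the same idea that fuzzes the raw request body instead of three pre-validated strings, so the JSON decoding path is under test as well and the test asserts invariants rather than exact results. The `validateUser` rule (digits-only ID), the in-memory store, the 4 KB body cap and the fixed error strings are assumptions standing in for `util.VaildID`, the SQLite table and the echo handler; the seed bodies are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
	"testing"
	"unicode/utf8"
)

// User mirrors the three-field model of the post.
type User struct {
	ID    string `json:"id"`
	Name  string `json:"name"`
	Email string `json:"email"`
}

// idPattern is an assumed rule (1 to 16 decimal digits) standing in for util.VaildID.
var idPattern = regexp.MustCompile(`^[0-9]{1,16}$`)

// validateUser is the input validation the post's handler does not have.
func validateUser(u *User) error {
	if !idPattern.MatchString(u.ID) {
		return fmt.Errorf("invalid id")
	}
	if u.Name == "" || len(u.Name) > 64 || !utf8.ValidString(u.Name) {
		return fmt.Errorf("invalid name")
	}
	if len(u.Email) > 254 || !strings.Contains(u.Email, "@") || !utf8.ValidString(u.Email) {
		return fmt.Errorf("invalid email")
	}
	return nil
}

// handler keeps accepted users in a map, standing in for the SQLite table.
type handler struct{ users map[string]User }

func newHandler() *handler { return &handler{users: map[string]User{}} }

// createUser decodes, validates and stores the body. Error responses carry a
// fixed message, so no decoder or database error text reaches the client.
func (h *handler) createUser(w http.ResponseWriter, r *http.Request) {
	dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)) // cap the body size
	dec.DisallowUnknownFields()
	var u User
	if err := dec.Decode(&u); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if err := validateUser(&u); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	h.users[u.ID] = u
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(u)
}

// postCreate drives the handler with one raw body and returns the status code.
func postCreate(h *handler, body []byte) int {
	req := httptest.NewRequest(http.MethodPost, "/create", bytes.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h.createUser(rec, req)
	return rec.Code
}

// FuzzCreateUserBody fuzzes the raw body so the JSON decoding path is exercised too.
// Put it in a _test.go file and run: go test -fuzz=FuzzCreateUserBody -fuzztime=20s
func FuzzCreateUserBody(f *testing.F) {
	// Seed corpus: constructed bodies covering valid, bad-ID, empty and malformed input.
	f.Add([]byte(`{"id":"1111","name":"kondukto","email":"helo@kondukto.io"}`))
	f.Add([]byte(`{"id":"s1111","name":"kondukto","email":"helo@kondukto.io"}`))
	f.Add([]byte(`{"id":"","name":"","email":""}`))
	f.Add([]byte(`not json`))
	f.Fuzz(func(t *testing.T, body []byte) {
		h := newHandler()
		code := postCreate(h, body) // a panic in here is reported by the fuzzer as a crash
		// Invariant 1: only the documented status codes ever come back (never a 500).
		if code != http.StatusOK && code != http.StatusBadRequest {
			t.Fatalf("unexpected status %d for body %q", code, body)
		}
		// Invariant 2: whatever was stored satisfies the validator.
		for _, u := range h.users {
			if err := validateUser(&u); err != nil {
				t.Fatalf("stored invalid user %+v: %v", u, err)
			}
		}
	})
}

func main() {
	h := newHandler()
	for _, b := range []string{`{"id":"1111","name":"kondukto","email":"helo@kondukto.io"}`, `{"id":"s1111"}`} {
		fmt.Printf("%s -> %d\n", b, postCreate(h, []byte(b)))
	}
}
```

Seeding with the same bodies the unit tests use, as the post recommends, and checking invariants instead of exact results is what lets the fuzzer explore freely: any body that makes the handler panic or answer with an undocumented status is recorded as a crash case under `testdata/fuzz/FuzzCreateUserBody/` and replayed on every later `go test` run.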
Crash inputs land in `testdata/fuzz/FuzzCreateUser/` and are replayed as regular test cases on every later `go test` run, so once a crash has been found it stays in the regression suite (commit that directory alongside the fix).\n\nAs we discussed previously, fuzzing is a never-ending process, which is why fuzzing only the \"critical\" endpoints can be a good option.\n\n~~~\n└> go test -v -fuzz=FuzzCreateUser --fuzztime=10s .\n=== RUN   TestCreateUser\n=== RUN   TestCreateUser/success\n=== RUN   TestCreateUser/fail\n=== RUN   TestCreateUser/fail#01\n--- PASS: TestCreateUser (0.00s)\n    --- PASS: TestCreateUser/success (0.00s)\n    --- PASS: TestCreateUser/fail (0.00s)\n    --- PASS: TestCreateUser/fail#01 (0.00s)\n=== RUN   TestGetUserByID\n=== RUN   TestGetUserByID/success\n=== PAUSE TestGetUserByID/success\n=== RUN   TestGetUserByID/fail\n=== PAUSE TestGetUserByID/fail\n=== RUN   TestGetUserByID/fail#01\n=== PAUSE TestGetUserByID/fail#01\n=== CONT  TestGetUserByID/success\n=== CONT  TestGetUserByID/fail#01\n=== CONT  TestGetUserByID/fail\n--- PASS: TestGetUserByID (0.00s)\n    --- PASS: TestGetUserByID/fail#01 (0.00s)\n    --- PASS: TestGetUserByID/fail (0.00s)\n    --- PASS: TestGetUserByID/success (0.00s)\n=== RUN   FuzzGetUserByID\n=== RUN   FuzzGetUserByID/seed#0\n    user_test.go:179:    ==== value is: 1111\n=== RUN   FuzzGetUserByID/seed#1\n=== RUN   FuzzGetUserByID/seed#2\n--- PASS: FuzzGetUserByID (0.00s)\n    --- PASS: FuzzGetUserByID/seed#0 (0.00s)\n    --- PASS: FuzzGetUserByID/seed#1 (0.00s)\n    --- PASS: FuzzGetUserByID/seed#2 (0.00s)\n=== FUZZ  FuzzCreateUser\nfuzz: elapsed: 0s, gathering baseline coverage: 0/168 completed\nfuzz: elapsed: 0s, gathering baseline coverage: 168/168 completed, now fuzzing with 12 workers\nfuzz: elapsed: 3s, execs: 66723 (22240/sec), new interesting: 6 (total: 174)\nfuzz: elapsed: 6s, execs: 112971 (15416/sec), new interesting: 7 (total: 175)\nfuzz: elapsed: 9s, execs: 134377 (7133/sec), new interesting: 7 (total: 175)\nfuzz: elapsed: 11s, execs: 141507 (3532/sec), new interesting: 7 (total: 175)\n--- PASS: FuzzCreateUser (11.03s)\nPASS\nok      
github.com/kondukto-io/simple-fuzzing/handlers  11.036s\n~~~\n\nFinally, we can add these fuzz tests to our CI/CD pipeline to **continuously fuzz** our endpoints on each build or each PR.\n\n`go test` can fuzz only one target per invocation (the `-fuzz` pattern must match exactly one fuzz test), so each handler gets its own pipeline step.\n\n~~~\nname: My workflow\n\n# Controls when the action will run. \non:\n  push:\n    branches: [ master ]\n\n# A workflow run is made up of one or more jobs that can run sequentially or in parallel\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Check out the repo\n        uses: actions/checkout@v3\n\n      - uses: actions/setup-go@v3\n        with:\n          go-version: '1.19'\n\n      - name: Build\n        run: go build -v ./...\n\n      - name: Test\n        run: go test -v ./...\n\n      - name: Fuzz Create User handler\n        run: go test -v -fuzz=FuzzCreateUser --fuzztime=20s ./handlers\n\n      - name: Fuzz GetUserByID handler\n        run: go test -v -fuzz=FuzzGetUserByID --fuzztime=20s ./handlers\n~~~\n\nOne caveat: a crash found on the runner is written to `handlers/testdata/fuzz/` on that ephemeral machine, so upload it as a build artifact (or commit it), otherwise the failing input is lost when the job ends. Because the `Test` step replays everything already under `testdata`, a committed crash input keeps failing the build until the bug is fixed.\n\n### Conclusion\n\nTesting is crucial to increase the quality of the software we develop, and fuzzing is an effective and proven method to find bugs in software.\n\nFrom a security engineering perspective, fuzz testing can be an effective way to achieve a “secure by default” approach in development.\n\nIn this blog post, we wanted to show you an alternative approach to improve the “security culture” among developers and how continuous fuzzing in the pipeline can be used as a security measure in (API) development.\n\nNext time we will introduce some vulnerabilities in the API and hope to find them with fuzz testing.\n\nFeel free to reach out to us if you have any questions about how to implement a DevSecOps pipeline from scratch.\n\n### Resources:\n\n- \u003Chttps://go.dev/security/fuzz/>\n- [Golang Fuzz Tutorial With Examples | GoLinuxCloud](https://www.golinuxcloud.com/golang-fuzz/)\n- [Fuzzing Go APIs for SQL 
Injection](https://blog.fuzzbuzz.io/fuzzing-go-apis-for-sql-injection/)\n- \u003Chttps://betterprogramming.pub/fuzzing-in-go-40796a54dc8b>\n- [Go Fuzz Testing - The Basics](https://blog.fuzzbuzz.io/go-fuzzing-basics/)\n- \u003Chttps://security.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html>","Integrate continuous fuzzing into the pipeline  - an automated alternative method to identify and fix vulnerabilities in SDLC before they become a problem","how-to-integrate-continuous-api-fuzzing-into-cicd","blog/how-to-integrate-continuous-api-fuzzing-into-cicd",[33,34],"40ff71cc-26da-4af2-92ef-c7821a186110","2023-01-17T07:59:10.394Z",[],{"name":444,"created_at":445,"published_at":446,"id":447,"uuid":448,"content":449,"slug":459,"full_slug":460,"sort_by_date":29,"position":461,"tag_list":462,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":463,"first_published_at":464,"release_id":29,"lang":38,"path":29,"alternates":465,"default_full_slug":29,"translated_slugs":29},"Kondukto & OpenAI (ChatGPT) Remediation Concept Work","2022-12-13T09:38:26.262Z","2023-01-23T18:07:46.086Z",233330257,"d1f83d22-1a9c-4338-99c0-836c36c6917e",{"_uid":450,"image":451,"title":455,"video":17,"author":456,"details":457,"component":25,"meta_description":458},"98d8e4a9-abbb-4381-8f69-eca666260362",{"id":452,"alt":17,"name":17,"focus":17,"title":17,"source":17,"filename":453,"copyright":454,"fieldtype":20,"is_external_url":22},6671111,"https://a.storyblok.com/f/168460/1024x1024/d928cec9ad/kondukto-openai.png","generated by OpenAI","OpenAI (ChatGPT) Vulnerability Remediation Concept Work","Suphi Cankurt","## **What's in OpenAI?**\n\n**OpenAI** is an artificial intelligence research laboratory that surprised the world with [ChatGPT](https://openai.com/blog/chatgpt/). 
It was founded in San Francisco in late 2015 by Sam Altman, Elon Musk and many others.\n\nChatGPT reached one million users in its first six days, and screenshots of remarkable AI-human conversations are still being shared.\n\nWe couldn't resist seeing how OpenAI can help developers and application security teams by providing remediation guidance.\n\nMany application security teams manage millions of security issues on Kondukto, so automated guidance could eventually save them hundreds of hours.\n\n### **Kondukto & OpenAI Concept Work**\n\nWe have a great place to test this concept: [CandyShop](/resources/candyshop-devsecops).\n\nIt is our community project where we scan vulnerable applications with the most popular open-source SAST, DAST, SCA and container scanners.\n\n\u003Ciframe width=\"740\" height=\"416\" src=\"https://www.youtube.com/embed/7RpdHWffWVU\" title=\"OpenAI (ChatGPT) Vulnerability Remediation Concept Work\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen>\u003C/iframe>\n\n### CandyShop Dashboard\n\n![](https://a.storyblok.com/f/168460/1280x692/bdbd7ad75b/candyshop-dashboard.png)\n\n### A SAST vulnerability on OWASP JuiceShop\n\n![](https://a.storyblok.com/f/168460/3420x1718/c2be80a7db/owasp-juiceshop-semgrep.png)\n\n***Semgrep description***\n\nDetected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n\n### Remediation advice from OpenAI\n\n![](https://a.storyblok.com/f/168460/3420x1832/345cf26eef/owasp-juiceshop-openai.png)\n\n***OpenAI Description***\n\nThe best way to fix this vulnerability is to use HTTPS instead of HTTP for the request. This can be done by changing the URL in line 22 to use the HTTPS protocol instead of HTTP.\n\nFor example, response = requests.post('https://example.com/URL', data = {'username': username, 'password': password})\n\nRemediation advice:\n\n1\\. 
Always use HTTPS when sending sensitive data over the internet.\n\n2\\. Use secure authentication protocols such as OAuth or OpenID Connect.\n\n3\\. Use secure encryption algorithms such as AES or RSA.\n\n4\\. Use secure protocols such as TLS or SSL.\n\n5\\. Use secure authentication methods such as two-factor authentication.\n\n6\\. Monitor your network for suspicious activity.\n\n7\\. Implement regular security audits and patch any vulnerabilities.\n\n### A container security vulnerability discovered by Trivy\n\n![](https://a.storyblok.com/f/168460/3390x1832/c5a663fa39/owasp-juiceshop-trivy.png)\n\n***Trivy description:***\n\n**DISPUTED**  GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is \"ASLR bypass itself is not a vulnerability.\"\n\n### Remediation advice from OpenAI for [CVE-2019-1010025](https://cert.civis.net/en/index.php?action=alert&param=CVE-2019-1010025)\n\n![OWASP JuiceShop OpenAI remediation](https://a.storyblok.com/f/168460/3390x1718/9ec6a42246/owasp-juiceshop-openai-remediation.png \"OWASP JuiceShop OpenAI remediation\")\n\n***OpenAI description:***\n\nThe best way to fix the CVE-2019-1010025 vulnerability in libc6 is to upgrade to the latest version of the library. This can be done by running the following command:\n\nsudo apt-get update && sudo apt-get upgrade libc6\n\nOnce the upgrade is complete, you should also ensure that all applications that use libc6 are restarted to ensure that the new version is being used.\n\nAs for remediation advice, it is important to keep all software and libraries up to date with the latest security patches. This can be done by regularly checking for updates and applying them as soon as they become available. 
Additionally, it is important to ensure that all applications that use vulnerable libraries are regularly monitored for any security issues.\n\n### Conclusion\n\nThe first results are pretty promising, and we continue to improve our questions and discover new ways of using OpenAI to benefit application security teams.\n\nMeanwhile, if you want to test the OpenAI remediation advice concept, please mention it in the notes section.","Kondukto integrates with OpenAI and gets vulnerability remediation advice for all your security testing results on this concept work.","kondukto-openai-chatgpt","blog/kondukto-openai-chatgpt",-310,[247,34],"bc1ac823-1e69-4cb8-a1ae-9f5541cc1277","2022-12-13T13:55:00.000Z",[],{"name":467,"created_at":468,"published_at":469,"id":470,"uuid":471,"content":472,"slug":478,"full_slug":479,"sort_by_date":29,"position":461,"tag_list":480,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":482,"first_published_at":483,"release_id":29,"lang":38,"path":29,"alternates":484,"default_full_slug":29,"translated_slugs":29},"OWASP ASVS with your security testing tools","2022-11-25T08:07:00.036Z","2022-11-28T12:15:45.999Z",225073266,"5df9e5e6-150c-42a8-a181-ab502ebb9eca",{"_uid":450,"image":473,"title":467,"author":456,"details":476,"component":25,"meta_description":477},{"id":474,"alt":17,"name":17,"focus":17,"title":17,"filename":475,"copyright":17,"fieldtype":20,"is_external_url":22},6516240,"https://a.storyblok.com/f/168460/318x159/9723356d3c/owasp-asvs.png","[**OWASP ASVS**](https://owasp.org/www-project-application-security-verification-standard/) is a great project that provides a framework of security controls for design and defines the basis of secure development.\n\nBut the problem is that when you decide to use these checks in your organization, you end up with a [**71-page pdf file**](https://github.com/OWASP/ASVS/raw/v4.0.3/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0.3-en.pdf) or an OWASP ASVS checklist (excel sheet).\n\n![OWASP 
ASVS Checklist](https://a.storyblok.com/f/168460/1346x610/8cd1287195/owasp-asvs-checklist.png \"OWASP ASVS Checklist\")\n\nIt is incredibly hard for organizations to adopt it and spread the word within the company.\n\nThis is why we decided to implement a feature that takes all the security testing tool results (by CWE) and maps them into OWASP ASVS automatically, so you can use it in every aspect of your application security program.\n\n![OWASP ASVS Mapping](https://a.storyblok.com/f/168460/2324x1168/2a5837897e/kondukto-asvs-mapped.png \"OWASP ASVS Mapping\")\n\n## **How to use OWASP ASVS with Kondukto?**\n\nYou can use this self-guided demo to see exactly how you can map all your security testing tool results into OWASP ASVS in Kondukto.\n\n[![OWASP ASVS Demo](https://a.storyblok.com/f/168460/1548x822/6d8d4fff6c/owasp-asvs-kondukto-demo.png \"OWASP ASVS Demo\")](https://app.storylane.io/demo/uvuz3tsfxm1n)\n\n## **What's in OWASP ASVS?**\n\n[**OWASP ASVS**](https://owasp.org/www-project-application-security-verification-standard/) (Application Security Verification Standard) is a great framework for developers to follow secure development practices and have technical security controls.\n\nThe latest version ([OWASP ASVS 4.0.3](https://github.com/OWASP/ASVS/raw/v4.0.3/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0.3-en.pdf)) was released in October 2021.\n\n![OWASP ASVS Chart](https://a.storyblok.com/f/168460/1610x822/a3bcf21016/kondukto-owasp-asvs-chart.png \"OWASP ASVS Chart\")\n\n## **How does OWASP ASVS work?**\n\nIt starts with an assessment of the business criticality of applications, and there are three security verification levels in OWASP ASVS 4:\n\n- **ASVS Level 1** is for low assurance levels and is completely penetration testable.\n- **ASVS Level 2** is for applications that contain sensitive data which requires protection, and is the recommended level for most apps.\n- **ASVS Level 3** is for the most critical applications – applications 
that perform high-value transactions, contain sensitive medical data, or any application that requires the highest level of trust.\n\nEach ASVS level contains a list of security requirements mapped to security-specific features and capabilities.\n\n![OWASP ASVS Plan](https://a.storyblok.com/f/168460/2426x656/76a005ab1b/owasp-asvs-plan.png \"OWASP ASVS Plan\")\n\n## **What is the benefit of using OWASP ASVS?**\n\nLet us dive into the details of the benefits of the OWASP ASVS framework for organizations:\n\n### **1- A baseline to measure your security posture**\n\nOWASP ASVS covers every aspect of application security, so it makes clear where you stand at the moment. You will have a baseline for each project, which gives you enough data to see trends and benchmarks over time.\n\n### **2- A guide for your security roadmap**\n\nNow you know what is missing, and you will have a pretty good idea of where to start.\n\nThis framework will categorize all the security issues in your applications, and you will start to catch patterns to improve security practices in your organization.\n\n### **3- Help you to be more proactive**\n\nIn general, the actions you take in application security are about finding existing vulnerabilities and how to solve them. With OWASP ASVS, however, you can start much earlier, even before the first line of code is written.\n\nYou will have clear guidelines on what to do and what not to do, so you will be prepared.\n\n### ","How to get all your security testing tools results mapped into OWASP ASVS with Kondukto?   
","owasp-asvs","blog/owasp-asvs",[481,34],"ASVS","8974cc35-4a6e-498e-ac72-04f83ad6e153","2022-11-28T13:55:00.000Z",[],{"name":486,"created_at":487,"published_at":488,"id":489,"uuid":490,"content":491,"slug":498,"full_slug":499,"sort_by_date":29,"position":461,"tag_list":500,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":501,"first_published_at":502,"release_id":29,"lang":38,"path":29,"alternates":503,"default_full_slug":29,"translated_slugs":29},"Application Security Engineer: Salary, Skills and Requirements","2022-10-10T08:12:17.732Z","2022-10-10T16:43:27.001Z",200529948,"7c42967e-4b9b-47e0-8477-457c4598467d",{"_uid":450,"image":492,"title":495,"author":456,"details":496,"component":25,"meta_description":497},{"id":493,"alt":17,"name":17,"focus":17,"title":17,"filename":494,"copyright":17,"fieldtype":20,"is_external_url":22},6056448,"https://a.storyblok.com/f/168460/700x394/4075cd2b02/application-security-engineer-role.jpg","Application Security Engineer: Salary, Skills, Requirements","A recent [report](https://www.isc2.org/Research/Workforce-Study) suggests that 700,000 new cybersecurity professionals have joined the market since 2020. But still, we are nowhere near closing the talent gap.\n\nLinkedIn shows only about +3k people with the \"Application Security Engineer\" job title.\n\n![LinkedIn Application Security Engineer](https://a.storyblok.com/f/168460/1920x936/d34e8c7ce8/linkedin-appsec-engineer-marked.png \"LinkedIn Application Security Engineer\")\n\nLet's dive into the world of application security:\n\n## **What does an Application Security Engineer do? 
**\n\n![Application Security Engineer Role](https://a.storyblok.com/f/168460/700x394/7d2d3488dd/application-security-engineer-role.png \"Application Security Engineer Role\")\n\nApplication security engineers ensure that your development team follows security best practices in each step of the software development life cycle.\n\nSome of the responsibilities of an application security engineer can be:\n\n- running/managing automated vulnerability scans\n- performing security-focused code reviews\n- helping with secure system design and architecture\n- prioritizing vulnerabilities based on the security risk posed to the organization\n- assisting developers with triage and remediation tasks\n- supporting the bug bounty program\n\n## **How to become an application security engineer?**\n\nThere are some universities where you can study application security; however, it is more likely to depend on your own efforts in training, certifications or bug bounties.\n\nYou'll be expected to be fluent in at least one programming language, and some companies will ask you to develop a small application.\n\n[![Institute for Application Security](https://a.storyblok.com/f/168460/1488x280/f0c37d4993/appsec-institute.png \"Institute for Application Security\")](https://www.tu-braunschweig.de/en/ias)\n\nYou can start by joining [**OWASP**](https://owasp.org/projects/) communities and projects and also enrol in many free courses:\n\n![Introduction to Application Security](https://a.storyblok.com/f/168460/1482x462/1690c5d815/introduction-to-appsec.png \"Introduction to Application Security\")\n\n![Application Security Training](https://a.storyblok.com/f/168460/1494x944/28b70453ed/appsec-training.png \"Application Security Training\")\n\nThere are also many certification programs related to application security:\n\n- [Certified Application Security Engineer (CASE) by EC-Council](https://www.eccouncil.org/programs/application-security-training/)\n- [Certified Secure Software Lifecycle Professional 
by (ISC)²](https://www.isc2.org/Certifications/CSSLP)\n- [Web Application Defender (GWEB) by GIAC](https://www.giac.org/certifications/certified-web-application-defender-gweb/)\n- [SEC522: Application Security by SANS](https://www.sans.org/cyber-security-courses/application-security-securing-web-apps-api-microservices/)\n\n## **Application security engineer salary and job requirements ​**\n\nAccording to [Talent.com](http://Talent.com), the average salary of an application security engineer is around $136k annually in the United States.\n\nLet's look at the required qualifications in the application security engineer jobs posted by some of the top companies:\n\n### **1- Chances of getting a job at Tesla in 2022 are only 0.5%​**\n\n**Tesla** is looking for someone to work on embedded firmware with a modern tech stack of C/C++ and Rust. All Teslas have a Chromium-based browser, so no surprise that JavaScript experience is a requirement.\n\nSomeone with experience in security automation (SAST, DAST, Fuzzing...) and Threat Modelling will be the right fit for this role.\n\n![Tesla Application Security Engineer Job Requirement](https://a.storyblok.com/f/168460/1472x412/beb3b01dac/tesla-appsec-engineer-job.png \"Tesla Application Security Engineer Job Requirement\")\n\n### **2- Let the game begin!**\n\nGaming giant **Electronic Arts** wants to hire someone to secure client systems (PC, mobile) and cloud infrastructure.\n\nSomeone with a security researcher background who has built vulnerability management programs and is experienced in OS internals would be successful in this role.\n\n![Electronic Arts Application Security Engineer Job Requirement](https://a.storyblok.com/f/168460/1456x506/a4df2075cf/electronic-arts-appsec-engineer.png \"Electronic Arts Application Security Engineer Job Requirement\")\n\n### **3- Are you ready to secure 33% of all cloud infrastructure?**\n\n**Amazon** is looking for someone strong in the communication department in this role. 
You may need to explain issues to developers or even less technical people.\n\nSomeone with a consultant background would be a good fit. Hands-on appsec experience and threat modelling experience will make your way into AWS.\n\n![AWS Application Security Engineer Job Requirement](https://a.storyblok.com/f/168460/1452x772/d1fc0e8d9d/amazon-appsec-engineer.png \"AWS Application Security Engineer Job Requirement\")\n\nAs you can see, Application Security Engineer is a multi-disciplinary role. There are multiple roads to take, and in addition to technical skills, it requires effective communication skills.\n\nDon't forget to subscribe to Kondukto Blog and get the latest tips and tools to build a mature AppSec Program.","A detailed analysis of the application security engineer job market includes salary details, job requirements and how to become an AppSec engineer.","application-security-engineer","blog/application-security-engineer",[34],"fa4fad1d-6754-4cd0-bd85-f4516fde2ac0","2022-10-10T13:55:00.000Z",[504,510],{"id":505,"name":506,"slug":507,"published":508,"full_slug":509,"is_folder":22,"parent_id":35},195360234,"The Economics of ASOC","the-economics-of-asoc",true,"blog/the-economics-of-asoc",{"id":511,"name":512,"slug":513,"published":508,"full_slug":514,"is_folder":22,"parent_id":35},180238140,"Dockerfile Security Best Practices with 
Semgrep","docker-security-best-practices-with-semgrep","blog/docker-security-best-practices-with-semgrep",{"name":506,"created_at":516,"published_at":517,"id":505,"uuid":518,"content":519,"slug":507,"full_slug":509,"sort_by_date":29,"position":461,"tag_list":525,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":501,"first_published_at":526,"release_id":29,"lang":38,"path":29,"alternates":527,"default_full_slug":29,"translated_slugs":29},"2022-09-27T14:58:09.950Z","2022-09-27T15:51:57.128Z","316f1c77-e3dc-4d11-9c31-7a102e79466c",{"_uid":450,"image":520,"title":506,"author":125,"details":523,"component":25,"meta_description":524},{"id":521,"alt":17,"name":17,"focus":17,"title":17,"filename":522,"copyright":17,"fieldtype":20,"is_external_url":22},5948633,"https://a.storyblok.com/f/168460/3000x2000/dbf590ee76/shutterstock_2000349251.jpg","“Are we paying a fair price for this tool?” is the question every decision-maker asks themselves before making a significant purchase decision.\n\nAs one of the nascent categories in the application security space, one of the significant challenges the ASOC category is likely to face is demonstrating the value it creates.\n\nWhile it is hard to quantify the benefits of a platform that claims to bring visibility into what was unseen before and speed up processes that involve multiple stakeholders, we have attempted to formulate the savings that an ASOC tool can create and came up with a [savings calculator](https://kondukto.io/resources/cost-savings-calculator).\n\nWe have identified three main outcomes of using an ASOC tool and have tried to tie each economic benefit to one of these buckets.\n\n**1\\. 
Faster Triage:** Using the automation capabilities of ASOC tools, security teams can create playbooks for certain types of low-hanging vulnerabilities and either get them out of the way or immediately escalate them without manual reviews.\n\nASOC tools also help security teams gain centralized visibility into their vulnerabilities without having to toggle between different interfaces.\n\n**2\\. Faster Remediation:** The biggest obstacles to quick remediation of vulnerabilities by software developers are the lack of knowledge about vulnerabilities and the lack of smooth collaboration with security teams.\n\nASOC tools can provide knowledge bases or training videos on how to remediate vulnerabilities and speed up the remediation process. To verify the fix, they can also run automated validation scans without requiring any involvement of the security team.\n\n**3\\. Higher number of triaged vulnerabilities:** Having a security team large enough to triage all reported vulnerabilities is great. 
But we know that is not the case most of the time.\n\nASOC tools can act as a force multiplier for your security teams, allowing them to review a higher number of vulnerabilities.\n\nEach extra vulnerability your security team can triage thanks to an ASOC tool is a reduced risk for you.\n\n**Reasoning Behind Our Calculation**\n\n![](https://a.storyblok.com/f/168460/500x334/c85ddef000/shutterstock_1932591758.jpg)  \nAs software is at the center of application security, we started with the average lines of code a software developer can write in one year.\n\nBased on the number of developers in an organization, we tried to converge on the lines of code that these developers can write in a given year.\n\nUsing an assumption on the average number of security vulnerabilities in 1000 lines of code, we extrapolated the number of vulnerabilities that are likely to arise in the software in one year.\n\nFor the sake of simplicity, we left out the potential vulnerabilities in the backlog discovered previously in the existing source code.\n\nWe also ignored false negatives assuming that our security testing tools successfully caught all these vulnerabilities and reported 25% false positives.\n\nThe more security testing tools we have, the more likely it is to have overlapping vulnerabilities across different tools. That is why we included those possible duplicate vulnerabilities in our calculation.\n\nOnce we have all these vulnerabilities discovered by our security testing tools, typically, our security engineers should triage them before they are sent to development teams for remediation.\n\nHowever, no security team is big enough to review all reported vulnerabilities. They need a filtering mechanism even before they start to triage vulnerabilities. 
Some just look at critical or high severity vulnerabilities, while others only care about OWASP Top-10 or SANS 25 etc.\n\nFrom our experience in the field, we know that organizations with a higher maturity level can afford the luxury of spending more time triaging vulnerabilities, whereas smaller companies with resource constraints have less time to decide if the reported vulnerability is real or not.\n\nAt the same time, they are also able to triage a higher number of vulnerabilities compared to other organizations at the earlier stages.\n\nTo locate your maturity level, you can take a look at the [Software Assurance Maturity Model](https://owaspsamm.org/) by OWASP which is a framework to analyze and improve the software security posture.\n\nTaking into account the centralization and automation capabilities of ASOC tools, faster triage translates to two things.\n\nFirst, there is a time saving for security engineers which can easily be converted to USD taking into consideration the average daily rate of a security engineer.\n\nSecond, the time saved can be used to triage a higher number of vulnerabilities which reduces the risk that the organization is exposed to. 
This can also be quantified by taking into consideration the size of the organization, for which the annual revenue is usually a good proxy.\n\nSince regulatory fines are mostly based on a fraction of the annual revenue, this can be seen as the risk that the organization is facing as a result of the vulnerabilities that arise in the code.\n\nPlease bear in mind that the damage of a security breach can take numerous forms, such as loss of customers or a deteriorated brand image, which might be even more detrimental for the company.\n\nFor the sake of simplicity, we did not include these risks and merely focused on the risk exposure from a regulatory fine.\n\nFrom a remediation perspective, ASOC tools bring visibility into the remediation process, and security engineers can promptly take action on vulnerabilities that are past their SLAs or track their metrics to identify bottlenecks in the process.\n\nThis leads to a drop in the time a developer spends on remediating a vulnerability, with proper guidance coming from the ASOC tool.\n\nThe time saved in the remediation process can also be monetized using the average daily rate of a software developer.\n\nYou can find our calculator [here](https://kondukto.io/resources/cost-savings-calculator) and if you have questions about the assumptions used in our calculation or would like to know more about the details, we’d love to chat with you to improve our model.","As one of the nascent categories in the application security space, ASOC needs to prove its worth 
financially.",[34],"2022-09-27T20:55:00.000Z",[528,529],{"id":489,"name":486,"slug":498,"published":508,"full_slug":499,"is_folder":22,"parent_id":35},{"id":511,"name":512,"slug":513,"published":508,"full_slug":514,"is_folder":22,"parent_id":35},{"name":531,"created_at":532,"published_at":533,"id":534,"uuid":535,"content":536,"slug":543,"full_slug":544,"sort_by_date":29,"position":461,"tag_list":545,"is_startpage":22,"parent_id":35,"meta_data":29,"group_id":546,"first_published_at":547,"release_id":29,"lang":38,"path":29,"alternates":548,"default_full_slug":29,"translated_slugs":29},"Announcing Our Seed Round ","2022-09-02T11:36:25.009Z","2022-09-06T15:17:54.928Z",183973329,"2dd3b5cf-faa7-47df-9ac4-25d3674865ee",{"_uid":450,"image":537,"title":540,"author":125,"details":541,"component":25,"meta_description":542},{"id":538,"alt":17,"name":17,"focus":17,"title":17,"filename":539,"copyright":17,"fieldtype":20,"is_external_url":22},5744243,"https://a.storyblok.com/f/168460/1200x630/b35477be3b/announcing-our-seed-round.jpg","Announcing Our Seed Round","We are thrilled to announce our seed round by ScaleX Ventures. With this investment, we welcome [Dilek Dayınlarlı](https://www.linkedin.com/in/dilekdayinlarli/) to our board of directors and [Berkay Mollamustafaoğlu](https://www.linkedin.com/in/berkay/) to our advisory board.\n\n## \n\n## What We Do at Kondukto\n\nWe founded Kondukto with a clear focus on the tool sprawl problem in application security. 
\n\nWith different security testing tools targeting different stages of the software development life cycle, we built Kondukto to bring visibility into the security posture in a single platform and to help understaffed application security teams with orchestration and automation capabilities.\n\nComing from a managed services background, we personally experienced how difficult it is to scale the effort of security teams when software development keeps accelerating and new security tools keep popping up each day.\n\nBeing in the field allowed us to closely observe the gap between security and development teams and the problems it brings about. That is why we designed Kondukto to respond to the needs of security teams while having a development-friendly approach from day one.\n\nBy offering built-in integrations with many commercial and open-source security tools, Kondukto offers a holistic view of vulnerabilities discovered in different stages of the SDLC. With its 2-way integration with issue trackers, Kondukto also sheds light on the remediation process to make sure vulnerabilities are not only discovered but are also closely monitored during remediation.\n\nWe strive to make the lives of security teams easier by providing them with a single platform where they can manage vulnerabilities at scale through automation. They can easily automate processes such as creating tickets, notifications or security checks within pipelines. 
Centralizing vulnerabilities and automating tedious tasks gives time back to security engineers to focus on more value-added tasks.\n\nWe invite anyone concerned with security to our [free trial](https://kondukto.io/start-free-trial) to see how Kondukto facilitates things that were once considered too time-consuming.\n\n## What Is Next\n\nWith this investment, we are growing our team to accelerate our global expansion, and you can check out open positions on [our careers page](https://kondukto.io/careers).\n\nWe strongly believe this investment round will fuel our global traction and help us strengthen our position in our emerging field of AppSec orchestration.\n\nIf you’d like to hear from us, make sure to follow us on [LinkedIn](https://www.linkedin.com/company/kondukto) and [Twitter](https://twitter.com/kondukto), and sign up to our [newsletter](https://kondukto.io/blog).","At Kondukto, we are thrilled to announce our seed round.","announcing-our-seed-round","blog/announcing-our-seed-round",[],"d3384d2d-3bd6-4342-aac5-4d8bc278f79b","2022-09-05T11:28:00.000Z",[],1706093922,[],[],{"age":553,"cache-control":554,"connection":555,"content-encoding":556,"content-type":557,"date":558,"etag":559,"per-page":560,"referrer-policy":561,"sb-be-version":562,"server":563,"total":564,"transfer-encoding":565,"vary":566,"via":567,"x-amz-cf-id":568,"x-amz-cf-pop":569,"x-cache":570,"x-content-type-options":571,"x-download-options":572,"x-frame-options":573,"x-permitted-cross-domain-policies":574,"x-request-id":575,"x-runtime":576,"x-xss-protection":577},"86068","max-age=0, public, s-maxage=604800","keep-alive","gzip","application/json; charset=utf-8","Thu, 25 Jan 2024 02:14:26 GMT","W/\"f8f176176b2b297b014a9064dc187063\"","24","strict-origin-when-cross-origin","1.99.1.D","nginx/1.23.3","56","chunked","Accept-Encoding,Origin","1.1 7db19e3781edb64ef4f7023d2c25783e.cloudfront.net (CloudFront)","mCCtuOm3yFEuOxqPVrSIS2o5nNNHPx4KBHJfbiTUS3BbWirFKyFw7A==","IAD12-P1","Hit from 
cloudfront","nosniff","noopen","SAMEORIGIN","none","4321ef39-697c-4a84-b0da-017c7b2e56ad","0.169488","1; mode=block",24,56,1706234934085]