SlideShare ist ein Scribd-Unternehmen logo
1 von 18
Top 5 things I
wish I knew
about SAST
While using a standard
Power Point Template
Florin Coada
That’s me
8-ish years in AppSec
Games development degree
Fluent in memes
 PM for SAST tool (boooo!)
1. SAST doesn’t find vulnerabilities
• Lack of context
• Unknown user code
• Mitigating factors
Finding Issue
The GREAT filter
• internal policy
• threat modelling
• industry standards
Vulnerability
everything the tool finds stuff you care about stuff that will hurt you
The human touch
WHY?
1. SAST doesn’t find vulnerabilities
• Enterprise customer
• Too many issues
• Mostly dealing with Java web
Finding Issue
The GREAT filter
• Internal policy
Vulnerability
A few Thousand A few tens/hundreds A handfull
Security Champion
Story time
2. Not all applications are born equal
“Secure applications do not exist” – me & others who tried
How much you should care
No. of apps
Understand acceptable risk
€£$
2. Not all applications are born equal
“Secure applications do not exist” – me & others who tried
How much you should care
No. of apps
Understand acceptable risk
€£$
2. Not all applications are born equal
“Secure applications do not exist” – me & others who tried
2.a – Shifting goes both ways
Code Build Test Security Release
“Shift left” – most marketing materials
2. Not all applications are born equal
“Secure applications do not exist” – me & others who tried
2.a – Shifting goes both ways
Story time
”ALL code must be
scanned”
If every developer
scans their code
All the code is
scanned
Deploy a SAST tool to all developer
IDEs:
- report metrics
- cofirm scans happened
- generate reports
3. Your code vs code you use
S A S T S C A
Static Application Security Testing Software Composition Aanalysis
Dangerous patterns in your code Dangerous libraries used by your application
Why not SCA:
3. Your code vs code you use
Your code 3rd Party Code
Infrastructure Code
Application Code
Why SAST: • Can explain context
• Know the code
• Have access to the code
Why not SAST: • Extremely high amounts of code
• No in depth code knowledge
Containers & stuff
App Dependencies
• Doesn’t really exist for your
own code
Why SCA: • Faster than SAST
• Information is specific to known
vulnerabilities in libraries
• Licensing information
• Constantly updated by researchers
Story time
4. Some effort up front goes a long way
From this To this
Vulnerabilities
• Define the things you care about
• Remove the ones you doubt about
• Find your friends (security champions)
• Educate & set expectations
• Find out about policies & security frameworks
4. Some effort up front goes a long way
Story time
”We want to
automate our SAST”
The tool can
integrate with CI
We’ll add a SAST
step
Tool was successfully deployed, but
developers complained:
- Too many findings
- False possitives
- Not enough time to review
- No knowledge on the topics
5. Try it on your stuff
1. When should I test a SATS tool on a real app?
2. When should I make a decission based on a benchmark?
Some other things
Benchmarks:
- Highest score: “If you ask us to scan this 1 application we're like super really good at it“
- Popular apps: It's never "out of the box”
“Most accurate on the market”: only finds a few things
There's always a cost
Some other things
CWE count != coverage or quality (Vulns can be represented by multiple CWEs. Just because a
CWE is ticket it doesn't mean it will have the right rule for your scenario)
The vendors are mean: but we do know the tool and we
can help
But…
Avoid technology bias (eg. some vendors will overplay the importance of SCA vs the
importance of SAST, etc)
JavaScript sucks It really does!
Quick recap
1. SAST doesn’t find vulnerabilities
2. Not all applications are born equal
3. Your code vs code you use
4. Some effort up front goes a long way
5. Try it on your stuff
Questions
I can’t promise any answes
What’s the difference between a
CVE and a CWE?

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (19)

CyberSecurity Portfolio Management
CyberSecurity Portfolio ManagementCyberSecurity Portfolio Management
CyberSecurity Portfolio Management
 
Application Security
Application SecurityApplication Security
Application Security
 
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security Risk
 
Cyber security series Application Security
Cyber security series   Application SecurityCyber security series   Application Security
Cyber security series Application Security
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks  - Ed Adams, President, Security InnovationWfh security risks  - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
ATP Technology Pillars
ATP Technology PillarsATP Technology Pillars
ATP Technology Pillars
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
 
Secure by design and secure software development
Secure by design and secure software developmentSecure by design and secure software development
Secure by design and secure software development
 
How to Detect a Cryptolocker Infection with AlienVault USM
How to Detect a Cryptolocker Infection with AlienVault USMHow to Detect a Cryptolocker Infection with AlienVault USM
How to Detect a Cryptolocker Infection with AlienVault USM
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)
 
How to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USMHow to Detect System Compromise & Data Exfiltration with AlienVault USM
How to Detect System Compromise & Data Exfiltration with AlienVault USM
 
Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
 
A successful application security program - Envision build and scale
A successful application security program - Envision build and scaleA successful application security program - Envision build and scale
A successful application security program - Envision build and scale
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
 
Rapid Threat Modeling Techniques
Rapid Threat Modeling TechniquesRapid Threat Modeling Techniques
Rapid Threat Modeling Techniques
 

Ähnlich wie 5 things i wish i knew about sast (DSO-LG July 2021)

Something Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinSomething Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
Mike Spaulding
 

Ähnlich wie 5 things i wish i knew about sast (DSO-LG July 2021) (20)

Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security
 
Something Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinSomething Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton Chuvakin
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself Secure
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Cinci ug-january2011-anti-patterns
Cinci ug-january2011-anti-patternsCinci ug-january2011-anti-patterns
Cinci ug-january2011-anti-patterns
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinar
 
How to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsHow to Get the Most Out of Security Tools
How to Get the Most Out of Security Tools
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 -  How to protect your web applicationsJust4Meeting 2012 -  How to protect your web applications
Just4Meeting 2012 - How to protect your web applications
 
Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work together
 
Hacker vs tools
Hacker vs toolsHacker vs tools
Hacker vs tools
 
Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?Hacker vs Tools: Which to Choose?
Hacker vs Tools: Which to Choose?
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 

Mehr von Michael Man

Mehr von Michael Man (20)

K8S Certifications - Exam Cram
K8S Certifications - Exam CramK8S Certifications - Exam Cram
K8S Certifications - Exam Cram
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
 
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
 
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
 
Extract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling SlidesExtract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling Slides
 
Sept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling ExamplesSept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling Examples
 
DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security Brick
 
Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
 
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
 
August 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London GatheringAugust 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London Gathering
 
DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
 
The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret Dragons
 
DevSecOps March 2018 - Extract
DevSecOps March 2018 - ExtractDevSecOps March 2018 - Extract
DevSecOps March 2018 - Extract
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
 
Dynaminet -DevSecOps
Dynaminet -DevSecOpsDynaminet -DevSecOps
Dynaminet -DevSecOps
 

Kürzlich hochgeladen

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Kürzlich hochgeladen (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 

5 things i wish i knew about sast (DSO-LG July 2021)

  • 1. Top 5 things I wish I knew about SAST While using a standard Power Point Template
  • 2. Florin Coada That’s me 8-ish years in AppSec Games development degree Fluent in memes  PM for SAST tool (boooo!)
  • 3.
  • 4. 1. SAST doesn’t find vulnerabilities • Lack of context • Unknown user code • Mitigating factors Finding Issue The GREAT filter • internal policy • threat modelling • industry standards Vulnerability everything the tool finds stuff you care about stuff that will hurt you The human touch WHY?
  • 5. 1. SAST doesn’t find vulnerabilities • Enterprise customer • Too many issues • Mostly dealing with Java web Finding Issue The GREAT filter • Internal policy Vulnerability A few Thousand A few tens/hundreds A handfull Security Champion Story time
  • 6. 2. Not all applications are born equal “Secure applications do not exist” – me & others who tried How much you should care No. of apps Understand acceptable risk €£$
  • 7. 2. Not all applications are born equal “Secure applications do not exist” – me & others who tried How much you should care No. of apps Understand acceptable risk €£$
  • 8. 2. Not all applications are born equal “Secure applications do not exist” – me & others who tried 2.a – Shifting goes both ways Code Build Test Security Release “Shift left” – most marketing materials
  • 9. 2. Not all applications are born equal “Secure applications do not exist” – me & others who tried 2.a – Shifting goes both ways Story time ”ALL code must be scanned” If every developer scans their code All the code is scanned Deploy a SAST tool to all developer IDEs: - report metrics - cofirm scans happened - generate reports
  • 10. 3. Your code vs code you use S A S T S C A Static Application Security Testing Software Composition Aanalysis Dangerous patterns in your code Dangerous libraries used by your application
  • 11. Why not SCA: 3. Your code vs code you use Your code 3rd Party Code Infrastructure Code Application Code Why SAST: • Can explain context • Know the code • Have access to the code Why not SAST: • Extremely high amounts of code • No in depth code knowledge Containers & stuff App Dependencies • Doesn’t really exist for your own code Why SCA: • Faster than SAST • Information is specific to known vulnerabilities in libraries • Licensing information • Constantly updated by researchers Story time
  • 12. 4. Some effort up front goes a long way From this To this Vulnerabilities • Define the things you care about • Remove the ones you doubt about • Find your friends (security champions) • Educate & set expectations • Find out about policies & security frameworks
  • 13. 4. Some effort up front goes a long way Story time ”We want to automate our SAST” The tool can integrate with CI We’ll add a SAST step Tool was successfully deployed, but developers complained: - Too many findings - False possitives - Not enough time to review - No knowledge on the topics
  • 14. 5. Try it on your stuff 1. When should I test a SATS tool on a real app? 2. When should I make a decission based on a benchmark?
  • 15. Some other things Benchmarks: - Highest score: “If you ask us to scan this 1 application we're like super really good at it“ - Popular apps: It's never "out of the box” “Most accurate on the market”: only finds a few things There's always a cost
  • 16. Some other things CWE count != coverage or quality (Vulns can be represented by multiple CWEs. Just because a CWE is ticket it doesn't mean it will have the right rule for your scenario) The vendors are mean: but we do know the tool and we can help But… Avoid technology bias (eg. some vendors will overplay the importance of SCA vs the importance of SAST, etc) JavaScript sucks It really does!
  • 17. Quick recap 1. SAST doesn’t find vulnerabilities 2. Not all applications are born equal 3. Your code vs code you use 4. Some effort up front goes a long way 5. Try it on your stuff
  • 18. Questions I can’t promise any answes What’s the difference between a CVE and a CWE?