A lot is changing due to assistive AI and agentic workflows, clearly affecting the state of Cybersecurity and AppSec. Today it is a real effort to find a tool without AI enhancements, even if that is done just to keep it relevant. Would you buy a tool without an AI assistant today?
Dynamic Application Security Testing (DAST) is a method to test a snapshot of your application for security issues. It differs from static code analysis in that it focuses on functionality, that is, how your application reacts to different input sent by the tool used to perform DAST. By definition it is an automated process performed by a tool that you point at your API or web interface. The tool then has payloads that are used during the test, and depending on the application's responses it can identify potential issues.
Every developer understands the critical role of comprehensive error logging. Having detailed logs is invaluable during an operational incident, enabling you to swiftly identify and address the source of issues. This principle holds true for security as well.
Let's imagine you are in the situation where you have secured budget to buy tools that analyze the security of your code base. Most probably you will look for a Static Application Security Testing (SAST) solution to scan source code and a Software Composition Analysis (SCA) tool, to create your SBOMs and analyze security/licenses of open-source dependencies.
In this series of blog posts I am aiming to share my view on how to start your own security champions program. This is by no means a step by step guide, but rather an attempt to share my own experiences and lessons with the world.
A common scenario when integrating security in development activities, such as SAST scans covered in my previous blog post, is to create a reusable template that can be referenced from pipelines.
If you are new to templates I suggest you take a look at this article from Microsoft before reading further.
In this blog post we will explore how to create a basic reusable Azure DevOps template to automate code analysis, using a popular SAST tool from Veracode. You would ideally want all development teams to have a way to enable SAST scans with minimum configuration, so that they focus their efforts on remediation instead of configuring tooling in their pipelines. That is where Azure DevOps pipeline templates come in handy, as they cover the reusability part and thus make it a bit easier for developers.
In February 2023 Sweden suffered a series of Distributed Denial-of-Service (DDoS) attacks and several Swedish websites were knocked down. A DoS is a type of attack in which the attacker makes victim services unavailable, usually by sending a large number of malicious requests. The number of incoming requests becomes so high that legitimate requests end up not being handled by the victim's services, hence the denial of service. DoS is also usually distributed, in the sense that multiple bots (or zombies) and attacker-controlled machines take part in the attack to increase the probability of success. For reference, Cloudflare stated that it stopped a DDoS peaking at 71 million requests per second in February 2023!
Dependabot is the way GitHub alerts you about security vulnerabilities in open source dependencies. The GitHub Advisory Database is where Dependabot draws its knowledge from, meaning it is the database used by Dependabot to identify vulnerabilities in dependencies.
This blog post describes how to collect information from a popular DAST platform, create a simple report and share it with development teams using a popular collaboration platform like Slack.