
Introduction
In the ever-evolving world of cybersecurity, staying one step ahead of potential threats is paramount, especially in sectors as sensitive as finance. I was given the opportunity to contribute to such efforts while working as a software engineer in the cybersecurity team of a financial organization. Our team was entrusted with the launch of a new service focused on source code vulnerability detection, to identify and mitigate vulnerabilities early in the Software Development Life Cycle (SDLC).
The Challenge: High Costs and Proprietary Limitations
Our initial approach involved using Checkmarx, a well-known proprietary tool designed to detect vulnerabilities in the source code. While effective, the costs associated with Checkmarx were substantial, prompting us to explore more economical and equally efficient alternatives. The goal was not just to curb expenditure but also to enhance our vulnerability detection capabilities by leveraging a multifaceted approach through open-source tools.
Categorization of Vulnerabilities
To address the diverse spectrum of potential risks effectively, we categorized source code vulnerabilities into:
- Secrets Embedded in Source Code: For instance, AWS keys.
- Vulnerable Dependencies: Like Apache Struts.
- Source Code Vulnerabilities: Such as SQL Injection (SQLI).
This categorization helped streamline our search for suitable open-source tools, each to be tested for its effectiveness in its respective category.
The Toolbox
After extensive research and testing, we finalized the following tools for each category:
- Secrets Detection: TruffleHog
- Vulnerable Dependencies: Dependency Track
- Source Code Vulnerabilities:
  - Bandit (Python)
  - SonarQube (Multiple Languages)
  - Semgrep
  - SpotBugs (Java)
  - KICS (Infrastructure as Code)
Building the Platform
With the tools in place, the next step was to automate the scanning process. I developed a web platform enabling cybersecurity analysts to input GitHub repositories and configure the scans. Once configured, the platform clones the repositories and creates multiple jobs in the job queue. Each job is associated with a worker that triggers the corresponding scans.
One of the pivotal features of our SAST platform was the consolidation of scan results into a single database. The platform assimilated the results in a structured format, incorporating details like vulnerability ID, name, description, repository name, file name, and line number. This meticulous consolidation enabled analysts to generate comprehensive reports in predefined formats, facilitating subsequent analysis and response strategies.
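To make the consolidation step concrete, here is an added Python example (not code from the platform described above) that maps the JSON reports of two of the scanners, Bandit and Semgrep, into the common record the post lists (vulnerability ID, name, description, repository name, file name, line number) and loads them into a single SQLite table. The sample reports are constructed, and their field names follow the shape of each tool's JSON output as I know it, which is an assumption of this example; the repository name is a placeholder.

```python
import json
import sqlite3
from dataclasses import dataclass, astuple

# Constructed sample reports. Their shape mirrors the JSON that Bandit and
# Semgrep emit (an assumption of this added example, not taken from the post).
BANDIT_JSON = json.dumps({"results": [
    {"test_id": "B608", "test_name": "hardcoded_sql_expressions",
     "issue_text": "Possible SQL injection vector through string-based query construction.",
     "filename": "app/db.py", "line_number": 42}]})
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.formatted-sql-query",
     "path": "app/db.py", "start": {"line": 42},
     "extra": {"message": "Detected possible formatted SQL query."}}]})

@dataclass(frozen=True)
class Finding:          # the unified record every scanner is normalised into
    tool: str
    vuln_id: str
    name: str
    description: str
    repository: str
    file_name: str
    line_number: int

def normalize_bandit(raw: str, repository: str) -> list[Finding]:
    return [Finding("bandit", r["test_id"], r["test_name"], r["issue_text"],
                    repository, r["filename"], int(r["line_number"]))
            for r in json.loads(raw).get("results", [])]

def normalize_semgrep(raw: str, repository: str) -> list[Finding]:
    # Semgrep has no separate short name; use the last segment of the rule id.
    return [Finding("semgrep", r["check_id"], r["check_id"].rsplit(".", 1)[-1],
                    r["extra"]["message"], repository, r["path"], int(r["start"]["line"]))
            for r in json.loads(raw).get("results", [])]

def consolidate(findings: list[Finding]) -> sqlite3.Connection:
    """Load normalised findings into one table; the key rejects exact re-scan duplicates."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE findings (tool TEXT, vuln_id TEXT, name TEXT, description TEXT,
                  repository TEXT, file_name TEXT, line_number INTEGER,
                  PRIMARY KEY (tool, vuln_id, repository, file_name, line_number))""")
    db.executemany("INSERT OR IGNORE INTO findings VALUES (?,?,?,?,?,?,?)",
                   [astuple(f) for f in findings])
    db.commit()
    return db

def report_by_location(db: sqlite3.Connection) -> list[tuple]:
    """Analyst view: one row per repository/file/line, listing every tool that flagged it."""
    return db.execute("""SELECT repository, file_name, line_number,
                                GROUP_CONCAT(tool || ':' || vuln_id, ', ')
                         FROM findings GROUP BY 1, 2, 3 ORDER BY 1, 2, 3""").fetchall()
```

Grouping by location is what lets an analyst see at a glance that two independent scanners agree on the same line, which is a useful signal when triaging a large backlog.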
Conclusion
The journey to build a fully open-source SAST platform was challenging yet immensely rewarding. It not only showcased the potential of open-source tools in providing quality results comparable to proprietary ones but also emphasized the importance of innovating cybersecurity practices. This project highlighted the significance of detecting vulnerabilities early in the SDLC, allowing for more secure and resilient software development, especially in sectors where security is non-negotiable, such as finance.
The success of this project serves as a testament to the transformative power of combining diverse open-source tools and innovative solutions to elevate cybersecurity standards while keeping the costs in check. The hope is for more organizations to explore and embrace open-source solutions, fostering a collaborative and progressive approach to cybersecurity in the ever-evolving digital landscape.