Preetham Nagesh

Category: Secure Coding

  • Innovating Cybersecurity: Developing an Open-Source SAST Platform for Effective Vulnerability Detection

    Introduction

    In the ever-evolving world of cybersecurity, staying one step ahead of potential threats is paramount, especially in sectors as sensitive as finance. I was bestowed with the opportunity to contribute to such efforts while working as a software engineer in the cybersecurity team of a financial organization. Our team was entrusted with the launch of a new service, focusing on source code vulnerability detection to identify and mitigate vulnerabilities early in the Software Development Life Cycle (SDLC).

    The Challenge: High Costs and Proprietary Limitations:

    Our initial approach involved using Checkmarx, a well-known proprietary tool designed to detect vulnerabilities in the source code. While effective, the costs associated with Checkmarx were substantial, prompting us to explore more economical and equally efficient alternatives. The goal was not just to curb expenditure but also to enhance our vulnerability detection capabilities by leveraging a multifaceted approach through open-source tools.

    Categorization of Vulnerabilities

    To address the diverse spectrum of potential risks effectively, we categorized source code vulnerabilities into:

    1. Secrets Embedded in Source Code: For instance, AWS keys.
    2. Vulnerable Dependencies: Like Apache Struts.
    3. Source Code Vulnerabilities: Such as SQL Injection (SQLI).

    This categorization helped streamline our search for suitable open-source tools, each to be tested for its effectiveness in its respective category.

    The Toolbox

    After extensive research and testing, we finalized the following tools for each category:

    • Secrets Detection: TruffleHog
    • Vulnerable Dependencies: Dependency Track
    • Source Code Vulnerabilities:
      • Bandit (Python)
      • SonarQube (Multiple Languages)
      • Semgrep
      • SpotBugs (Java)
      • KICS (Infrastructure as Code)

    Building the Platform

    With the tools in place, the next step was to automate the scanning process. I developed a web platform enabling cybersecurity analysts to input GitHub repositories and configure the scans. The platform, post-configuration, clones the repositories and creates multiple jobs in the job queue. Each job is associated with a worker that triggers the corresponding scans.

    One of the pivotal features of our SAST platform was the consolidation of scan results into a single database. The platform assimilated the results in a structured format, incorporating details like vulnerability ID, name, description, repository name, file name, and line number. This meticulous consolidation enabled analysts to generate comprehensive reports in predefined formats, facilitating subsequent analysis and response strategies.

    Conclusion

    The journey to build a fully open-source SAST platform was challenging yet immensely rewarding. It not only showcased the potential of open-source tools in providing quality results comparable to proprietary ones but also emphasized the importance of innovating cybersecurity practices. This project highlighted the significance of detecting vulnerabilities early in the SDLC, allowing for more secure and resilient software development, especially in sectors where security is non-negotiable, such as finance.

    The success of this project serves as a testament to the transformative power of combining diverse open-source tools and innovative solutions to elevate cybersecurity standards while keeping the costs in check. The hope is for more organizations to explore and embrace open-source solutions, fostering a collaborative and progressive approach to cybersecurity in the ever-evolving digital landscape.

  • Dependencies: A potential liability in your software security

    Dependencies: A potential liability in your software security

    Vulnerabilities in dependencies can be a silent threat to the security of your software. Dependencies are external libraries, frameworks, and other software components that your code relies on to function. They can be included in your codebase through package managers, or added manually. While they can save developers time and effort by providing pre-built functionality, they can also introduce security risks if not properly managed.

    When a vulnerability is discovered in a dependency, attackers can exploit it to gain access to your system, steal sensitive data, or perform other malicious actions. This is especially concerning when the dependency is widely used, as attackers can target multiple systems with the same exploit.

    One example of this is the recent vulnerability discovered in the popular JavaScript library, jQuery. The vulnerability, known as jQuery-XSS, allows attackers to inject malicious code into web pages that use the library. This vulnerability was present in versions of jQuery prior to 3.0.0 and affected thousands of websites that used the library.

    Another example is the event-stream incident where a dependency was compromised by an attacker and a malicious version of the package was published to npm (node package manager) which was later being used by multiple projects.

    To protect your software from vulnerabilities in dependencies, it is important to keep them up to date and to monitor for security updates. Many package managers, such as npm and pip, have built-in functionality for automatically updating dependencies. Additionally, using tools like Snyk, OWASP Dependency-Check, or WhiteSource can help you identify and fix vulnerabilities in your dependencies.

    It is also important to keep track of which dependencies are being used in your codebase and to review their security track record. This can be done by keeping a list of dependencies and their versions, and regularly checking for known vulnerabilities. Additionally, it is a good practice to avoid using dependencies with known vulnerabilities or with a poor security track record.

    In addition to these best practices, it is also important to keep a close eye on the supply chain and make sure that the source code and the libraries you use are from trusted sources.

    In conclusion, vulnerabilities in dependencies can be a silent threat to the security of your software. By keeping dependencies up to date, monitoring for security updates, and keeping track of which dependencies are being used in your codebase, you can protect your software from these potential vulnerabilities. It is important to stay vigilant and to not overlook the security of your dependencies, as they can make or break the security of your entire system.