TL;DR
Before software goes into a repository (repo), it needs several security checks to find and fix problems. These include code review, static analysis, dynamic testing, software composition analysis, dependency checking, penetration testing, and verifying compliance with security standards. This guide explains each step.
Security Checks: A Step-by-Step Guide
- Code Review
    - What it is: Experienced developers examine the code for errors, bugs, and potential security flaws (such as SQL injection or cross-site scripting).
    - How it works: Usually done through GitHub pull requests or GitLab merge requests. Reviewers comment on issues directly in the code.
    - Tools: GitHub, GitLab, Bitbucket, Crucible
- Static Application Security Testing (SAST)
    - What it is: SAST tools analyze the source code *without* running it. They look for patterns that indicate security vulnerabilities.
    - How it works: The tool scans the codebase and reports potential issues, such as buffer overflows or insecure API usage.
    - Tools: SonarQube, Checkmarx, Veracode, Fortify
    - Example (SonarQube): Run a scan from the command line:

      ```shell
      sonar-scanner
      ```

- Dynamic Application Security Testing (DAST)
    - What it is: DAST tools test the running application for vulnerabilities. They simulate attacks to see how the software responds.
    - How it works: The tool sends various inputs to the application and monitors its behaviour. It identifies issues such as cross-site scripting, SQL injection, and authentication problems.
    - Tools: OWASP ZAP, Burp Suite, Acunetix
- Software Composition Analysis (SCA)
    - What it is: SCA tools identify the open-source components used in your software and check for known vulnerabilities in those components.
    - How it works: The tool creates a bill of materials (BOM) listing all dependencies, then compares them against vulnerability databases.
    - Tools: Snyk, WhiteSource, Black Duck Hub
    - Example (Snyk): Scan your project:

      ```shell
      snyk test
      ```

- Dependency Checking
    - What it is: Similar to SCA, but usually focused on a specific package manager. Ensures dependencies are up to date and have no known security issues.
    - How it works: Tools check the package versions you use against public advisory databases for vulnerable versions.
    - Tools: npm audit (for Node.js), pipenv check (for Python), Maven Dependency Plugin (for Java)
    - Example (npm): Run an audit:

      ```shell
      npm audit
      ```

- Penetration Testing (Pentest)
    - What it is: Security experts attempt to break into the application to find vulnerabilities. This simulates a real-world attack.
    - How it works: Pentests can be black box (testers have no prior knowledge of the system), grey box (some knowledge), or white box (full access, including source code).
    - Tools: Metasploit, Nmap, Wireshark
- Security Standards Compliance
    - What it is: Ensuring the software meets relevant security standards and regulations (e.g., GDPR, PCI DSS).
    - How it works: Checklists, audits, and documentation are used to verify compliance.
    - Standards: OWASP Top 10, NIST Cybersecurity Framework, ISO 27001
After these checks, any identified vulnerabilities should be fixed before the software is approved for inclusion in a repository. Regular re-testing is also important, because new vulnerabilities are disclosed in existing dependencies over time.
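The dependency-checking step above and the rule that findings must be fixed before approval can be tied together as a merge gate. This added example (not code from the original guide) parses the JSON report that `npm audit --json` produces and blocks the merge when any finding is at or above a chosen severity; the sample report is constructed, and the severity names and the `metadata.vulnerabilities` layout are those npm uses in its report.

```python
"""Merge gate over `npm audit --json` output (added example)."""
import json
import subprocess
from typing import Dict, Tuple

# npm audit's severity levels, lowest to highest.
SEVERITY_ORDER = ("info", "low", "moderate", "high", "critical")


def parse_audit_counts(report_json: str) -> Dict[str, int]:
    """Extract per-severity finding counts from an npm audit JSON report.

    Both the npm 6 and npm 7+ report formats keep the totals under
    metadata.vulnerabilities, so one parser covers both.
    """
    report = json.loads(report_json)
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    return {sev: int(counts.get(sev, 0)) for sev in SEVERITY_ORDER}


def audit_gate(report_json: str, fail_at: str = "high") -> Tuple[bool, Dict[str, int]]:
    """Return (passed, counts); fails when any finding is at or above fail_at."""
    if fail_at not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity threshold: {fail_at}")
    counts = parse_audit_counts(report_json)
    blocking = SEVERITY_ORDER[SEVERITY_ORDER.index(fail_at):]
    passed = all(counts[sev] == 0 for sev in blocking)
    return passed, counts


def run_npm_audit() -> str:
    """Run `npm audit --json` in the current directory and return the raw report.

    npm audit exits non-zero whenever it finds anything, so the exit code is
    deliberately ignored here; the gate decides from the parsed severities.
    """
    result = subprocess.run(["npm", "audit", "--json"], capture_output=True, text=True)
    return result.stdout


# Constructed sample report in npm's metadata.vulnerabilities shape; not real scan output.
SAMPLE_REPORT = json.dumps({
    "metadata": {"vulnerabilities": {"info": 0, "low": 2, "moderate": 1,
                                     "high": 1, "critical": 0, "total": 4}}
})

if __name__ == "__main__":
    ok, found = audit_gate(SAMPLE_REPORT, fail_at="high")
    print("counts:", found)
    print("merge allowed" if ok else "merge blocked: fix high/critical findings first")
```

In CI, replace `SAMPLE_REPORT` with `run_npm_audit()` and exit non-zero when the gate fails; lower `fail_at` once the backlog of moderate findings is cleared.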

