10. DAST, SCA
• Dynamic Application Security Testing (DAST)
• Dynamic application security testing (DAST) is a type of black-box security testing in which tests are performed by attacking an application from the outside.
• Pros
• #1 Technology independent
• #2 Low false positives
• #3 Identifies configuration issues
• Cons
• #1 Not highly scalable
• #2 No code visibility
• #3 Slow scans
11. IAST
• IAST is typically implemented by deploying agents and sensors in the application post build. The agent observes the application's operation and analyzes traffic flow to identify security vulnerabilities. It does this by mapping external signatures or patterns to source code, which allows it to identify more complex vulnerabilities.
• IAST test results are usually reported in real time via a web browser, dashboard, or customized report without adding extra time to the CI/CD pipeline. IAST results can also be fed into issue tracking tools.
Pros
• #1 Low number of false positives
• #2 Instant feedback
• #3 Highly scalable
Cons
• #1 Limited language coverage
• #2 Requires a mature test environment
• #3 Not widely adopted
12. Configuration Drift
• Configuration drift occurs whenever someone makes a change to the production environment without recording that change and without ensuring complete parity between staging and production. Although it is unintentional, it can end in unanticipated bugs and the resulting flurry of pleas for rapid incident response.
• Critical package updates are made at breakneck speed to address a security vulnerability or incident, and often ignore procedure in favor of speed.
• When testing servers, a developer may make a manual configuration change to better document or track a bug. That change may help define the issue, but if it is not reverted, it causes drift.
• Adding more resources to bolster server configuration can help systems cope with peak load times, but such additions are often unplanned or undocumented, eventually leading to configuration drift.
13. RASP
• RASP is a technology that runs on a server and kicks in when an application runs. It is designed to detect attacks on an application in real time.
14. Secret Management
• Credentials are often stored in config files
• Leakage of those files can result in abuse scenarios
• Secrets management allows you to tokenize the information so the config file carries only a reference, not the secret itself
15. Infrastructure as Code
• Infrastructure as code allows you to document and version control the infrastructure
• It also allows you to perform audits on the infrastructure
• Docker / K8s infrastructure relies on base images
• The environment is only as secure as its base images
• Base images need to be minimal in nature and need to be assessed to identify inherited vulnerabilities
16. Cloud Native approach to security
• Different service providers approach security differently
• All of them provide some of the ingredients in-house
• Irrespective of the cloud provider, some tools will need to be sourced:
• Static code analysis tool
• Dynamic code analysis tool
• Software composition analysis tool
• Vulnerability management tool
17. Terrascan
• Terrascan detects security vulnerabilities and compliance violations across your Infrastructure as Code, so that risks can be mitigated before cloud native infrastructure is provisioned. It runs locally or integrates with your CI/CD.
• Documentation: https://docs.accurics.com/projects/accurics-terrascan
• Discuss: https://community.accurics.com
Features
• 500+ policies for security best practices
• Scanning of Terraform (HCL2)
• Scanning of Kubernetes (JSON/YAML), Helm v3, and Kustomize v3
• Support for AWS, Azure, GCP, Kubernetes and GitHub
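As an added example, not taken from the slides or from Terrascan itself, a minimal policy-as-code check in the spirit of slides 15 and 17: it scans a Kubernetes manifest (JSON, one of the formats Terrascan accepts) for privileged containers, missing runAsNonRoot, and unpinned base images, and exits non-zero so a CI/CD stage can block provisioning. The sample manifest, policy names and severities are constructed assumptions.

```python
import json
import sys

# Constructed sample Kubernetes Deployment manifest (not from the slides).
# The first container carries misconfigurations a scanner should flag.
SAMPLE_MANIFEST = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "app", "image": "example/app:latest",
    "securityContext": {"privileged": true}},
   {"name": "sidecar", "image": "example/proxy:1.4.2",
    "securityContext": {"runAsNonRoot": true}}]}}}}
""")

def iter_containers(manifest):
    """Yield containers from a Pod or from a workload carrying a pod template."""
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    yield from pod_spec.get("containers", []) + pod_spec.get("initContainers", [])

def image_is_pinned(image):
    """True when the image is pinned by digest or by a non-floating tag."""
    if "@sha256:" in image:
        return True
    _name, sep, tag = image.rpartition(":")
    # No ':' at all (untagged), a ':' that belongs to a registry port, or
    # ':latest' all mean the base image can silently change between builds.
    return bool(sep) and "/" not in tag and tag != "latest"

def scan_manifest(manifest):
    """Return (severity, policy, location) tuples for every policy violation."""
    findings = []
    kind = manifest.get("kind", "?")
    name = manifest.get("metadata", {}).get("name", "?")
    for c in iter_containers(manifest):
        where = f"{kind}/{name} container={c.get('name', '?')}"
        sc = c.get("securityContext", {})  # container-level context only
        if sc.get("privileged"):
            findings.append(("HIGH", "container runs privileged", where))
        if not sc.get("runAsNonRoot"):
            findings.append(("MEDIUM", "runAsNonRoot not enforced", where))
        if not image_is_pinned(c.get("image", "")):
            findings.append(("MEDIUM", "base image tag not pinned", where))
    return findings

if __name__ == "__main__":
    # Usage: python scan.py manifest.json (defaults to the constructed sample).
    manifest = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_MANIFEST
    results = scan_manifest(manifest)
    for severity, policy, where in results:
        print(f"[{severity}] {policy}: {where}")
    # Non-zero exit lets a CI/CD stage block provisioning on any finding.
    sys.exit(1 if results else 0)
```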
• Accurics Discord server! Join the community: https://discord.gg/G6EyMg4kCP