Vulnerability Scanning and Threat Modeling

Muhammad Hassan Saeed
4 min readSep 27, 2023


First, what is vulnerability scanning? Vulnerability scanning is the search for security vulnerabilities from within the code and from the outside of an application. Vulnerability scanners search in a variety of code languages such as C or C++, Java, Python, and PHP. Some common coding vulnerabilities to scan for include structured query language (or SQL) injection, cross-site scripting, and path traversal of files and directories in web applications.

Next, what are some guidelines for performing vulnerability scanning?

To develop a secure design, you need to base vulnerability scans on the specific platform configuration, the patch levels, or the application composition. For a web application, vulnerability scans may require access to user credentials to scan the flow of an application according to how users interact with the application. Vulnerability scans should span the entire application flow, across the whole application, the stack, and all supporting platforms.

Let’s look at some tools that are available for vulnerability scanning. Four of the most popular tools are Coverity, CodeSonar, Snyk Code, and Static Reviewer. They are examples of static application security testing (or SAST) tools. Coverity is an incremental analysis scanner for programming languages such as C, C++, Java, and Python. CodeSonar uses abstraction to model the code and find any weaknesses in paths and program variables. Snyk Code is an integrated development tool that performs semantic analysis to discover coding and security bugs throughout the development phase. And Static Reviewer eliminates well-known vulnerabilities. A component within the Security Reviewer suite, it is compliant with frameworks including the Open Web Application Security Project (or OWASP), Common Vulnerabilities and Exposures (or CVEs), and the National Institute of Standards and Technology (or NIST).

Now, what is threat modeling? Threat modeling is identifying, categorizing, and enumerating security threats.

Threat modeling provides a process to analyze ongoing threats and eliminate the potential for software coding weaknesses and vulnerabilities. Threat models use diagrams to represent data flows within software applications. Where does threat modeling belong in the software development lifecycle (or SDLC)? The best time is during the design phase. By developing threat models early, you can lessen the potential for software vulnerabilities and eliminate weaknesses in the application.

Three popular threat models that you can use are: Process for Attack Simulation and Threat Analysis (or PASTA), Visual, Agile, and Simple Threat (or VAST), and finally, STRIDE. PASTA is a risk-based model that connects to business objectives and technical requirements. VAST is an agile methodology with application threat models and operational threat models. VAST uses process-flow diagrams to represent the architectural perspective. And STRIDE gets its name from Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privileges. STRIDE, which came from Microsoft, evaluates applications and systems to find threats and vulnerabilities.

In this video, you learned that: Vulnerability scanning is the search for security vulnerabilities from within the code and from the outside of an application. Threat modeling is identifying, categorizing, and enumerating security threats. Vulnerability scans should span the entire application flow. And threat modeling early in the SDLC eliminates weaknesses in your application.
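To show how the STRIDE model is applied to the data-flow diagrams the article mentions, here is an added example (not code from the article or from Microsoft) that enumerates STRIDE threats per diagram element. The element-to-category mapping follows Microsoft's STRIDE-per-element guidance; the login-flow diagram, the trust-boundary flag, and the "audit logs also face repudiation" rule are assumptions constructed for this example.

```python
# Added example: STRIDE-per-element enumeration over a minimal data-flow
# diagram (DFD). The sample diagram and the priority rule are constructed.
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE categories that apply to each DFD element kind
# (after Microsoft's STRIDE-per-element table).
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",
    "data_flow": "TID",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    crosses_trust_boundary: bool = False  # e.g. browser -> server
    is_audit_log: bool = False            # log stores also face repudiation

def enumerate_threats(elements):
    """Return (element, letter, description, priority) for every applicable
    STRIDE category, so no category is silently skipped during review."""
    threats = []
    for el in elements:
        letters = APPLICABLE[el.kind] + ("R" if el.is_audit_log else "")
        priority = "high" if el.crosses_trust_boundary else "normal"
        for letter in letters:
            threats.append((el.name, letter, STRIDE[letter], priority))
    return threats

# Constructed sample: a login flow with one trust-boundary crossing.
LOGIN_DFD = [
    Element("Browser", "external_entity"),
    Element("HTTPS login request", "data_flow", crosses_trust_boundary=True),
    Element("Auth service", "process"),
    Element("User DB", "data_store"),
    Element("Audit log", "data_store", is_audit_log=True),
]

if __name__ == "__main__":
    for name, letter, desc, prio in enumerate_threats(LOGIN_DFD):
        print(f"[{prio:6}] {name:20} {letter}: {desc}")
```

Each printed row is one candidate threat to accept, mitigate, or mark as not applicable during the design review.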

Threat monitoring is scanning code repositories and containers to find security issues. Password mishandling, protocol insecurities, and incorrect permissions are examples of issues that you can discover with threat monitoring. Where does threat modeling belong in the software development lifecycle (or SDLC)? Actually, you integrate threat modeling in three stages of the SDLC. So, it takes place during the Develop stage, the Test stage, and the Deploy stage. Using code scanning in integrated development environments (or IDEs) and source control management (or SCM) tools supports the SDLC by integrating security checks from development to deployment. Code scanning tools reference databases that store security threats and vulnerabilities, such as the Open Web Application Security Project (or OWASP) Top 10.

To perform threat monitoring, you can use code checker tools. A code checker scans source code for any security issues and vulnerabilities and alerts you to coding problems. Code checkers analyze code to find issues in attributes like coding syntax, style, and documentation. Code checkers provide insights into where to fix issues in the code. So, using a code checker helps you develop secure code and improve quality in your application.

You can integrate threat monitoring into your code repositories. Because repositories are often collaborative and open source, they carry a significant risk of security threats and vulnerabilities. Integrating threat monitoring with code repositories enables code scanning of source code management tools such as GitHub. You can leverage code project monitoring that can generate automatic “fix” pull requests while scanning code repositories. Code scanners provide vulnerability reporting and insights after they scan code in your repositories. They also scan and test every pull request for security vulnerabilities. And you can sign commits with a public-key encryption or Pretty Good Privacy (PGP) key to verify that they come from trusted sources.

Another type of threat monitoring is container scanning, which is the process of scanning container images that contain code. Containers are packages of application code and their packaged library dependencies. Because containers have dependencies, they are exposed to security vulnerabilities from external sources. Container scanning scans code deployed to containers, which may contain vulnerabilities and security threats. Because container images are usually built from other container images that may have vulnerabilities, container scanning must include not only the base image but all other layered container images as well. Monitoring all container images helps reduce security risks.

Threat monitoring is scanning code repositories and containers to find security issues. Threat monitoring occurs in the Develop, Test, and Deploy stages of the SDLC. A code checker scans source code for security issues. And integrating threat monitoring with repositories enables code scanning with SCM tools.
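To make concrete how a code checker of the kind described above finds the SQL injection and path traversal weaknesses named at the start of the article, here is an added example (not code from the article or from any of the SAST products it lists). It is a minimal static checker built on Python's standard `ast` module; the rule names, the `_is_dynamic_string` heuristic, and the scanned snippet are all constructed for this example.

```python
# Added example: a minimal AST-based source-code checker. It flags SQL built
# from runtime strings passed to execute()/executemany(), and file paths built
# from runtime strings passed to open(). Heuristics and sample are constructed.
import ast

def _is_dynamic_string(node):
    """True when the expression builds a string at runtime:
    f-string, '%' formatting, '+' concatenation, or str.format()."""
    if isinstance(node, ast.JoinedStr):            # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False

def scan_source(source):
    """Return findings as (line, rule, message) tuples for the given source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        first = node.args[0]
        if name in ("execute", "executemany") and _is_dynamic_string(first):
            findings.append((node.lineno, "SQLI",
                             "SQL statement built from a runtime string; use query parameters"))
        if name == "open" and _is_dynamic_string(first):
            findings.append((node.lineno, "PATH",
                             "file path built at runtime; resolve it and check it stays under the base dir"))
    return findings

# Constructed sample with one insecure query, one parameterized query,
# and one concatenated file path.
SAMPLE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")   # flagged: SQLI
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))       # not flagged

def read_report(report):
    return open("/srv/reports/" + report).read()                      # flagged: PATH
'''

if __name__ == "__main__":
    for line, rule, msg in scan_source(SAMPLE):
        print(f"line {line}: {rule}: {msg}")
```

Real SAST tools add data-flow analysis so that only strings influenced by untrusted input are reported; this checker reports every runtime-built string, which keeps it simple at the cost of more findings to triage.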


Muhammad Hassan Saeed

Greetings! I'm a passionate AWS DevOps Engineer with hands-on experience with the majority of DevOps tools.