Open Source Supply Chain Security Testing
THIS IS A PLACEHOLDER
- EU Cyber Resilience Act
- https://www.congress.gov/bill/117th-congress/senate-bill/4913
- https://openssf.org/blog/2022/09/27/the-united-states-securing-open-source-software-act-what-you-need-to-know/ (govt sector)
- find the UK act that also does this.
tbd: break into incoming and outgoing
include:
- Vulnerability Testing
- keeping dependencies up-to-date https://openssf.org/resources/guides/
KPIs around dependencies?
code reviews (GGI)
Security testing is a broad term that encompasses various techniques for evaluating the security of software systems and applications. The main types of security testing include:
- Software Composition Analysis (SCA) or Vulnerability Scanning: Vulnerability scanning automatically searches software systems and applications for known, already-catalogued security weaknesses. It surfaces potential security risks quickly, but it can only find what is already known and does not guarantee that all vulnerabilities have been found.
- Static Application Security Testing (SAST): SAST involves analyzing the source code of an application for potential security vulnerabilities without executing the code. This type of testing can help identify potential security risks early in the development process, before the code is deployed.
- Dynamic Application Security Testing (DAST): DAST involves executing the code of an application and examining its behavior for potential security vulnerabilities. This type of testing can help identify potential security risks that may not be apparent from examining the code alone.
- Penetration Testing: Penetration testing involves attempting to actively exploit vulnerabilities in a software system or application to determine its security weaknesses. This type of testing is usually conducted by security experts who use manual and automated techniques to simulate real-world attacks.
- Web Application Security Testing: Web application security testing focuses on identifying security vulnerabilities in web applications, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
- Infrastructure Security Testing: Infrastructure security testing involves evaluating the security of the underlying infrastructure that supports a software system or application, such as networks, servers, and databases.
- Mobile Application Security Testing: Mobile application security testing focuses on identifying security vulnerabilities in mobile applications, such as those running on iOS or Android platforms.
Software Composition Analysis
According to https://en.wikipedia.org/wiki/Software_Composition_Analysis:
Software Composition Analysis (SCA) is a practice in the fields of information technology and software engineering for analyzing custom-built software applications to detect embedded open-source software and detect whether it is up to date, contains security flaws, or has licensing requirements.
Many SCA tools produce SBOMs which can then be checked for vulnerabilities. A long list is provided here: https://todogroup.org/guides/management-tools/#tools-for-managing-source-code
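As an added example (not code from this page or from any of the tools it lists), the check described above in miniature: a constructed, simplified CycloneDX-style SBOM is matched against a constructed advisory list and constructed registry "latest version" data, flagging the three things the SCA definition names: known flaws, out-of-date components, and licenses that need review. All component names, versions and advisory ids are placeholders, and the advisory record layout (introduced/fixed) is an assumption, not a real feed schema.

```python
import json

# Constructed CycloneDX-style SBOM (simplified; not from any real project).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "example-logger", "version": "2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "example-parser", "version": "1.3.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "example-utils", "version": "4.0.2",
     "licenses": [{"license": {"id": "MIT"}}]}
  ]
}"""
# Constructed advisory feed with placeholder ids; affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "example-logger",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "EXAMPLE-ADV-0002", "name": "example-parser",
     "introduced": "1.0.0", "fixed": "1.2.0"},
]
# Constructed "latest published version" data, as a package registry would report it.
LATEST = {"example-logger": "2.17.0", "example-parser": "1.3.0", "example-utils": "4.0.2"}
# SPDX identifiers of licenses whose obligations need a reviewer's attention.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

def parse_version(v):
    """Dotted numeric versions only; pre-release tags are not handled here."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version, advisory):
    """True when version lies in the advisory's half-open affected range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def check_sbom(sbom_json, advisories, latest):
    """Map each SBOM component to its known flaws, staleness and license flags."""
    findings = {}
    for comp in json.loads(sbom_json)["components"]:
        name, version = comp["name"], comp["version"]
        licenses = [entry["license"]["id"] for entry in comp.get("licenses", [])]
        findings[name] = {
            "version": version,
            "vulnerabilities": [a["id"] for a in advisories
                                if a["name"] == name and is_affected(version, a)],
            "outdated": name in latest and parse_version(latest[name]) > parse_version(version),
            "license_review": [lic for lic in licenses if lic in COPYLEFT],
        }
    return findings
```

Real advisory feeds express affected ranges per ecosystem with their own version semantics, so the plain numeric tuple comparison here is the piece a production SCA tool replaces first.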
Static Application Security Testing
See: https://snyk.io/learn/application-security/static-application-security-testing/
SAST, or Static Application Security Testing, is a type of software security testing that analyzes the source code of an application for potential security vulnerabilities without executing the code. Widely used SAST tools include:
- Checkmarx: Checkmarx is a commercial SAST tool that provides a comprehensive solution for finding security vulnerabilities in source code. It supports a wide range of programming languages and provides detailed analysis of potential security issues.
- Veracode: Veracode is a commercial SAST tool that provides a cloud-based solution for finding security vulnerabilities in source code. It integrates with a variety of development tools and provides a range of reporting and remediation options.
- SonarQube: SonarQube is an open source platform for continuous inspection of code quality and security. It provides a range of tools for code analysis, including SAST capabilities, and supports a wide range of programming languages.
- Fortify: Fortify is a commercial SAST tool that provides a comprehensive solution for finding security vulnerabilities in source code. It supports a wide range of programming languages and provides detailed analysis of potential security issues.
- Coverity: Coverity is a commercial SAST tool that provides a comprehensive solution for finding security vulnerabilities in source code. It supports a wide range of programming languages and provides detailed analysis of potential security issues.
tbd.
Dynamic Application Security Testing
tbd.