Table of Content

1. Web Security
2. Cryptography
3. Authentication
4. API
5. Cross-site scripting (XSS)
6. SQL Injections
7. Content Security Policy
8. Same-Origin Policy
9. XPATH Injection
10. HTTP Security
11. Unicode Normalisation Vulnerability

• Typosquatting

Minimum Viable Security (MVS):

• Start early
• Shift-left
• Iterative work

Security Categories:

1. Secret Detection: Your data

   • To detect secrets in various formats:

     • Passwords
     • Access keys
     • API tokens
     • Credit card numbers

   • Secret detection can prevent fraudulent use of credentials that were committed accidentally

   • Tools:

     • gitleaks by Zachary Rice
     • git-secrets by AWS
     • detect-secrets by Yelp

2. Dependency Check (SCA): Your libraries

   • To detect open source components with known vulnerabilities

   • Tools for Python:

     • OWASP dependency-check
     • Safety by Pyup.io
     • Jake by Sonatype

3. Infrastructure Misconfiguration: Your infrastructure

   • To detect security misconfigurations in your infrastructure-as-code, before they reach the cloud

     • Missing encryption
     • Broad Permissions
     • No logging
     • Default Port

   • Tools:

     • KICS by Checkmarx
     • TFSEC by Aqua Security
     • checkov by Bridgecrew (Palo Alto)

4. Container Scanning: Your packaging

   • To detect vulnerabilities and configuration issues in container images

   • Tools:

     • Trivy by Aqua Security
     • Clair by Quay.io
     • Anchore

5. Runtime Scanning: Your runtime

   • To detect vulnerabilities in web applications (and API) while they are running

   • DAST (Dynamic Application Security Testing)

   • Tools:

     • ZAP by OWASP
     • Nikto
     • Arachni

-5 Security Tools All Developers Should Know About

• Example project

• JIT - Security Platform

XPATH Injection

Static Analysis Security Testing (SAST)

Static Code Analysis

1. What is Static Code Analysis?

   • Predicting defects in code without running it

2. How Static Code Analysis tools work?

   • At the core of most popular static analysis libraries is the concept of an Abstract Syntax Tree, or AST for short. An AST is a representation of source code as a tree structure: each source file is a root node, and root-level constructs declared in the file are child nodes of that node. Those child nodes can each have child nodes within them

3. Some of the Static Code Analyses are:

   • There are many Static Code Analyses for different languages

   • As JavaScript is a dynamically typed language, we can use ESLint (linter) and Prettier (formatter) to catch most of the errors

   • Flow from Facebook is a Static type checker. It can be used alongside linters and formatters to catch more bugs

   • TypeScript extends JavaScript by adding types

   • Checkmarx, JFROG XRAY are some of the other tools

4. What are the other techniques to find bugs?

   • Code Coverage Tools - Code coverage provides information about whether, and optionally how often certain parts of an application have been executed. It's commonly used to determine how thoroughly a test suite exercises a particular codebase. JestJS is a testing framework for JavaScript with code coverage

   • Software Composition Analysis - Identify Vulnerabilities In Open Source Libraries used as dependencies in the project. RetireJS is one such tool for JavaScript

Software Composition Analysis (SCA)

• Artifactory X-ray
• SonarCube
• Snyk

References

• Different Vulnerability Payloads

• OWASP API Security

• CheatSheet

• Stanford - CS 253 Web Security

• Insecure apps for testing:

  • Juice Shop
  • WebGoat: A Java based deliberately insecure application and companion app WebWolf

Books:

• The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws (ISBN-13: 978-1118026472) (2011)

• Alice and Bob Learn Application Security by Tanya Janca (ISBN-13: 978-1119687351) (2020)