vulnerability-scanning
Installation
SKILL.md
Vulnerability Scanning
Static Application Security Testing (SAST)
SAST Overview
SAST analyzes source code, bytecode, or binaries without executing the application to identify security vulnerabilities.
SAST Techniques
- Pattern Matching: Match code against known vulnerability patterns
- Data Flow Analysis: Track data flow through the application to identify tainted data
- Control Flow Analysis: Analyze execution paths to identify potential issues
- Taint Analysis: Track user input through the application to identify injection points
- Semantic Analysis: Understand code semantics to identify complex vulnerabilities
Common SAST Vulnerabilities
- Injection Flaws: SQL injection, command injection, LDAP injection
- Cross-Site Scripting (XSS): Reflected, stored, and DOM-based XSS
- Authentication Issues: Weak authentication, session management flaws
- Authorization Issues: Broken access controls, privilege escalation
- Cryptographic Issues: Weak algorithms, improper key management
- Input Validation: Missing or insufficient input validation
- Error Handling: Information leakage through error messages
SAST Tools
- SonarQube: Code quality and security analysis with extensive rule sets
- Checkmarx: Enterprise SAST solution with deep code analysis
- Fortify Static Code Analyzer: Comprehensive SAST from Micro Focus
- Semgrep: Fast, open-source static analysis with custom rules
- CodeQL: Semantic code analysis from GitHub
- Bandit: Python security linter
- ESLint: JavaScript security plugins (eslint-plugin-security)
- SpotBugs: Java static analysis with security rules
Dynamic Application Security Testing (DAST)
DAST Overview
DAST analyzes running applications to identify security vulnerabilities through external testing.
DAST Techniques
- Crawling and Spidering: Discover application endpoints and functionality
- Fuzzing: Send malformed or unexpected input to identify vulnerabilities
- Authentication Testing: Test authentication mechanisms for weaknesses
- Session Management: Analyze session handling for security issues
- Input Validation: Test input fields for injection vulnerabilities
- Business Logic: Test business logic flaws and authorization bypasses
Common DAST Vulnerabilities
- Injection Attacks: SQL injection, command injection, XSS
- Authentication Flaws: Weak passwords, session fixation
- Authorization Issues: IDOR, privilege escalation
- Session Management: Session hijacking, fixation
- Cryptographic Issues: Weak SSL/TLS, insecure cookies
- Information Disclosure: Sensitive data in responses, error messages
DAST Tools
- OWASP ZAP: Free, open-source web application security scanner
- Burp Suite: Comprehensive web security testing platform
- AppScan: Enterprise DAST solution from IBM
- Nessus: Vulnerability scanner with web application testing
- Arachni: Open-source web application security scanner
- SQLMap: Automated SQL injection tool
- Nikto: Web server scanner
Software Composition Analysis (SCA)
SCA Overview
SCA identifies and analyzes third-party components and dependencies for known vulnerabilities.
SCA Techniques
- Dependency Analysis: Identify all direct and transitive dependencies
- Vulnerability Matching: Match dependencies against vulnerability databases
- License Compliance: Check for license compliance issues
- Version Analysis: Track dependency versions and updates
- Risk Scoring: Assess risk based on vulnerability severity and usage
SCA Vulnerability Databases
- NVD (National Vulnerability Database): US government vulnerability database
- CVE (Common Vulnerabilities and Exposures): Standardized vulnerability identifiers
- GitHub Advisory Database: GitHub's vulnerability database
- Snyk Vulnerability Database: Snyk's curated vulnerability database
- OSS Index: Sonatype's open-source vulnerability database
SCA Tools
- Snyk: Developer-first security platform with SCA, SAST, and container scanning
- Trivy: Comprehensive vulnerability scanner for containers, files, and dependencies
- Dependabot: GitHub's automated dependency updates and vulnerability alerts
- WhiteSource: Enterprise SCA with comprehensive vulnerability database
- Black Duck: Enterprise SCA with license compliance
- OWASP Dependency-Check: Open-source SCA tool
- npm audit: Node.js package manager's built-in SCA
- pip-audit: Python package manager's security audit tool
Container Security Scanning
Container Vulnerabilities
- Base Image Vulnerabilities: Vulnerabilities in the base OS image
- Application Dependencies: Vulnerabilities in application dependencies
- Configuration Issues: Insecure container configurations
- Secrets in Images: Hardcoded secrets or credentials
- Outdated Packages: Outdated packages with known vulnerabilities
Container Scanning Tools
- Trivy: Comprehensive vulnerability scanner for containers
- Clair: Open-source vulnerability static analysis for containers
- Anchore: Container inspection and vulnerability analysis
- Aqua Security: Enterprise container security platform
- Twistlock: Container security from Prisma Cloud
- Docker Scout: Docker's built-in vulnerability scanner
- Grype: Vulnerability scanner for container images
Container Security Best Practices
- Use Minimal Base Images: Use minimal base images like Alpine or distroless
- Scan Images: Scan images at build time and runtime
- Patch Regularly: Keep base images and dependencies updated
- Scan Dependencies: Include SCA for application dependencies
- Run as Non-Root: Run containers as non-root users
- Read-Only Filesystems: Use read-only filesystems where possible
- Resource Limits: Set resource limits to prevent DoS
Dependency Vulnerability Management
Dependency Management Strategies
- Regular Updates: Regularly update dependencies to latest secure versions
- Automated Scanning: Integrate SCA into CI/CD pipelines
- Vulnerability Alerts: Set up alerts for new vulnerabilities
- Version Pinning: Pin specific versions to prevent unexpected updates
- Lock Files: Use lock files to ensure reproducible builds
- Supply Chain Security: Verify package integrity and provenance
SBOM (Software Bill of Materials)
- What is SBOM: Formal inventory of software components and dependencies
- SBOM Formats: SPDX, CycloneDX, SWID tags
- SBOM Benefits: Vulnerability tracking, license compliance, supply chain security
- SBOM Tools: Syft, Trivy, Microsoft SBOM Tool, CycloneDX tools
Supply Chain Security
- Package Integrity: Verify package signatures and checksums
- Provenance: Track package origin and build process
- Signed Artifacts: Use signed packages and container images
- Dependency Pinning: Pin to specific verified versions
- Private Registries: Use private registries for sensitive packages
- Reproducible Builds: Ensure builds are reproducible and verifiable
Common Vulnerability Tools
Snyk
- Features: SCA, SAST, container scanning, IaC scanning
- Integration: CI/CD, IDEs, package managers, registries
- Languages: JavaScript, Python, Java, Go, Ruby, PHP, .NET
- Use Cases: Developer-first security, automated scanning, remediation
Trivy
- Features: Container scanning, file scanning, dependency scanning
- Integration: CI/CD, container registries, Kubernetes
- Languages: Supports multiple languages and package managers
- Use Cases: DevSecOps, container security, infrastructure scanning
OWASP ZAP
- Features: Automated and manual web application security testing
- Integration: CI/CD, browsers, proxies
- Capabilities: Spidering, scanning, fuzzing, authentication testing
- Use Cases: DAST, web application security, penetration testing
SonarQube
- Features: Code quality, security analysis, technical debt tracking
- Integration: CI/CD, IDEs, build tools
- Languages: 25+ programming languages
- Use Cases: Code quality, security, technical debt management
Grype
- Features: Container image and filesystem vulnerability scanning
- Integration: CI/CD, container registries
- Vulnerability Database: Uses Grype vulnerability database
- Use Cases: Container security, DevSecOps pipelines
Vulnerability Scanning Best Practices
Scanning Strategy
- Shift Left: Scan early and often in the development lifecycle
- Automate: Integrate scanning into CI/CD pipelines
- Multiple Tools: Use multiple tools for comprehensive coverage
- Regular Scans: Schedule regular scans for production systems
- False Positive Management: Establish process for managing false positives
- Prioritization: Prioritize vulnerabilities based on risk and exploitability
Remediation Process
- Triage: Categorize vulnerabilities by severity and risk
- Prioritize: Prioritize based on CVSS score, exploitability, and business impact
- Remediate: Fix vulnerabilities or apply mitigations
- Verify: Verify that remediation was successful
- Monitor: Monitor for new vulnerabilities
- Report: Report on vulnerability status and trends
Related skills
More from davincidreams/agent-team-plugins
blender
Blender interface, workflows, and 3D production pipeline
220rigging
Rigging fundamentals, skeleton setup, and animation controls
16animation
Animation principles, techniques, and best practices for 3D animation
13vroid
Vroid Studio, VRM format, and VTuber avatar creation
10technical-writing
Technical writing principles and best practices for creating clear, accurate documentation
9unreal
Unreal Engine patterns, Actor/Component model, Blueprints vs C++, and best practices
8