Stage | Available Artifacts |
---|---|
Build | Source Code Byte Code Dependencies |
Docker build | Container Image |
Staging / Production | Container Image Configured Environment |
I believe the hard part of building software to be the specification, design, and testing of this conceptual construct, not the labor of representing it and testing the fidelity of the representation.
We still make syntax errors, to be sure; but they are fuzz compared with the conceptual errors in most systems.
If this is true, building software will always be hard. There is inherently no silver bullet.
(SAST)
https://depshield.github.io/
<entry id="CVE-2012-5055">
...
<vuln:vulnerable-software-list>
<vuln:product>cpe:/a:vmware:springsource_spring_security:3.1.2</vuln:product>
<vuln:product>cpe:/a:vmware:springsource_spring_security:2.0.4</vuln:product>
<vuln:product>cpe:/a:vmware:springsource_spring_security:3.0.1</vuln:product>
</vuln:vulnerable-software-list>
...
</entry>
cpe:/[Entry Type]:[Vendor]:[Product]:[Version]:[Revision]:…
<!-- org.springframework.security:spring-security-core:3.0.1.RELEASE -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.0.1.RELEASE</version>
</dependency>
https://ossindex.sonatype.org/
"So I personally consider security bugs to be just "normal bugs".
I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special." - Linus Torvalds, https://yarchive.net/comp/linux/security_bugs.html
https://www.veracode.com/
https://www.checkmarx.com/
https://www.microfocus.com/de-de/products/static-code-analysis-sast/overview
https://spotbugs.github.io/
https://find-sec-bugs.github.io/
http://layeredinsight.com/
https://github.com/coreos/clair/
https://docs.docker.com/ee/dtr/user/manage-images/scan-images-for-vulnerabilities/
(DAST)
http://www.zaproxy.org/
https://portswigger.net/burp
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project
Source: https://twitter.com/signalsciences/status/647533893617238016
Feedback: https://greach.contestia.es/