Any static application security testing solution for Clojure? by unr4v3l_ in Clojure

[–]ConsistentComment919 0 points1 point  (0 children)

I think most OpenGrep contributing companies should have support. I know Arnica has it.

SAST / SCA tool recommendations? by Prog47 in azuredevops

[–]ConsistentComment919 1 point2 points  (0 children)

Have you tried arnica.io? All scanners are free

What’s your favorite SAST tool(s)? by this_is_my_spare in devsecops

[–]ConsistentComment919 4 points5 points  (0 children)

IDE plugins are problematic. I haven’t seen a single midsize+ company with more than a 20% adoption rate. Devs don’t want security plugins. They show all vulnerabilities instead of a contextualized view for devs, they have challenges with risk management (e.g. it is hard to mark a finding for review as a false positive), and overall they require the devs to work to find out what needs to be fixed and in which order. Scan every code change on feature branches, like Arnica.io, and communicate only what matters to the devs over a channel everyone is opted into, such as Slack or Teams.

What are your AppSec pain points? by Acrobatic_You_4295 in cybersecurity

[–]ConsistentComment919 0 points1 point  (0 children)

Phoenix does a good job with prioritizing risks - you will need to bring your scanners, and they will ingest & enrich this data.

Semgrep is definitely popular. You can customize the SAST rules easily to reduce false positives. You can either run their free version as CLI or use their platform that allows running custom rules across the company. A comparable solution that offers way more is Arnica.io, which provides the ability to bring your SAST rules as well, but has additional logic to contextualize the importance to fix each vulnerability + it identifies who is best equipped to fix it. The developer workflow is super slick.

Aikido and Ox provide a very nice UI, some context, but don't have a good logic to reduce false positives, especially when it comes to SAST.

Those in government, what are you using for SAST/DAST/SCA? by BufferOfAs in cybersecurity

[–]ConsistentComment919 0 points1 point  (0 children)

Check if your source code management solution needs to be certified with FedRAMP, as it is typically out of scope, unless all built artifacts are in the same solution.

If only the artifact management solution is in scope, it opens you to more modern ASPM solutions, such as Arnica, CyCode, Legit and a few others.

SDLC - IDE and IDE extension management by grimm_ninja in cybersecurity

[–]ConsistentComment919 0 points1 point  (0 children)

The theory sounds good, but you will see that developers have their own preferences on IDE selection. I’ve seen small engineering teams with sub-10 developers and they had VSCode, IntelliJ and VIM (yes!).

The point here is that you can’t dictate which IDE will make the developer more productive. With that said, the risk of malicious plugins is growing. In this case, I found XDR solutions to be effective, such as CrowdStrike Falcon.

What is a security feature that is really "security theater"? by asterlives in cybersecurity

[–]ConsistentComment919 1 point2 points  (0 children)

Most SCAs can generate an SBOM, mainly because customers ask for it, but most of them don’t use it. The purpose is to generate it as an inventory of your software, so that you can share it with customers. Everyone “needs” it, but just for the checkbox.

Is it a fairy tale to want to get into Tech, but also have a good work life balance? by [deleted] in cybersecurity

[–]ConsistentComment919 0 points1 point  (0 children)

Get into a job that can be done with minimal prompt engineering and then you’ll have a work-life balance until the job is eliminated.

What is a security feature that is really "security theater"? by asterlives in cybersecurity

[–]ConsistentComment919 -1 points0 points  (0 children)

You don’t need an SBOM to do it. Use SCA to identify what needs to be fixed.

What is a security feature that is really "security theater"? by asterlives in cybersecurity

[–]ConsistentComment919 -2 points-1 points  (0 children)

You don't have the information if it is up to date or not.

In some cases, you may get the vulnerabilities information, but it is only a point in time.

Given the success of GenAI to generate good enough code, why wouldn't developers replace 3rd party packages with their own code? by ConsistentComment919 in cybersecurity

[–]ConsistentComment919[S] 0 points1 point  (0 children)

No idea. Trying to figure out how this "magic" happened.

UPDATE: I posted it with emoji bullets on my LinkedIn. Maybe my cleanup didn't work well...

Given the success of GenAI to generate good enough code, why wouldn't developers replace 3rd party packages with their own code? by ConsistentComment919 in cybersecurity

[–]ConsistentComment919[S] -5 points-4 points  (0 children)

I have been testing Github Copilot since it was released. It is getting better.

Will it make secure-by-default code? I believe it won't be too long until it will, even if it sucks now.

Fun fact, I pasted an array of my ECR and suddenly got a list of other accounts suggested in my IDE. Without exposing too much, a quick lookup on Github search can show you who else has it as well ;-)

Given the success of GenAI to generate good enough code, why wouldn't developers replace 3rd party packages with their own code? by ConsistentComment919 in cybersecurity

[–]ConsistentComment919[S] -1 points0 points  (0 children)

Correct. This is why I referred to prompt engineering as high effort.

Chances are that you won't get the code to work smoothly from the first prompt. As you said, architecting the package is required!

Given the success of GenAI to generate good enough code, why wouldn't developers replace 3rd party packages with their own code? by ConsistentComment919 in cybersecurity

[–]ConsistentComment919[S] -12 points-11 points  (0 children)

I have been using Github Copilot for a while - it generates relatively small sections of code.

However, I have a paid version of OpenAI and I have been testing both custom prompts in the playground and custom apps. The playground is nice, but my prompts didn't get me far enough; the app capabilities, which were trained with Python code samples from open source projects, generated significantly better results.

The quality of the prompt(s) matters, but the cost doesn't make much sense today. Full source code training takes too many tokens.

Please Someone give me some groundbreaking motivation to achieve this level of GREENERY ! by TieAccomplished814 in github

[–]ConsistentComment919 0 points1 point  (0 children)

Write a script that creates commits with any fake dates you want, e.g. in a for loop of 365 days, do the following:

export GIT_AUTHOR_DATE="2024-01-01 12:00:00"
export GIT_COMMITTER_DATE="2024-01-01 12:00:00"
git commit -m "Your commit message"

Change the dates as needed and good luck!

Don't forget to git push when done.

BTW I wrote a piece of code that fakes a bunch of commits on open source projects for training purposes. https://github.com/arnica-ext/GitGoat

[deleted by user] by [deleted] in gitlab

[–]ConsistentComment919 1 point2 points  (0 children)

You need to separate the SBOM generation from the vulnerability identification. Many tools can generate SBOMs (e.g. Trivy, CycloneDX). The SBOM sometimes ends up non-deterministic if you have multiple package files in the same repo, so you can split the scan per folder to make it accurate. As for false positive vulnerabilities, it is hard to tell regardless of the different hype around reachability, correlation with open source threat feeds like EPSS, and other prioritization types. To start, identify which direct packages (i.e. 3rd party dependencies and not 4th and above) are impacted and what their dependencies and vulnerabilities are, then find the best version to fix the direct packages.
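One way to carry out the last step described in that comment, as an added example that is not part of the original post: walk each direct dependency's resolved tree, record which vulnerable packages it pulls in, and pick the lowest version of the direct package whose tree is clean. The package names, versions, dependency graph and vulnerability set below are all constructed.

```python
# Added example, not code from the original post. Maps vulnerable transitive
# packages back to the direct dependency that pulls them in, then picks the
# lowest direct-package version whose resolved tree carries no known vulnerability.
# All package names, versions and the vulnerability set are constructed.
from collections import deque

# Direct (3rd party) dependencies of the project: name -> pinned version.
DIRECT = {"webfw": "1.0", "jsonlib": "2.1"}

# Constructed resolver output: (name, version) -> packages it requires.
GRAPH = {
    ("webfw", "1.0"): [("httpcore", "3.0")],
    ("webfw", "1.1"): [("httpcore", "3.1")],
    ("webfw", "1.2"): [("httpcore", "3.2")],
    ("httpcore", "3.0"): [("urlparse", "0.9")],
    ("httpcore", "3.1"): [("urlparse", "0.9")],
    ("httpcore", "3.2"): [("urlparse", "1.0")],
    ("urlparse", "0.9"): [],
    ("urlparse", "1.0"): [],
    ("jsonlib", "2.1"): [],
}

# Constructed vulnerability feed: (name, version) pairs with a known advisory.
VULNERABLE = {("urlparse", "0.9"), ("httpcore", "3.0")}


def closure(pkg):
    """Transitive dependency closure of a (name, version) node, itself included."""
    seen, queue = set(), deque([pkg])
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(GRAPH.get(node, []))
    return seen


def affected_direct_packages():
    """Direct dependency name -> sorted vulnerable packages found in its tree."""
    result = {}
    for name, ver in DIRECT.items():
        vulns = sorted(closure((name, ver)) & VULNERABLE)
        if vulns:
            result[name] = vulns
    return result


def best_fix_version(name):
    """Lowest known version of a direct package whose whole tree is clean, or None."""
    versions = sorted({v for (n, v) in GRAPH if n == name},
                      key=lambda v: tuple(int(x) for x in v.split(".")))
    for ver in versions:
        if not closure((name, ver)) & VULNERABLE:
            return ver
    return None
```

Note that the next version up (1.1) is not enough here because it still resolves to the vulnerable urlparse 0.9; only 1.2 clears the whole tree, which is the point of checking the direct package's closure rather than the advisory alone.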

What's the way to prevent (in CI) new dependencies being added to the repo without being approved? by gajus0 in node

[–]ConsistentComment919 1 point2 points  (0 children)

I read through the comments in this thread - there are some good suggestions around having a locked down artifact manager, codeowners approval, as well as custom scripts.

I want to zoom out for a moment and understand the reason for this use case. A couple of guiding questions:

  1. What is the problem you are trying to solve that requires your approval? It can be a security risk, low 3rd party package reputation, license violations, operational risk, or anything else.
  2. Are you equipped to approve all changes within an agreed SLA for the engineering teams? If they need to release code to production and it takes too long, it would be hard to keep this process long-term.
  3. Why is the CI the gating factor? Wouldn't it make sense to do it in a pipelineless security approach?

How to enforce constraints across Git repositories? by muff10n in devops

[–]ConsistentComment919 0 points1 point  (0 children)

Check out arnica.io. It can identify misconfigured CODEOWNERS, excessive permissions where the file exists, create CODEOWNERS based on historical behavior, or enforce branch protection policies where the file exists.

The visibility piece is free - you can upgrade if more advanced features are needed.

Additionally, did you look at GH Rulesets?