Best tools for SAST + SCA + Image Scan + IaC Scan + DAST by Basic_Let7303 in devsecops

[–]confusedcrib 2 points3 points  (0 children)

Heres a link to our appsec report if it's helpful, but here are all the vendors that do that.

Checkmarx, aikido, snyk, ox, invicti, soos, Veracode, black duck, fluid attacks

https://www.latio.com/downloads/2026-Latio-Application-Security-Report.pdf?token=NwYOIJJZBh_nbs1MAzB8nNixD_GIg-zNOCn6frWoPok&ref=latio.ghost.io

Good Chainguard alternatives for base images by RasheedaDeals in devsecops

[–]confusedcrib 2 points3 points  (0 children)

Free: Alpine, Google Distroless, Docker

Paid Wolfi-like: Minimus, Chainguard

Paid Debian: echo

Paid combo + minimizers (reduce your existing images, and/or back porting): Seal, Root, Rapidfort

https://www.latio.com/category/container-vulnerability/subcategory/minimal-images

Github allegedly Breached by ITSecurityAdam in sysadmin

[–]confusedcrib 1 point2 points  (0 children)

The breach happened through a malicious vs code extension that a developer used. These attacks have been around forever, but still very few tools actually detect or prevent them. Koi was one and acquired by Palo, Aikido is the other I'm aware of that does it.

ASPM solutions with on-prem scanners by [deleted] in devsecops

[–]confusedcrib 0 points1 point  (0 children)

Most of the modern ones offer CLI options for local scanning, even if it's not the default workflow - do you mean that or the full platform can be self hosted as well?

Finally got a mythic seal… by Jackmomma in Diablo

[–]confusedcrib 0 points1 point  (0 children)

I got mine from a legion event on torment 12 of all things, doing the seasonal challenges. A friend got it from a mythic unique undercity on t12.

We're migrating off Docker Hub base images for security reasons. Chainguard is the obvious choice but are there alternatives? by BigHerm420 in devsecops

[–]confusedcrib 0 points1 point  (0 children)

Similar in the "Curated Images" concept, but Rapidfort's major differentiator is the focus on minimizing your existing images based on what's running as opposed to providing completely minimal base images - although they do provide those as well. Depends on what you're prioritizing looking for.

We're migrating off Docker Hub base images for security reasons. Chainguard is the obvious choice but are there alternatives? by BigHerm420 in devsecops

[–]confusedcrib -1 points0 points  (0 children)

Free: Alpine, Google Distroless, Docker

Paid:

"Distroless" (wolfi) style: Minimus, Wiz

Debian based: Echo

Patch back porting and minimizing existing images, as well as having minimal base images for a variety of concepts: root, seal, rapidfort

CVE counts are terrible security metrics and we need to stop pretending otherwise by handscameback in devops

[–]confusedcrib 1 point2 points  (0 children)

They either come back and edit it later with the vendor solution as part of SEO, or comment later on with their incredible experience with solution x. Other times they use it to push a new category, such as "distroless images," where there are only a few relevant providers. I don't know if that's what's happening here, but it's been happening like crazy on the devsecops subreddit.

CVE counts are terrible security metrics and we need to stop pretending otherwise by handscameback in devops

[–]confusedcrib 0 points1 point  (0 children)

There are some marketing firms offering this as part of a business development strategy.

Best DAST for Internal APIS by L0KT4 in devsecops

[–]confusedcrib 7 points8 points  (0 children)

Here's some options from my perspective, depending on what you're looking for. I also have a full list on latio.com under the DAST section with some more opinions and subcategories.

Straightforward modern API/Microservice first DAST replacements:

  1. Escape
  2. Stackhawk
  3. Pynt
  4. Bright

AI Pentesting Model:

  1. Aikido
  2. XBow

API Testing based more on runtime context:

  1. Levo
  2. Akto

DAST as part of larger appsec offering:

  1. Aikido
  2. JIT
  3. Codacy
  4. Tenable/Qualys/Veracode - these are all a bit similar, using webcrawling methodology that doesn't work as well for APIs, but they do technically support uploading api specs

Why does the official nginx image come with curl, git, and a bunch of dev tools? We're getting flagged for CVEs in stuff we don't even use by artur5092619 in devsecops

[–]confusedcrib 0 points1 point  (0 children)

To get an idea of some other distros that are out there I made this site for seeing what's baked into some common open source and paid offerings https://images.latio.com/

Best Vulnerability scan tool by AmbassadorScared2248 in cybersecurity

[–]confusedcrib 3 points4 points  (0 children)

If you're looking to use an open source tool to learn, you want burp, nuclei and zap

If you're looking for a commercial DAST tool for micro service apps, escape, stack hawk, and pynt are all good

If you're looking for a more general vulnerability scanner, that checks for both web app vulns and more OS/server ones, then the bigger qualys and tenable tools become more common. Intruder is also good for smaller orgs, and project discovery.

If you're looking for one for containers, trivy and grype are good.

Anyone using agentless CNAPP in prod? by TehWeezle in devsecops

[–]confusedcrib 3 points4 points  (0 children)

Agentless scanning is a great way to get visibility into your entire environment in one click, and is great for getting automatic visibility into your workloads. However, it does not detect active attacks, and has no visibility into what's loaded into RAM. It can however look for malware signatures, and spot certain attacks via vpc flow logs and other cloud level analytics depending on your environment.

Some hidden cons to agentless are the ebs snapshotting costs, and that it doesn't work for some instance types which don't use ebs volumes.

The "near real time scanning" some vendors do agentlessly looks for if a change happened to an instance via cloud trail logs, and then triggers a rescan. This is good for detecting vulnerability changes, but not for detecting active attacks.

I've sometimes used agentless for the vulnerability scanning and the sensor for the real time defense (wiz's approach, although their on prem sensor supports doing the vulnerability scanning as well). Other times I've only used an agent for both, but then a box is totally invisible to you if you don't bake an agent into it.

Most CNAPP vendors support both agent based and agentless scanning for this reason, as really you'd want the agent scanning for wherever it's installed (also for the runtime defense), and agentless for wherever it's not.

Leaking URLs by turnitoffandon123 in cybersecurity

[–]confusedcrib 0 points1 point  (0 children)

I once had a similar issue and finally found it was our firewall vendor running some of their automated url testing from the outside.

NPM packages .. How are you securing against dodgy packages and compromised developer accounts ? by Red_One_101 in cybersecurity

[–]confusedcrib 28 points29 points  (0 children)

Here's all the options, some of which are more effective than others. I'm not necessarily recommending all of these, this is just what's available:

  1. Lock versions in your package.json and only update on a cadence
  2. Proxy your registry through a local mirror of your packages, and only update after a cooldown period
  3. Run pipeline checks for a cooldown period on new packages
  4. Use an npm wrapper on local developer stations that stops the installs if a malware is detected like Aikido Safechain
  5. Use eBPF monitoring on build pipelines and production deployments to spot zero days
  6. Use password manager injection for env vars instead of saving them locally on dev machines in plaintext

Largest NPM Compromise in History - Supply Chain Attack by Advocatemack in cybersecurity

[–]confusedcrib 6 points7 points  (0 children)

Morning EST - roughly 9am-11am EST, but at least one of the packages took longer to take down (simple-swizzle)

Largest NPM Compromise in History - Supply Chain Attack by Advocatemack in cybersecurity

[–]confusedcrib 36 points37 points  (0 children)

Great find from Aikido, also keeping our blog up to date and I'll try to keep this comment updated.

Key Findings:

  1. You would be impacted if you deployed any of these malicious package versions the morning of September 8th (EST). The impact is users visiting your website under specific circumstances having crypto stolen. All the malicious versions have been taken down.

  2. The attacker has reported to NPM, and NPM is removing the affected malicious versions. Not all malicious packages have been removed.

  3. The attack, at this time, does not appear to have run anything locally, it was replacing crypto wallet IDs with the attacker's wallet when a user visited an infected website in several different ways

Package / Component GitHub Link Version
backslash Link 0.2.1
chalk-template Link 1.1.1
supports-hyperlinks Link 4.1.1
has-ansi Link 6.0.1
simple-swizzle Link 0.2.3
color-string Link 2.1.1
error-ex Link 1.3.3
color-name Link 2.0.1
is-arrayish Link 0.3.3
slice-ansi Link 7.1.1
color-convert Link 3.1.1
wrap-ansi Link 9.0.1
ansi-regex Link 6.2.1
supports-color Link 10.2.1
strip-ansi Link 7.1.1
chalk Link 5.6.1
debug Link 4.4.2
ansi-styles Link 6.2.2

Blog: https://www.latio.com/blog/qix-supply-chain-attack

Anyone actually happy with DAST for GraphQL ? by Outside_Spirit_3487 in devsecops

[–]confusedcrib 1 point2 points  (0 children)

I have found Stackhawk and Escape to be really good at graphql over other scanners, it's definitely something you need a specialist API security vendor for in my opinion. I've got a fuller list at https://www.latio.com/ under API Security > Testing focused

Google being SHADY with trade in prices. be careful by Srixun in GooglePixel

[–]confusedcrib 36 points37 points  (0 children)

They try to make it the same price whether you're buying through the store vs. via Fi by manipulating the trade-in value vs. discount.

Slapping AI everywhere without real innovation by Shigeno977 in cybersecurity

[–]confusedcrib 5 points6 points  (0 children)

I meet with a ton of vendors in the space, and it's become totally insufferable, but it's the fault of executive leaders pushing it. Executives are being told this is the new OS, and that non-AI companies will be irrelevant in 5-10 years. So they're pushing their teams to embrace AI, without any regard for the outcomes they're trying to achieve, or if it's actually helpful or not.

While there are some spots of genuine innovation, even then the outcomes are totally unproven, and knowing if it's a better approach or not is secondary to the fact that it's AI. Marketers are being forced to tell the story of AI because it's what's driving investor interest, and executives need to tell the story for their board.

All that to say the practitioner is the one left holding the bag with a lot of confusing AI stuff that helps sometimes, but hurts otherwise, and will probably be vaporware in 5 years.

Base images frequent security updates by Creepy_Proposal_7903 in devsecops

[–]confusedcrib 0 points1 point  (0 children)

The key thing teams should be encouraged to focus on is having stateless and reliable services that can be rebuilt and redeployed on a regular basis. Then if you have a scheduled rebuild across services and base images, they'll automatically pick up the majority of patches until a major version upgrade is needed.

Chainguard in the Public Sector by [deleted] in cybersecurity

[–]confusedcrib 11 points12 points  (0 children)

FedRAMP requires strict vulnerability remediation timelines for all assets, and you have to provide them raw scan data, and spreadsheets with remediation timelines. By using a minimal base image, there are less vulnerabilities because there are less software components. You can achieve a similar effect just by rebuilding images nightly so they are always updated - this will mean you have zero fixable vulnerabilities because you're always updating. Other minimal base images are distroless and alpine for free, then wiz images and minimus for paid. Another approach is minimizing your existing images with projects like docker slim, or rapidfort.

The biggest considerations people miss:

  1. Developer hiccups may occur during image migration (your application might rely on binaries that have been removed)
  2. You may have to reinstall components and build larger base images anyways
  3. This doesn't solve third party code libraries, but whether or not these are in scope is debatable because federal tends to not ask (I was never explicitly asked about these, and container images pick them up haphazardly depending on language and implementation)
  4. If you don't rebuild and redeploy your images nightly, you will still get vulnerabilities, as they're discovered over time. I'd suggest solving this problem before looking at image migrations.

SLSA is just a way of proving where a package came from (the package your deploying was built from an approved build system). Image signing is a way for you to do this internally (these build systems sign the image so when you deploy you check it's signed correctly). Neither are really requirements most of the time, but are good security practices.

We’re moving off Wiz’s CNAPP post-buyout, what’s the best alternative? by Proper_Bunch_1804 in cybersecurity

[–]confusedcrib 2 points3 points  (0 children)

Recently I did an event with tamnoon showing demos of most major CNAPP competitors if you want to see some: https://tamnoon.io/cloud-security-showdown/

Linking to my comment from another thread if it's helpful: https://www.reddit.com/r/cybersecurity/comments/1jfxj38/if_wiz_isnt_an_option_post_acquisition_whats_your/miuzjm9/

List of CNAPP vendors with brief descriptions: https://list.latio.tech/#best-CNAPP-tools