With every build. Security Scanners are in the pipeline. We don't have a regular scan that goes over source code for projects that are built less often, yet More on reddit.com

Hello there! Has anyone used the OWASP dependency checker before, alongside of other SAST tools on their Jenkins pipelines? More on reddit.com

Yeah we do. We use 1 to 3 tools and one training program. Will go over them one by one: OWASP DependencyCheck - a really decent tool for scanning your project for vulnerable dependencies. It is actively developed and updated and up to date with the most latest vulnerabilities. Sometimes it can be a pain in the ass, though. Some security researchers and such find a vulnerability, publish it and the next day our CI/CD pipelines fail (the dependency check build step prevents the code from going to production). And not always there is a fix available. So, some vulnerabilities have to be ignored, temporarily. Also, to be able to ignore a vulnerability one has to do a fast risk assessment. And that will require from him to read about the vulnerability and decide if it is safe to be ignored or some different workaround must be found. Trivy scan - I have a bit mixed feelings with that. It scans more stuff than OWASP DependencyCheck: Docker images, filesystem, VM, Kubernetes, etc. So in a way it is also very good. But then again, some of the vulnerabilities it finds is very difficult to fix. If not possible. Let's say it finds a vulnerability inside Gradle itself or inside Maven itself. These are tools that regular developers are not maintaining. Only the developers who actually develop Gradle/Maven itself and improve it, they can fix it. Or some pull requests on their projects. But you'll never know when your pull request gets accepted. Also as it finds vulnerabilities from unorthodox places like filesystem, Docker images, VM image, then it can be difficult for a common software developer to fix it. Sure, there are fixes and workarounds but these are not straightforward. FOSSA scan - it is different from OWASP DependencyCheck and from Trivy scan. It is checking code for supply chain attacks on dependencies and for for license violations. For example, let's say, your project is using DependaBot tool for automatically upgrading dependencies. And you are using, I don't know, Gradle v7.6 (currently the latest version). A malicious person takes the source code of Gradle v7.6, adds some malicious stuff in it and publishes it in Maven Repository with version 7.7 . Don't know about DependaBot but some tools for sure will try to upgrade your 7.6 to 7.7 then. And often these upgrades are automated. If all the tests pass, end-to-end functionality tests pass, deployment passes, then the upgrade goes through. AND a vulnerability can be introduced to your system. FOSSA scan is for checking if the dependency supply chain is legitimate or fake. A downside is that a full scan will take many hours. So one of our teams is just testing it out, right now. It is not feasible to put a 4 hour blocker in our build pipelines. But with fast releases a vulnerability can be introduced already into the system. Hoxhunt - a security awareness training program for companies. It will generate suspicious emails and will send them to employees. Its goal is to train employees to not click random stuff, download random stuff, answer to unverified emails, etc. A cyber hygiene in general. Some of the training emails can be very convincing. It is not your typical "Hi, I'm a Nigerian prince who wants to give you 1 million dollars." but it is "One of your repositories is having a vulnerable dependency in it and your company's security scanner detected it. Please check the following report for further details and how to act on them." type of an email. 3 tools are used in our CI/CD pipelines. It will just automatically scan the project whenever we push new code changes to our git repository. That Hoxhunt runs separately on background (a subscription) and will send emails to our employees with an irregular interval (to mimic a realistic scenario). The CI/CD scan tools are used by software developers, data engineers, some product managers, DevOps team and our cyber security team. All the people with a technical know-how. Hoxhunt is targeting all the developers. Business people and all kind of tech-illiterate managers and such as well. Hoxhunt is mandatory for everybody. Our cyber security team has "talks" with people who ignore it, misuse it, or actively fall a "victim" to the training emails without learning from their previous mistakes. Because the goal of Hoxhunt is to increase the overall security awareness. CI/CD pipeline tools... they are a strong recommendation. Not compulsory per se but it is a bad sign when your project does not use one of them. Some teams use all of these tools by default. Even that slow FOSSA scan. Other teams use only OWASP DependencyCheck and/or Trivy scan. More on reddit.com

Did you try Google?

More on reddit.com