Commit 25fca12

Update 8-cicd.livemd
1 parent 5c80175 commit 25fca12

1 file changed

+8
-7
lines changed

modules/8-cicd.livemd

Lines changed: 8 additions & 7 deletions
@@ -26,27 +26,28 @@ This module will cover over some of the automated processes you may see in a CI/
2626

2727
Built in Elixir, for Elixir, by NCC Group - this tool will try to determine whether your codebase has a number of web vulnerabilities as well as the insecurites outlined in [Module 5 - Elixir Security](./5-elixir.livemd).
2828

29-
### Example
30-
### <span style="color:blue;">Example</span> / <span style="color:red;">Quiz</span>
29+
### <span style="color:blue;">Example</span>
3130

3231
https://hexdocs.pm/sobelow/readme.html
33-
32+
[Sobelow](https://sobelow.io/)
3433
There are a number of security issues published
3534
Common Weakness Enumeration (CWE) - [CWE's](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html)
3635
OWASP Top 10 [OWASP Top 10](https://owasp.org/www-project-top-ten/)
3736
to start. Scanning tools like Sobelow map code patterns that may contain weakness that match these issues and report them back to developers/users.
3837
Depending on the tool, one or more of the issues listed may be supported/discoverable and tools by programming language.
3938

40-
*TODO: Make Example or Quiz Question*
4139

4240
For example, let's say you are interested in Injection Vulnerabilities. There are several types of injection. Referring to the CWE list, we see that #17 CWE-77 is for Command Injection, #25 CWE-94 is Code Injection, and #3 CWE-89 is SQL Injection. If we look at the Owasp Top 10 for 2021, A03:2021-Injection is third on the list. Sobelow has the capability to detect these types of attacks.
4341

4442
Injection issues are places in an application where a malicious actor can send commands, queries, that get processed as authorized code, to trigger the application into performing an unauthorized action.
4543

44+
[The following modules supported by Sobelow for the discovery of Command Injection Vulnerabilities](https://hexdocs.pm/sobelow/0.2.4/Sobelow.CI.html#content)
4645

47-
```elixir vulnerable code -
48-
49-
```
46+
```
47+
Sobelow.CI
48+
Sobelow.CI.OS
49+
Sobelow.CI.System
50+
```
5051

5152
Reference: https://docs.guardrails.io/docs/vulnerabilities/elixir/insecure_use_of_dangerous_function
5253
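Review bot: the `### Example` heading (new line 29) still has no example after this change; the `\`\`\`elixir vulnerable code -` placeholder at old lines 47-49 is replaced by a bare, untagged fence listing `Sobelow.CI`, `Sobelow.CI.OS` and `Sobelow.CI.System`, which is a list of detector modules rather than the vulnerable-code example the heading and the removed TODO promised. Consider keeping an `elixir`-tagged fence with a short snippet those modules would flag, followed by the finding Sobelow reports for it, so the reader sees the path from CWE-77 in the list above to a concrete report. Two smaller points: the new sentence at line 44, "The following modules supported by Sobelow for the discovery of Command Injection Vulnerabilities", is missing a verb (for example "The following modules are supported by Sobelow for..."), and its link pins `hexdocs.pm/sobelow/0.2.4/Sobelow.CI.html` while the readme link earlier in the hunk is unversioned; linking the unversioned module page keeps the two from drifting apart as Sobelow releases new versions.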
