You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: modules/8-cicd.livemd
+9-9Lines changed: 9 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -27,27 +27,27 @@ This module will cover over some of the automated processes you may see in a CI/
27
27
Built in Elixir, for Elixir, by NCC Group - this tool will try to determine whether your codebase has a number of web vulnerabilities as well as the insecurites outlined in [Module 5 - Elixir Security](./5-elixir.livemd).
28
28
29
29
### <spanstyle="color:blue;">Example</span>
30
-
Install Sobelow and add it to your application dependicies or install it by following the instructions https://hexdocs.pm/sobelow/readme.html
31
-
32
-
[Sobelow](https://sobelow.io/)
30
+
Install [Sobelow](https://sobelow.io/) and add it to your application dependicies or install it by following the instructions https://hexdocs.pm/sobelow/readme.html
33
31
34
32
Scan your project by running the following at a terminal in your project's root directory
35
33
```
36
34
$ mix sobelow
37
-
38
35
```
39
-
As a vulnerabilities scanner there are multiple categories of vulnerabilities sobelow is capable of discovering/reporting on.
36
+
As a vulnerability scanner, there are multiple categories of vulnerabilities sobelow is capable of discovering and reporting on.
40
37
41
38
For instance, there are a number of security issues published on the Common Weakness Enumeration (CWE) site - [CWE's](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html) and on OWASP Top 10 [OWASP Top 10](https://owasp.org/www-project-top-ten/).
42
39
43
-
Scanning tools like Sobelow map code patterns that may contain weakness that match these issues and report them back to developers/users.
40
+
Scanning tools like Sobelow identify code patterns that match these issues and report them back to developers/users.
44
41
45
42
### <spanstyle="color:blue;">Example</span>
46
-
Let's say you are interested in Injection Vulnerabilities. There are several types of injection. Referring to the CWE list, we see that #17 CWE-77 is for Command Injection, #25 CWE-94 is Code Injection, and #3 CWE-89 is SQL Injection. If we look at the Owasp Top 10 for 2021, A03:2021-Injection is third on the list. Sobelow has the capability to detect these types of attacks.
43
+
44
+
Let's say you are interested finding in places in your application that may be susceptible to injection attacks.
45
+
46
+
There are several types of injection. Referring to the CWE list, we see #17 CWE-77 for Command Injection, #25 CWE-94 is Code Injection, and #3 CWE-89 is SQL Injection. If we look at the OWASP Top 10 for 2021, A03:2021-Injection is third on the list. Sobelow has the capability to detect these types of security issues.
47
47
48
-
Injection issues are places in an application where a malicious actor can send commands, queries, that get processed as authorized code, to trigger the application into performing an unauthorized action.
48
+
Injection vulnerabilies are places in an application where a malicious actor can send commands, queries, and other input that gets processed and executed as code. Injection attacks can trigger the application into performing an unauthorized action or exposing sensitive data.
49
49
50
-
[The following modules supported by Sobelow for the discovery of Command Injection Vulnerabilities](https://hexdocs.pm/sobelow/0.2.4/Sobelow.CI.html#content)
50
+
[The following modules are supported by Sobelow for the discovery of Command Injection Vulnerabilities](https://hexdocs.pm/sobelow/0.2.4/Sobelow.CI.html#content)
0 commit comments