
Commit 5c80175

Update 8-cicd.livemd
To add a Sobelow example to pending updates to this module under the new Defense In Depth section under System and Application and Security Tooling. Once complete, it will also address issue #27
1 parent c92af20 commit 5c80175

File tree

1 file changed

+24
-0
lines changed


modules/8-cicd.livemd

Lines changed: 24 additions & 0 deletions
@@ -26,6 +26,30 @@ This module will cover over some of the automated processes you may see in a CI/
2626

2727
Built in Elixir, for Elixir, by NCC Group - this tool will try to determine whether your codebase has a number of web vulnerabilities as well as the insecurites outlined in [Module 5 - Elixir Security](./5-elixir.livemd).
2828

29+
### Example
30+
### <span style="color:blue;">Example</span> / <span style="color:red;">Quiz</span>
31+
32+
https://hexdocs.pm/sobelow/readme.html
33+
34+
There are a number of security issues published
35+
Common Weakness Enumeration (CWE) - [CWE's](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html)
36+
OWASP Top 10 [OWASP Top 10](https://owasp.org/www-project-top-ten/)
37+
to start. Scanning tools like Sobelow map code patterns that may contain weakness that match these issues and report them back to developers/users.
38+
Depending on the tool, one or more of the issues listed may be supported/discoverable and tools by programming language.
39+
40+
*TODO: Make Example or Quiz Question*
41+
42+
For example, let's say you are interested in Injection Vulnerabilities. There are several types of injection. Referring to the CWE list, we see that #17 CWE-77 is for Command Injection, #25 CWE-94 is Code Injection, and #3 CWE-89 is SQL Injection. If we look at the Owasp Top 10 for 2021, A03:2021-Injection is third on the list. Sobelow has the capability to detect these types of attacks.
43+
44+
Injection issues are places in an application where a malicious actor can send commands, queries, that get processed as authorized code, to trigger the application into performing an unauthorized action.
45+
46+
47+
```elixir vulnerable code -
48+
49+
```
50+
51+
Reference: https://docs.guardrails.io/docs/vulnerabilities/elixir/insecure_use_of_dangerous_function
52+
2953
### Usage
3054

3155
Refer to Sobelow's [README](https://github.com/nccgroup/sobelow#installation) for the simplest instructions on how to use it.
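Review bot: The code fence added at diff line 47, "```elixir vulnerable code -", has a malformed info string and an empty body; Livebook only recognises "```elixir", so as written this will neither render nor evaluate, and the reader gets no vulnerable snippet to match against the CWE-77/CWE-89 discussion above it. Either fill it with the Elixir pattern the text refers to (the "insecure use of dangerous function" case from the cited guardrails reference, shown beside its safe form, with user input passed as arguments rather than interpolated into the command or query), or drop the fence until the example exists. Same region: the hunk introduces two consecutive "### Example" headings (one plain, one with the coloured Example / Quiz span), so one of them should go, and the "*TODO: Make Example or Quiz Question*" placeholder should be removed once the block is filled rather than shipped in the module.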
