#security (2021-01)
Archive: https://archive.sweetops.com/security/
2021-01-06
2021-01-14
Has anyone had any trouble managing noise in appsec scanners (think Snyk, OWASP ZAP, Bridgecrew, TFSec, Claire, and all the other SAST/DAST/SCA tools) in a modern DevOps environment? E.g. too many alerts, too hard to prioritize alerts, irrelevant alerts to the business, too hard to properly define policies for what scanners run where and when, etc? I’ve gotten the sense that a lot of cloud sec teams feel stuck figuring out how to get developers to actually fix appsec issues, and engineers/DevOps will often ignore the scan results sent over JIRA or in pull requests because there are too many. How do people solve this?
We’re working towards eliminating high severity but it’s going to take work. Most seem largely irrelevant though which makes it feel like box ticking. Some don’t account for mitigations elsewhere. Upstream images have plenty of trivy findings, especially anything Debian based (ubuntu clean). Feel like try tighten down what can and schedule routine review of what accepting is only reasonable way. Ie ratchet.. Compared with implementing and stopping the world.. depends on ones risks?
I haven’t been through soc2 etc before though.
Interesting so sounds like you mostly have to just extensively manually triage this stuff in order to find the stuff that is actually relevant?
It seems to me like there is an opportunity for better tooling here to improve actionability of findings based on various signals
2021-01-15
2021-01-19
2021-01-26
can anyone recommend some good documentation on configuring terraform compliance?
we would like to run it against CI for our terraform modules monorepo as well as when we execute this modules from other repos as part of Atlantis
we’ve started using using bridgecrew. makers of checkov.
other tools frequently mentioned: tfsec, tflint
