Learning resources and making sense of basic app/cyber security
AppSec vs OrgSec
What is SAST
SAST = Static Application Security Testing aka Static Analysis
Static analysis is software that scans source code for security problems and bugs without executing it. Unlike dynamic analysis, which requires the application to be running (DAST, pen testing or performance testing), static analysis works even on code that is not compiled, or not yet in a compilable state.
Why SAST
- Enforces important guardrails
- Prevents bugs that have occurred before, automatically — you can make a rule
- Eliminates classes of vulnerabilities — via above
- Scales AppSec — so you don’t do the cruel move of making people do manual code reviews all day long. This reduces the time it takes to get an AppSec program up and running
- Automated code review, no expert required — just some buttons to say import the repository and you quickly get a sense of any potential vulnerabilities*
- As a newb, I found this quite fascinating when I imported my first library into Snyk
TIL: Semgrep = semantic grep (gosh)
When to use Burp Suite
It is more of an external testing tool, not so much for SAST, since SAST presumes a view from within.
In contrast, Burp Suite enables you to discover vulnerabilities when you do not have access to the source code. Another developer expressed the sentiment that it is more of an arcane art — I found the PortSwigger Academy exercises (from the makers of Burp Suite) fun but especially challenging without a strong grasp of technical fundamentals (how data is transmitted, how SQL queries are written, what can/cannot be intercepted, etc.)
Semgrep or Snyk?
Semgrep supports 30+ languages whereas Snyk supports 14.
If the intent is writing custom rules, Semgrep is probably a clearly better alternative.
But for basic static analysis, both Semgrep and Snyk seem to work fine.
Note: the references are fairly biased (1) | detailed comparison (2), but mostly consistent with my own (limited) experience
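As an added example (not from the original notes, and not a rule from Semgrep's own registry), here is the kind of custom rule that the "you can make a rule" point under Why SAST and the custom-rules comparison above refer to. It encodes one bug class you never want to ship again: calling PyYAML's yaml.load() on input without a safe loader, which can instantiate arbitrary Python objects. The rule id, message and suggested file path are my own choices; the pattern syntax (metavariables such as $DATA, the ... wildcard, pattern-not, fix) is Semgrep's documented rule language.

```yaml
# Hypothetical file: .semgrep/py-yaml-unsafe-load.yml  (assumed path)
# Run with:  semgrep --config .semgrep/ path/to/repo
rules:
  - id: py-yaml-unsafe-load
    languages: [python]
    severity: ERROR
    message: >-
      yaml.load() without an explicit safe Loader can construct arbitrary
      Python objects from the document it parses. Use yaml.safe_load()
      (or pass Loader=yaml.SafeLoader) when the input is not fully trusted.
    patterns:
      # Match any call to yaml.load; $DATA captures the first argument,
      # the trailing "..." allows further positional/keyword arguments.
      - pattern: yaml.load($DATA, ...)
      # Exclude the two safe loaders so the rule does not flag already-fixed code.
      - pattern-not: yaml.load(..., Loader=yaml.SafeLoader, ...)
      - pattern-not: yaml.load(..., Loader=yaml.CSafeLoader, ...)
    # Autofix: rewrite the whole matched call to the safe variant, keeping
    # the captured argument. Applied with `semgrep --autofix`.
    fix: yaml.safe_load($DATA)
    metadata:
      category: security
      cwe: "CWE-502: Deserialization of Untrusted Data"
```

The three `pattern-*` clauses are ANDed, so a finding requires the call to match the first pattern and to match neither exclusion. To keep the rule honest, Semgrep lets you place a Python file next to it with the same base name containing lines annotated `# ruleid: py-yaml-unsafe-load` (must be flagged) and `# ok: py-yaml-unsafe-load` (must not be flagged); `semgrep --test .semgrep/` then fails if the rule drifts, which is the mechanism that turns a one-off code review finding into a permanent guardrail.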
Side comment on secret scanning
With GitGuardian already integrated into repos I work on with friends, I found myself less worried about accidentally committing secrets. While embarrassing, committing secrets seems to happen to even the best of us.
Snyk has a partnership with GitGuardian whereas Semgrep has their own set of proprietary tools for secrets scanning.
Where to start learning
- https://semgrep.dev/learn — very concise quick start
- https://portswigger.net/web-security — very comprehensive and structured learning pathways
- Try static analysis on your own repos in Snyk or Semgrep and learn by fixing any vulnerabilities