DailyGlimpse

How to Hunt Vulnerable Dependencies and Leaked Secrets: A Guide for PenTest+

AI
April 27, 2026 · 3:29 PM

The Third-Party Problem: Your Code Is Not Your Only Attack Surface

Modern applications rely heavily on open-source libraries and third-party components. While this accelerates development, it also expands the attack surface: every dependency you import and every credential accidentally committed to version control can become a vector for attackers.

Software Composition Analysis: Scanning What You Import

Software Composition Analysis (SCA) tools identify known vulnerabilities in open-source libraries by comparing your project's dependencies against databases like the National Vulnerability Database (NVD). One widely used tool is OWASP Dependency-Check, which integrates into CI/CD pipelines to automatically flag vulnerable components.

OWASP Dependency-Check in Practice

Dependency-Check works by scanning your project's manifest files (e.g., pom.xml, package.json, requirements.txt) and cross-referencing the libraries against CVE records. It produces a report listing each dependency, its version, and any associated vulnerabilities, along with severity scores and suggested fixes.

Secrets Scanning: Credentials in the Codebase

Hardcoded credentials – API keys, passwords, tokens – are a common security flaw. Secrets scanning tools automatically search codebases and git history for patterns that match sensitive strings. For example, an AWS access key ID begins with "AKIA" and has a fixed length, which makes it easy to match with a regular expression.

TruffleHog: Scanning Git History for Exposed Secrets

TruffleHog is an open-source secrets scanner that goes beyond the current commit. It scans the entire git history across all branches, looking for high-entropy strings and known secret patterns. It can also scan S3 buckets, file systems, and other data stores.
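To show the two detection strategies just described (a known prefix pattern and a high-entropy check), here is a small, added scanner in Python; it is an illustration written for this article, not TruffleHog's own code. The entropy threshold of 4.0 bits per character and the 20-character minimum token length are assumptions chosen for the example, and the sample file content is constructed using the placeholder keys from AWS's own documentation.

```python
import math
import re

# AWS access key IDs: the "AKIA" prefix followed by 16 uppercase
# letters or digits. Word boundaries stop partial matches inside longer tokens.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Candidate tokens for the entropy check: long runs of base64-like characters.
# Minimum length of 20 is an assumed tuning value for this example.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; random keys score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str, entropy_threshold: float = 4.0):
    """Return (kind, value) findings for one line of source or diff text."""
    findings = []
    for m in AWS_ACCESS_KEY_RE.finditer(line):
        findings.append(("aws_access_key_id", m.group(1)))
    for m in TOKEN_RE.finditer(line):
        tok = m.group(0)
        if AWS_ACCESS_KEY_RE.fullmatch(tok):
            continue  # already reported by the pattern rule above
        if shannon_entropy(tok) >= entropy_threshold:
            findings.append(("high_entropy_string", tok))
    return findings


def scan_text(text: str):
    """Scan multi-line text; returns a list of (line_number, kind, value)."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, value in scan_line(line):
            results.append((lineno, kind, value))
    return results


# Constructed sample: lines as they might appear in a committed credentials
# file. The key values are the documented AWS example placeholders.
SAMPLE = """\
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
log_level = INFO
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}: {value}")
```

Note that the secret access key has no fixed prefix, so only the entropy rule catches it; that is why scanners combine both techniques, and why the entropy threshold must be tuned against a codebase's normal identifiers to limit false positives.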

SCA and Secrets in the Pen Test Workflow

During a penetration test, SCA and secrets scanning are typically performed early in the reconnaissance phase. They help identify easy-to-exploit weaknesses – a vulnerable library or an exposed credential – that can give the tester a foothold. For example, the 2017 Equifax breach was caused by an unpatched vulnerability in Apache Struts (CVE-2017-5638), and the 2021 Log4Shell vulnerability (CVE-2021-44228) allowed remote code execution on millions of systems.

Quiz Time

Test your understanding of SCA and secrets scanning with a short quiz included in the full video.