Application Security (AppSec) Fundamentals
Application Security (AppSec) focuses on improving the security of applications by finding, fixing, and preventing security vulnerabilities.
Scanning Dependencies for Known Vulnerabilities
Modern applications rely heavily on open-source libraries. These libraries can have known vulnerabilities, so it is important to scan your dependencies regularly.
- npm audit: For Node.js projects, `npm audit` scans your project for vulnerabilities and provides you with a report:

  npm audit

  To automatically fix the vulnerabilities, you can run:

  npm audit fix
- trivy: A versatile scanner for vulnerabilities in container images, file systems, and Git repositories.

  # Scan a container image
  trivy image my-app:latest
  # Scan a filesystem
  trivy fs /path/to/project
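Scanning is only useful if the result gates something, so here is an added example (not from the page or from npm itself) of a small CI gate over the JSON that `npm audit --json` emits: it lists every finding at or above a severity threshold and returns a non-zero exit code when any exist. The report shape follows the npm 7+ audit report format as assumed here, and the package names and advisory titles in the sample are constructed.

```python
import json

# Severity levels as npm audit reports them, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample in the shape of `npm audit --json` output (npm 7+ report
# format, as assumed here); the package names and advisory titles are invented.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser",
            "severity": "high",
            "via": [{"title": "Prototype pollution (constructed)", "severity": "high"}],
            "fixAvailable": True,
        },
        "example-logger": {
            "name": "example-logger",
            "severity": "moderate",
            "via": ["example-parser"],  # vulnerable only through example-parser
            "fixAvailable": {"name": "example-parser", "version": "2.0.0", "isSemVerMajor": True},
        },
    },
    "metadata": {"vulnerabilities": {"moderate": 1, "high": 1, "critical": 0, "total": 2}},
})


def findings_at_or_above(report_json, threshold):
    """Return (package, severity, fix_available) for each vulnerability at or
    above `threshold`, most severe first."""
    report = json.loads(report_json)
    min_rank = SEVERITY_ORDER.index(threshold)
    hits = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        if SEVERITY_ORDER.index(vuln["severity"]) >= min_rank:
            # fixAvailable is True, False, or an object describing an upgrade that
            # may be semver-major (what `npm audit fix --force` would apply).
            hits.append((name, vuln["severity"], bool(vuln.get("fixAvailable"))))
    return sorted(hits, key=lambda hit: -SEVERITY_ORDER.index(hit[1]))


def ci_exit_code(report_json, threshold="high"):
    """0 when nothing reaches the threshold, 1 otherwise: a 'fail the build' gate."""
    return 1 if findings_at_or_above(report_json, threshold) else 0


if __name__ == "__main__":
    for pkg, severity, fixable in findings_at_or_above(SAMPLE_REPORT, "moderate"):
        print(f"{severity:9} {pkg:16} fix available: {fixable}")
    raise SystemExit(ci_exit_code(SAMPLE_REPORT))
```

In a pipeline you would feed it the real report (`npm audit --json > audit.json`) instead of the constructed sample; the threshold decides which findings block a merge and which are only reported.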
Introduction to SAST & DAST
- SAST (Static Application Security Testing): SAST tools analyze an application's source code, byte code, or binary code for security vulnerabilities without executing the application. They are often integrated into the CI/CD pipeline to provide early feedback to developers.
  - Examples: SonarQube, Checkmarx, Veracode.
- DAST (Dynamic Application Security Testing): DAST tools test a running application for vulnerabilities by sending malicious inputs and observing the responses. They are good at finding vulnerabilities that are only apparent when the application is running.
  - Examples: OWASP ZAP, Burp Suite, Netsparker.