Add Sobelow Example to CI/CD Module #55

Open
wants to merge 6 commits into
base: main
31 changes: 31 additions & 0 deletions modules/8-cicd.livemd
Expand Up @@ -26,6 +26,37 @@ This module will cover over some of the automated processes you may see in a CI/

Built in Elixir, for Elixir, by NCC Group - this tool will try to determine whether your codebase has a number of web vulnerabilities as well as the insecurites outlined in [Module 5 - Elixir Security](./5-elixir.livemd).

### <span style="color:blue;">Example</span>
Install [Sobelow](https://sobelow.io/) and add it to your application dependicies or install it by following the instructions https://hexdocs.pm/sobelow/readme.html

Scan your project by running the following at a terminal in your project's root directory
```
$ mix sobelow
```
As a vulnerability scanner, there are multiple categories of vulnerabilities sobelow is capable of discovering and reporting on.

For instance, there are a number of security issues published on the Common Weakness Enumeration (CWE) site - [CWE's](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html) and on OWASP Top 10 [OWASP Top 10](https://owasp.org/www-project-top-ten/).

Scanning tools like Sobelow identify code patterns that match these issues and report them back to developers/users.

### <span style="color:blue;">Example</span>

Let's say you are interested finding in places in your application that may be susceptible to injection attacks.

There are several types of injection. Referring to the CWE list, we see #17 CWE-77 for Command Injection, #25 CWE-94 is Code Injection, and #3 CWE-89 is SQL Injection. If we look at the OWASP Top 10 for 2021, A03:2021-Injection is third on the list. Sobelow has the capability to detect these types of security issues.

Injection vulnerabilities are places in an application where a malicious actor can send commands, queries, and other input that gets processed and executed as code. Injection attacks can trigger the application into performing an unauthorized action or exposing sensitive data.

[The following modules are supported by Sobelow for the discovery of Command Injection Vulnerabilities](https://hexdocs.pm/sobelow/0.2.4/Sobelow.CI.html#content)

```
Sobelow.CI
Sobelow.CI.OS
Sobelow.CI.System
```

Reference: https://docs.guardrails.io/docs/vulnerabilities/elixir/insecure_use_of_dangerous_function

### Usage

Refer to Sobelow's [README](https://github.com/nccgroup/sobelow#installation) for the simplest instructions on how to use it.
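Review bot: for a CI/CD module, the first Example stops at `$ mix sobelow` with no flags, so the reader is never shown how the scan actually gates a pipeline; `mix sobelow` returns exit status 0 by default even when findings are reported, so suggest extending the fenced block to `$ mix sobelow --exit Low` (or `--exit Medium`) so the job fails at or above that confidence level, and mentioning `--format json` for output that a later pipeline step consumes. The link under "The following modules are supported by Sobelow for the discovery of Command Injection Vulnerabilities" is pinned to the 0.2.4 docs; point it at the current hexdocs page so the module list does not go stale. In the Usage section, the README link anchors to `#installation` while the sentence promises "instructions on how to use it"; either drop the anchor or reword. Spelling: "insecurites" should be "insecurities", "dependicies" should be "dependencies", and "interested finding in places" should be "interested in finding places".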