Professional Documents
Culture Documents
Week 12 Session 4
Week 12 Session 4
WEEK-12: Session-4
Pre-Commit Security Controls
Rapid Risk Assessment
Git Hook Security
Code Editor Extensions
Branch Protections
CodeOwners
Commit Security Controls
Static Analysis Security Testing
Component Analysis
Client-Side Hooks:
Pre-Commit
The pre-commit hook runs on the git commit command before Git checks for a commit message or
generates a commit object. This hook can be used to run any tests on the snapshot that is about to
be committed
Examples:
Search for secrets left in the code
Abort a commit if a high-risk file or folder has been changed
Run a linter to ensure code is following coding standards
Prepare-Commit-Msg
The prepare-commit-msg hook runs just after the pre-commit hook (assuming that the commit has
not aborted) to populate the commit message with text. This hook can be used as a template to
prepare the commit message that gets printed with the commit. It will save time by automatically
formatting and pulling certain commit information, like the branch name, issue, or developer
name.
Examples:
Populate a list of false positive results from a scan run during the pre-commit hook
Generate a message with the associated issue from your issue tracker
Generate a message template for different types of commits: message (-m or -F
option), merge (if the commit is a merge), template (-t option), squash (if a commit squashes
commits)
Commit:
The commit-msg hook runs after the prepare-commit-msg hook and after the user completes the
commit message. Where the prepare-commit-msg hook prepares the template for the message,
Server-Side Hooks:
Pre-Receive
The pre-receive hook runs anytime a client pushes a commit using git push.
Examples:
Reject a push if secrets are committed in the code
Reject a push if a user has committed to a disallowed folder
Reject a push if the commit has bypassed a code review
Post-Receive
The post-receive hook runs after a push commit runs successfully. This hook is used to send
notifications on a successful git push. This hook is similar to the client-side hook post-commit but
would be a more logical place to perform notifications as this hook resides on a central server.
Examples:
Send an email notification to the engineering team
Trigger a call to the server that can run a SAST/DAST scan
The Code Owners are now displayed in the UI. They apply to the current branch only.
White-box testing
SAST is a form of white-box security testing which has full access to the underlying source code
and binary. It will test your program via an inside-out approach. Specialized SAST software such
as GitLab, Klockwork or AppThreat will scan your source code automatically either during the
coding process, or after you have committed the code to your pipeline.
For example, for Klockwork’s users, once you have established a link between your project and
Klockwork Desktop, it allows you to code your program normally using any IDE of your choice as
long as it is open in the background. Each time you save the file, Klockwork Destop will update the
[Cyber Security-20CS54I] Page 7
Department of Collegiate and Technical Education Diploma in CS&E
code automatically and perform a scan on the spot. If it detects any security issues, it will display
them on the user interface.
Early Detection
SAST is typically conducted at the early stage of the system development life cycle, usually during
or after the development stage. This allows you to identify any form of security vulnerabilities
before going into the testing or quality assurance phase.
It is a lot easier to fix problems when they are discovered early. Besides, most SAST executions
will flag lines of code with the vulnerabilities. This can be extremely useful and serve as pointers to
developers when fixing vulnerabilities. It also costs less to maintain and develop the project.
False Positives
SAST methodology is prone to high number of false positives compared to DAST. As a result, a
situation might arise where developers have wasted valuable time and resources fixing imaginary
problems in their system. Such a downfall can be costly in the long term if there are hundreds or
thousands of false positives.
Language-Dependent
SAST is language-dependent in terms of analyzing the underlying source code and binary. Most
SAST tools specialize only in a few computer languages. You will not be able to find a one-size-
fits-all SAST tool for every programming language used in your projects. As a result, scaling and
maintaining a project build with different computer languages will be an enormous task.
Having an accurate inventory of all third-party and open source components is pivotal for risk
identification. Without such knowledge, other factors of Component Analysis become impractical
to determine with high confidence. Use of dependency management solutions and/or Software Bill
of Materials (SBOM) can aid in inventory creation.
Component Age
Components may have varying degrees of age acceptance criteria. Factors that impact acceptable
age include the type of component, the ecosystem the component is a part of (Maven, NPM, etc),
and the purpose of the component. The age of a component may signify use of outdated
technology and may have a higher probability of being passed over by security researchers.
Outdated Components
Newer versions of components may improve quality or performance. These improvements can be
inherited by the applications that have a dependency on them. Components that are end-of-life
(EOL) or end-of-support (EOS) also impact risk. Two common approaches to community
supported open-source is:
Support the latest revision of the last (x) releases - (i.e. 4.3.6 and 4.2.9)
Support only the latest published version (i.e. 4.3.6 today and 4.4.0 tomorrow)
Depending on the risk appetite, it may be strategic to only use third-party and open source
components that are supported.
Known Vulnerabilities