Gaining Access to All Source Code for AppSec Enhancement
The Importance of Source Code Access
As an appsec engineer, it's essential to have access to your company's source code. This allows you to:
- Stay informed about projects
- Identify security issues
- Have a global perspective of your company's codebase.
I'll walk you through the process of obtaining all the code and share some practical tips on how you can use it to enhance your security efforts.
How to Access All the Code
- Request Access: Request read-only access to the system where your company stores its source code.
- Use the System's API: To get a list of all projects and repositories, use the system's API. This will provide you with information about each repository, including how to clone it.
- Clone Repositories: Next, clone each repository to get the source code and store it locally. You can automate this process by writing a small script. With this, you've got all the code!
Leveraging the Code for Security
With access to all the code, you can:
- Detect new projects and add them to your appsec radar for timely intervention.
- Identify new developers and introduce them to the application security team.
- Quickly find impacted applications when a CVE occurs (e.g., find all applications impacted by log4j).
- Search for patterns in code reviews across the enterprise to scale your efforts.
- Detect and remove secrets and credentials at scale.
- Monitor project activity to pinpoint security risks.
- Find projects using insecure algorithms like MD5 or disabled TLS verification.
- Track new branches, perform basic scans, and collaborate with developers for secure coding practices.
- Scan every commit for specific keywords to preemptively address security issues.
Remember, the sky's the limit when it comes to improving security with code access!
Addressing Concerns
You might encounter resistance from those skeptical about granting code access. Address their concerns by:
- Clarifying the purpose and benefits of your access.
- Offering a grace period before scanning if there are secrets or credentials in the code.
- Understanding that access might be restricted for repositories with patented code or confidential information.
To mitigate concerns, maintain a list of repositories and projects you won't clone. Some source code hosting systems even offer a "god mode" access, barring specific repositories.
Conclusion
In today's video, we explored the importance of accessing your company's source code and how to use it for enhancing application security. Implementing this can drastically improve your organization's security posture.