AppSec Santa

Gain Superhero Powers To Prevent Cyber Criminals From Disrupting Business

Summary

ProjectDiscovery.io is one of the fastest-growing open source initiatives going viral in #devsecops, accelerating the path to a more secure world 🦾.


Project Discovery

Cybercriminals are clearly getting more sophisticated, and the number of vulnerabilities discovered in infrastructure and software stacks continues to grow year on year. The attack surface is also growing as we introduce more of everything: software, APIs, data repositories, virtual machines and containers.


Organisations are also moving faster by the day, with more frequent software release cycles enabled by the shift to DevOps. Each change has the potential to introduce new vulnerabilities, whether through configuration errors in different layers of the stack or through insecure code.


Keeping up with this “merry-go-round” is no mean feat, and even companies that one would expect to be on top of their game are named and shamed in the press on a weekly basis.


Unfortunately, there is no single silver bullet that will prevent every evil, but there are some newer approaches to these challenges that deserve serious consideration, not least because they fit very nicely into the DevOps model.


The ultimate test of whether an application is secure is to get the best hackers and bug bounty hunters out there to try to break in. Their expertise will reveal the weaknesses in your stack. The reality is that this is simply not feasible for most organisations: the best of the best invariably have demanding day jobs, or there is already a queue of organisations lining up for their time.


Furthermore, the cost of employing their expertise may prove prohibitive. Given the frequency of release cycles and the volume of change that results, it is also not feasible to rely on people alone to run the process.

The Superhero Connection

In my search for "silver bullets", I was made aware of an open source initiative called Project Discovery. They are driving a number of open source initiatives that together provide a suite of tools achieving what I describe above, but in software.

There are several things I find interesting about Project Discovery's approach that make it worthy of further investigation:

  • They provide a framework in which developers can write their own vulnerability checks as templates in human-readable YAML. For those unaware of it, YAML is declarative in nature and is widely used and well understood across the industry.

This means that for anyone with security and developer skills, templates are relatively straightforward to implement and maintain. Because a template is just a file in the repository, it can be run in the testing phases of a CI/CD pipeline, providing an automated feedback loop that drives remedial action when a check fires.
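To make the "checks as YAML" point concrete, here is a minimal Nuclei template of the kind described above. It is an added example written for this page, not one of ProjectDiscovery's own templates; the template id, author handle, the second probe path and the set of dotenv key names are illustrative choices. It looks for an application `.env` file served from the web root and, to avoid false positives on catch-all pages, only reports when the status, body and content type all agree that a real dotenv file came back.

```yaml
# Added example: a minimal Nuclei template that flags an application .env
# file reachable over HTTP. Not one of ProjectDiscovery's own templates;
# the id, author, paths and key names below are illustrative choices.
id: example-exposed-dotenv

info:
  name: Exposed .env file in web root
  author: appsec-santa-example   # assumed placeholder author handle
  severity: high
  description: |
    An application .env file reachable over HTTP typically leaks database
    credentials and application secrets. The template requests the file and
    only reports a finding when the body looks like a real dotenv file rather
    than a generic 200 page (a "soft 404").
  tags: exposure,config,dotenv

# `http` is the protocol block in current Nuclei releases; older templates
# use the key `requests` with the same structure underneath.
http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"
      - "{{BaseURL}}/.env.backup"   # assumed extra path worth probing

    # Every matcher must hit for the finding to fire. This is what keeps a
    # catch-all page that answers 200 to any path from producing noise.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # At least one typical dotenv key at the start of a line.
      - type: regex
        part: body
        regex:
          - "(?m)^(APP_KEY|DB_PASSWORD|DB_USERNAME|APP_ENV)="

      # Reject HTML responses: a real .env is plain text.
      - type: word
        part: header
        words:
          - "text/html"
        negative: true

    # Pull the matched key names into the report so the finding is actionable
    # without echoing the secret values themselves.
    extractors:
      - type: regex
        part: body
        regex:
          - "(?m)^(APP_KEY|DB_PASSWORD|DB_USERNAME|APP_ENV)="
```

Run it against a single host with `nuclei -u https://staging.example.com -t exposed-dotenv.yaml` (the host is a placeholder). In a pipeline, the same invocation with `-o findings.txt` lets the job fail when the findings file is non-empty, which is the feedback loop the paragraph above describes. The `negative: true` matcher and the `and` condition are the practitioner's caveat: without them, any application that returns 200 for unknown paths would light up on every scan.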

  • They have a large and rapidly growing community, and through it they are curating the expertise of leading security practitioners and developers from all over the world. Every day, members of that community develop new ways to test simple and complex services for vulnerabilities and contribute their work for use by others.

In addition, plug-ins exist to generate templates automatically from popular testing tools such as Burp Suite. At the end of the day, the best way to tackle the challenges I highlighted earlier is as a collective, one that includes the best and brightest minds in the field.

  • Speed of execution: when you are releasing new code, you need to get to the defects as quickly as possible in order to remove roadblocks without delay. I noted from the commentary I read how blisteringly fast this is at producing results, unlike many other DAST solutions.

The framework they have built can be used by anyone and applies equally to the largest internet-scale businesses, enterprises, SMEs and start-ups where DevOps principles are already in place. Software and services companies can also build new offerings on it to solve their customers' challenges. All of this without having to start from scratch, employ external expertise or buy expensive packaged software.

If my explanation sparks an idea of how your organisation might benefit from Project Discovery, I highly recommend that you or members of your team take a closer look to establish whether it could be worth your while. I started with a video I found on YouTube that sparked my curiosity to learn more. The most interesting initiative is called Nuclei, which ships with hundreds of community-contributed templates detecting publicly disclosed vulnerabilities, but the other tools could also prove useful depending on the nature of your services.
