We can help your organization automate the discovery, and sometimes the remediation, of vulnerabilities by implementing and deploying tools in your infrastructure.
CI/CD pipelines, be it for building and releasing applications, deploying infrastructure or something else, can be a valuable place to integrate security controls. We help our clients by integrating static and dynamic application security testing (SAST/DAST) directly in the pipelines or as parallel jobs.
Which tools fit a given company's CI/CD system varies, and the setup must normally be tailored, but examples of jobs we have seen good value from include Semgrep, Trivy, OWASP ZAP, OWASP Dependency-Check and Mozilla Observatory.
We have experience with Azure Pipelines, GitHub Actions, Jenkins and GitLab Runners, but can adapt to whatever technology our client relies on.
Keeping track of what software is used in an organization's internally developed applications is important, as new vulnerabilities are disclosed frequently in widely used libraries and third-party software. We can help our clients improve their supply-chain security by setting up systems for dependency scanning and keeping a record of the "Software Bill of Materials" (SBOM). This is extremely helpful when the next critical CVE affecting a widely used component is released, as you immediately know whether the affected software is used in your products.
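The lookup described above, as an added example (not the firm's own tooling): a small triage routine that reads a CycloneDX-style SBOM and reports which components fall below the fixed version named in an advisory. The SBOM and the advisory values are constructed sample data.

```python
import json
from typing import List, Optional

# Constructed CycloneDX 1.4-style SBOM for a fictitious product (sample data).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"name": "billing-api", "version": "3.2.0"}},
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.15.2", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"}
  ]
}
"""

def parse_version(v: str) -> tuple:
    # Numeric dotted versions only; sufficient for the comparison shown here.
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def affected_components(sbom: dict, name: str, fixed_in: str,
                        group: Optional[str] = None) -> List[dict]:
    """Return components named `name` whose version is older than `fixed_in`.

    `fixed_in` is the first non-vulnerable version from the advisory. `group`
    narrows the match for ecosystems with namespaces (e.g. Maven groupId).
    """
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name") != name:
            continue
        if group is not None and comp.get("group") != group:
            continue
        if parse_version(comp["version"]) < parse_version(fixed_in):
            hits.append(comp)
    return hits

def triage(sbom_json: str, name: str, fixed_in: str, group: Optional[str] = None) -> dict:
    """Answer 'is this product affected?' with the product id and matching purls."""
    sbom = json.loads(sbom_json)
    product = sbom["metadata"]["component"]
    hits = affected_components(sbom, name, fixed_in, group)
    return {"product": f"{product['name']}@{product['version']}",
            "affected": [c["purl"] for c in hits]}

if __name__ == "__main__":
    # Constructed advisory: log4j-core fixed in 2.15.0, so the 2.14.1 in the SBOM matches.
    print(triage(SBOM_JSON, "log4j-core", "2.15.0", "org.apache.logging.log4j"))
    # Constructed advisory: requests fixed in 2.31.0, so the pinned 2.31.0 is clear.
    print(triage(SBOM_JSON, "requests", "2.31.0"))
```

In practice the SBOM would be generated per build and stored alongside the release, so the same query can be run across every shipped version rather than only the current one.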
Using advanced cloud infrastructure can give rise to new classes of vulnerabilities, such as subdomain takeover, IAM issues, unknowingly exposing back-end services through proxies with opaque configurations, and more. We can help you test for these kinds of vulnerabilities, as well as automate their discovery through policies or tools that scan the cloud infrastructure dynamically.