SAST/DAST Requirements
SAST Requirements
Tool
For our SAST initiatives, we use SonarCloud, a static analysis tool that systematically reviews source code to identify potential security vulnerabilities and to assess code quality and technical debt. It is an integral component of our CI pipeline, delivering automated and immediate feedback on every code change. SonarCloud's detection capabilities for a wide variety of security weaknesses and code quality issues are crucial for maintaining high standards throughout our software development process.
Rules
As for the rules used, we adhere to the quality profiles and rules provided by SonarCloud. These rules cover a wide spectrum of coding and security best practices, providing a robust defense against common and emerging vulnerabilities. The complete set of rules used for our scans can be accessed and reviewed for transparency and insight into our SAST practices.
For more information on the specific rules applied during our analysis, refer to the SonarCloud rules for the openIMIS organization: SonarCloud openIMIS Rules.
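The paragraphs above say SonarCloud gates the CI pipeline; the script below is an added example (not openIMIS project code) of how such a gate can be enforced from a pipeline step. It calls the SonarCloud Web API endpoint `api/qualitygates/project_status` and then decides pass/fail from the returned `projectStatus` object. The project key, the token environment variable, the response shape and the authentication scheme (token sent as the Basic-auth user name) are assumptions, not taken from the page; the sample payload is constructed inline so the evaluation logic runs offline.

```python
"""SAST quality-gate check for a CI step (added example, not openIMIS code).

Assumptions (none come from the page): SonarCloud's project_status endpoint
and its projectStatus/conditions response shape, the placeholder project key,
and the SONAR_TOKEN environment variable.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

SONARCLOUD_API = "https://sonarcloud.io/api/qualitygates/project_status"

# Quality-gate conditions that a security engineer treats as SAST failures,
# as opposed to maintainability or coverage conditions (metric keys assumed).
SECURITY_METRICS = {"new_security_rating", "new_vulnerabilities",
                    "new_security_hotspots_reviewed", "security_rating"}


def fetch_project_status(project_key, token, branch=None):
    """Query SonarCloud for the current quality-gate status of a project."""
    query = {"projectKey": project_key}
    if branch:
        query["branch"] = branch
    request = urllib.request.Request(SONARCLOUD_API + "?" + urllib.parse.urlencode(query))
    # Assumed scheme: the token is the Basic-auth user name with an empty password.
    credentials = base64.b64encode(f"{token}:".encode()).decode()
    request.add_header("Authorization", f"Basic {credentials}")
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def describe(condition):
    """Render one failed condition as 'metric comparator threshold (actual value)'."""
    return (f"{condition.get('metricKey')} {condition.get('comparator')} "
            f"{condition.get('errorThreshold')} (actual {condition.get('actualValue')})")


def evaluate_quality_gate(payload):
    """Decide pass/fail and separate security failures from other gate failures."""
    status = payload.get("projectStatus", {})
    failed = [c for c in status.get("conditions", []) if c.get("status") == "ERROR"]
    security = [c for c in failed if c.get("metricKey") in SECURITY_METRICS]
    return {
        "passed": status.get("status") == "OK",
        "failed_conditions": [describe(c) for c in failed],
        "security_failures": [describe(c) for c in security],
    }


# Constructed sample response: the gate fails on a new-code security rating
# of E (3) and on duplicated lines; coverage is fine.
SAMPLE_STATUS = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
             "errorThreshold": "1", "actualValue": "3"},
            {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "85.2"},
            {"status": "ERROR", "metricKey": "new_duplicated_lines_density", "comparator": "GT",
             "errorThreshold": "3", "actualValue": "4.1"},
        ],
    }
}


if __name__ == "__main__":
    token = os.environ.get("SONAR_TOKEN")
    if token:  # live check; "org_project-key-placeholder" is a placeholder key
        payload = fetch_project_status("org_project-key-placeholder", token)
    else:      # offline demonstration on the constructed sample
        payload = SAMPLE_STATUS
    result = evaluate_quality_gate(payload)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

Separating `security_failures` from the other failed conditions lets the pipeline report a SAST finding distinctly from a coverage or duplication regression, while the overall exit code still follows SonarCloud's own gate verdict.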
DAST Requirements
Tool
For our DAST initiatives, we have chosen OWASP ZAP (Zed Attack Proxy) as our primary tool. OWASP ZAP stands out among open-source security tools for its effectiveness in discovering vulnerabilities in running web applications. It reveals a wide range of security weaknesses, which makes it a good fit for our security testing requirements.
Rules
As for the rules used in scans, we use the default scan policy created by experts at OWASP. This policy is a comprehensive set of rules and configurations developed to cover a broad range of current security vulnerabilities. The active scan rules it enables are listed below with their threshold, strength and release status.
Category | Rule Name | Threshold | Strength | Status |
---|---|---|---|---|
Client Browser | Cross Site Scripting (DOM Based) | Default | Default | Release |
Information Gathering | .env Information Leak | Default | Default | Release |
Information Gathering | .htaccess Information Leak | Default | Default | Release |
Information Gathering | Directory Browsing | Default | Default | Release |
Information Gathering | ELMAH Information Leak | Default | Default | Release |
Information Gathering | Heartbleed OpenSSL Vulnerability | Default | Default | Release |
Information Gathering | Hidden File Finder | Default | Default | Release |
Information Gathering | Remote Code Execution - CVE-2012-1823 | Default | Default | Release |
Information Gathering | Source Code Disclosure - /WEB-INF folder | Default | Default | Release |
Information Gathering | Source Code Disclosure - CVE-2012-1823 | Default | Default | Release |
Information Gathering | Spring Actuator Information Leak | Default | Default | Release |
Information Gathering | Trace.axd Information Leak | Default | Default | Release |
Information Gathering | User Agent Fuzzer | Default | Default | Release |
Injection | Buffer Overflow | Default | Default | Release |
Injection | Cloud Metadata Potentially Exposed | Default | Default | Release |
Injection | CRLF Injection | Default | Default | Release |
Injection | Cross Site Scripting (Persistent) | Default | Default | Release |
Injection | Cross Site Scripting (Persistent) - Prime | Default | Default | Release |
Injection | Cross Site Scripting (Persistent) - Spider | Default | Default | Release |
Injection | Cross Site Scripting (Reflected) | Default | Default | Release |
Injection | Format String Error | Default | Default | Release |
Injection | Parameter Tampering | Default | Default | Release |
Injection | Remote OS Command Injection | Default | Default | Release |
Injection | Server Side Code Injection | Default | Default | Release |
Injection | Server Side Include | Default | Default | Release |
Injection | Server Side Template Injection | Default | Default | Release |
Injection | Server Side Template Injection (Blind) | Default | Default | Release |
Injection | Spring4Shell | Default | Default | Release |
Injection | SQL Injection | Default | Default | Release |
Injection | SQL Injection - Hypersonic SQL | Default | Default | Release |
Injection | SQL Injection - MsSQL | Default | Default | Release |
Injection | SQL Injection - MySQL | Default | Default | Release |
Injection | SQL Injection - Oracle | Default | Default | Release |
Injection | SQL Injection - PostgreSQL | Default | Default | Release |
Injection | SQL Injection - SQLite | Default | Default | Release |
Injection | XML External Entity Attack | Default | Default | Release |
Injection | XPath Injection | Default | Default | Release |
Injection | XSLT Injection | Default | Default | Release |
Miscellaneous | External Redirect | Default | Default | Release |
Miscellaneous | Generic Padding Oracle | Default | Default | Release |
Miscellaneous | GET for POST | Default | Default | Release |
Miscellaneous | Log4Shell | Default | Default | Release |
Miscellaneous | Script Active Scan Rules | Default | Default | Release |
Miscellaneous | SOAP Action Spoofing | Default | Default | Beta |
Miscellaneous | SOAP XML Injection | Default | Default | Beta |
Server Security | Path Traversal | Default | Default | Release |
Server Security | Remote File Inclusion | Default | Default | Release |
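The policy table above lists the rules by category and by release status (Release or Beta). The script below is an added example (not openIMIS project code) of a CI gate that consumes a ZAP scan report, maps each alert back to the category and status in that table, and fails the build only on High-risk alerts from Release rules, while Beta rules produce warnings. The report shape (a top-level `site` list whose entries carry `alerts` with `alert`, `riskcode`, `confidence` and `instances`) is my understanding of ZAP's traditional JSON report and is an assumption; the sample report is constructed inline and the gate policy is a choice made here, not something the page prescribes.

```python
"""DAST gate over a ZAP JSON report (added example, not openIMIS code).

Assumptions: the report layout described in the lead-in, and the gate rule
"High risk from a Release rule fails, High risk from a Beta rule warns".
Alerts are matched by rule name because the policy table lists names, not IDs.
"""
import json
import sys
from collections import Counter

# Rule name -> (category, status), transcribed from the policy table above.
# Extend with further rows from the table as needed.
POLICY_RULES = {
    "Cross Site Scripting (DOM Based)": ("Client Browser", "Release"),
    "Directory Browsing": ("Information Gathering", "Release"),
    "Spring Actuator Information Leak": ("Information Gathering", "Release"),
    "SQL Injection": ("Injection", "Release"),
    "Cross Site Scripting (Reflected)": ("Injection", "Release"),
    "Remote OS Command Injection": ("Injection", "Release"),
    "External Redirect": ("Miscellaneous", "Release"),
    "SOAP Action Spoofing": ("Miscellaneous", "Beta"),
    "SOAP XML Injection": ("Miscellaneous", "Beta"),
    "Path Traversal": ("Server Security", "Release"),
}

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def iter_alerts(report):
    """Yield (site name, alert) for every alert under every scanned site."""
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            yield site.get("@name", "?"), alert


def classify(alert):
    """Map an alert to (category, status, risk); unlisted rules fall back to 'Unlisted'."""
    category, status = POLICY_RULES.get(alert.get("alert", ""), ("Unlisted", "Unknown"))
    risk = RISK_NAMES.get(str(alert.get("riskcode", "0")), "Informational")
    return category, status, risk


def evaluate_report(report, fail_risk="High"):
    """Summarise the report and decide whether the DAST stage should fail the build."""
    fail_code = int({name: code for code, name in RISK_NAMES.items()}[fail_risk])
    by_risk, by_category = Counter(), Counter()
    failures, warnings = [], []
    for site, alert in iter_alerts(report):
        category, status, risk = classify(alert)
        by_risk[risk] += 1
        by_category[category] += 1
        if int(alert.get("riskcode", "0")) >= fail_code:
            entry = {"site": site, "rule": alert.get("alert"), "risk": risk,
                     "status": status, "instances": len(alert.get("instances", []))}
            # Only Beta rules are downgraded to warnings; unlisted rules are
            # treated like Release rules so an unknown High alert still fails.
            (warnings if status == "Beta" else failures).append(entry)
    return {"passed": not failures, "failures": failures, "warnings": warnings,
            "by_risk": dict(by_risk), "by_category": dict(by_category)}


# Constructed sample report against a placeholder staging host.
SAMPLE_REPORT = {
    "@version": "2.x-constructed",
    "site": [{
        "@name": "https://staging.example.invalid",
        "alerts": [
            {"alert": "SQL Injection", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://staging.example.invalid/api/items?id=1",
                            "method": "GET", "param": "id"}]},
            {"alert": "SOAP Action Spoofing", "riskcode": "3", "confidence": "1",
             "instances": [{"uri": "https://staging.example.invalid/soap", "method": "POST"}]},
            {"alert": "Directory Browsing", "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "https://staging.example.invalid/static/"},
                           {"uri": "https://staging.example.invalid/uploads/"}]},
            {"alert": "Constructed Unlisted Rule", "riskcode": "1", "confidence": "1",
             "instances": []},
        ],
    }],
}


if __name__ == "__main__":
    # Usage: python zap_gate.py [report.json]; without an argument the sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    result = evaluate_report(report)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

Keying on the rule name rather than the plugin id keeps the gate aligned with the policy table as it is maintained on this page; the `by_category` summary gives reviewers the same breakdown (Injection, Information Gathering, and so on) the table uses.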
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/