The SAST and the furious
Introduction to using SAST and DAST scanners and adding a safety blanket to your pipeline/software development life cycle to catch common issues and CVEs.
This will review tools such as Semgrep for PHP source code and Trivy for third-party dependencies (Composer and NPM) and for the operating-system packages installed on the host box or container image.
This is an introductory talk about these tools and how they benefit developers and teams: they catch common issues such as CSRF, XSS and SQL injection in a project without requiring the developer to have cybersecurity knowledge.
I'll cover the concepts of SAST and DAST and how they benefit software security. I'll review the tools available, both open-source and paid solutions. The demo will use two free solutions, the aforementioned Semgrep and Trivy.
Once I've reviewed these tools and their benefits, I will discuss how to integrate them into your pipelines. I'll also discuss GitLab integration specifically, since GitHub has actions you can click to install, whereas GitLab is all YAML and requires additional hand-holding.
From there, I'll cover passing the results into a dashboard so that findings can be tracked by the team, managers, security teams and owners, and so that security results can be shared with customers, business partners or internal teams.
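As an added illustration of the GitLab YAML integration and the report hand-off described above (example configuration, not from the talk or from either project), a minimal `.gitlab-ci.yml` that runs Semgrep on the PHP sources and Trivy on the lockfiles and the built image, fails the job on findings, and publishes the Semgrep output as a GitLab SAST report. The image names, the `IMAGE_TAG` variable and the job names are assumptions.

```yaml
# Added example (not from the talk): GitLab CI jobs for Semgrep and Trivy.
# Assumed: the container image was built earlier in the pipeline and pushed
# to the project registry under $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA.
stages:
  - test

semgrep-php:
  stage: test
  image: semgrep/semgrep:latest        # assumed official image name
  script:
    # p/php is Semgrep's public PHP ruleset (XSS, SQLi, CSRF patterns etc.).
    # --error makes the job fail when findings exist; --gitlab-sast writes
    # the findings in the format GitLab's Vulnerability Report understands.
    - semgrep scan --config p/php --error --gitlab-sast --output gl-sast-report.json .
  artifacts:
    when: always                        # upload the report even when the job fails
    reports:
      sast: gl-sast-report.json         # surfaces findings in the MR and security dashboard

trivy-dependencies:
  stage: test
  image:
    name: aquasec/trivy:latest          # assumed official image name
    entrypoint: [""]                    # run our own shell instead of the image's entrypoint
  script:
    # Scan composer.lock / package-lock.json for known CVEs; block the
    # pipeline only on HIGH and CRITICAL so teams are not drowned in noise.
    - trivy fs --scanners vuln --severity HIGH,CRITICAL --exit-code 1 .

trivy-image:
  stage: test
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  variables:
    IMAGE_TAG: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"   # assumed tag of the built image
    TRIVY_USERNAME: "$CI_REGISTRY_USER"                    # registry credentials provided by GitLab CI
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
  script:
    # Scan the OS packages (apk/deb) inside the built image; --ignore-unfixed
    # skips CVEs with no vendor fix yet, since nobody can act on those today.
    - trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 "$IMAGE_TAG"
```

Start with `--exit-code 0` on both Trivy jobs when first adopting this in an existing project, then raise the bar once the backlog of findings has been triaged.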
While this isn't specifically for TYPO3, it is about PHP security and infrastructure-related security, since installing random Composer packages and downloading random APK packages could put applications at risk. This could, in effect, have a knock-on effect of TYPO3 being considered "insecure" when, in reality, the cause was someone downloading a risky package.