Should you outsource product security maturity modeling to a third party? On a recent episode of the Future of Application Security podcast, FullStory’s VP of Product Security and Compliance, Mark Stanislav, shared his views.
Spooky TLS scared all of us last week, but today we came to find out that it may have been overblown: it was downgraded from CRITICAL to HIGH, primarily because RCE is not exploitable under most circumstances. If you are still looking to identify and remediate assets running 3.x, we are here for you.
This is part three of our GitHub series, in which we have covered GitHub and Application Security and GitHub Dependabot, and now turn to GitHub CodeQL. Following this blog, we will cover GitHub Secret Scanner. Two additional blogs that might be helpful are How GitHub Uses Dependabot and What are Software Dependencies. Let’s dive into CodeQL!
Dependabot is an awesome dependency monitoring tool that helps keep dependencies up to date. In real time, it checks dependency files for outdated requirements and opens an individual pull request (PR) for each one it finds. Users can then review and merge the PRs and get to work on the latest, most secure releases.
When users check in an insecure dependency, or a new vulnerability is discovered in an existing dependency, Dependabot notifies them with security alerts for the vulnerable dependencies. Additionally, Dependabot Alerts and Dependabot Security Updates watch the National Vulnerability Database and other sources for vulnerabilities in open source packages. If Dependabot finds a vulnerability in a package the project uses, it sends an alert. If it can suggest a fix, it also opens a PR that updates the dependency manifest to the closest non-vulnerable version.