Vulnerability Scanner

# Vulnerability Scanner > Think like an attacker, defend like an expert. 2025 threat landscape awareness. ## ? Runtime Scripts **Execute for automated validation:** | Script | Purpose | Usage | |--------|---------|-------| | `scripts/security_scan.py` | Validate security principles applied | `python scripts/security_scan.py ` | ## ? Reference Files | File | Purpose | |------|---------| | [checklists.md](checklists.md) | OWASP Top 10, Auth, API, Data protection checklists | --- ## 1. Security Expert Mindset ### Core Principles | Principle | Application | |-----------|-------------| | **Assume Breach** | Design as if attacker already inside | | **Zero Trust** | Never trust, always verify | | **Defense in Depth** | Multiple layers, no single point | | **Least Privilege** | Minimum required access only | | **Fail Secure** | On error, deny access | ### Threat Modeling Questions Before scanning, ask: 1. What are we protecting? (Assets) 2. Who would attack? (Threat actors) 3. How would they attack? (Attack vectors) 4. What's the impact? (Business risk) --- ## 2. OWASP Top 10:2025 ### Risk Categories | Rank | Category | Think About | |------|----------|-------------| | **A01** | Broken Access Control | Who can access what? IDOR, SSRF | | **A02** | Security Misconfiguration | Defaults, headers, exposed services | | **A03** | Software Supply Chain ? | Dependencies, CI/CD, build integrity | | **A04** | Cryptographic Failures | Weak crypto, exposed secrets | | **A05** | Injection | User input → system commands | | **A06** | Insecure Design | Flawed architecture | | **A07** | Authentication Failures | Session, credential management | | **A08** | Integrity Failures | Unsigned updates, tampered data | | **A09** | Logging & Alerting | Blind spots, no monitoring | | **A10** | Exceptional Conditions ? | Error handling, fail-open states | ### 2025 Key Changes ``` 2021 → 2025 Shifts: ├── SSRF merged into A01 (Access Control) ├── A02 elevated (Cloud/Container configs) ├── A03 NEW: Supply Chain (major focus) ├── A10 NEW: Exceptional Conditions └── Focus shift: Root causes > Symptoms ``` --- ## 3. Supply Chain Security (A03) ### Attack Surface | Vector | Risk | Question to Ask | |--------|------|-----------------| | **Dependencies** | Malicious packages | Do we audit new deps? | | **Lock files** | Integrity attacks | Are they committed? | | **Build pipeline** | CI/CD compromise | Who can modify? | | **Registry** | Typosquatting | Verified sources? | ### Defense Principles - Verify package integrity (checksums) - Pin versions, audit updates - Use private registries for critical deps - Sign and verify artifacts --- ## 4. Attack Surface Mapping ### What to Map | Category | Elements | |----------|----------| | **Entry Points** | APIs, forms, file uploads | | **Data Flows** | Input → Process → Output | | **Trust Boundaries** | Where auth/authz checked | | **Assets** | Secrets, PII, business data | ### Prioritization Matrix ``` Risk = Likelihood × Impact High Impact + High Likelihood → CRITICAL High Impact + Low Likelihood → HIGH Low Impact + High Likelihood → MEDIUM Low Impact + Low Likelihood → LOW ``` --- ## 5. Risk Prioritization ### CVSS + Context | Factor | Weight | Question | |--------|--------|----------| | **CVSS Score** | Base severity | How severe is the vuln? | | **EPSS Score** | Exploit likelihood | Is it being exploited? | | **Asset Value** | Business context | What's at risk? | | **Exposure** | Attack surface | Internet-facing? | ### Prioritization Decision Tree ``` Is it actively exploited (EPSS >0.5)? ├── YES → CRITICAL: Immediate action └── NO → Check CVSS ├── CVSS ≥9.0 → HIGH ├── CVSS 7.0-8.9 → Consider asset value └── CVSS **Remember:** Vulnerability scanning finds issues. Expert thinking prioritizes what matters. Always ask: "What would an attacker do with this?"