Update the README
kmcquade committed Jul 7, 2024
1 parent 7be8e9d commit 8ec4f7a
Showing 1 changed file with 11 additions and 3 deletions.
14 changes: 11 additions & 3 deletions README.md
Expand Up @@ -13,11 +13,13 @@ The findings are also **not** discoverable through other Dynamic Application Sec

# Motivation

**Why did I create this?** Unfortunately, the security industry has been heavily focused on "known vulnerabilities" that are not exploitable - whether that's CVEs or cloud misconfigurations. This isn't the fault of engineers or founders in those industries - it's a narrative and culture that's pushed by VCs and vendors with big marketing budgets. As a result, we're fed a cyclical narrative that known vulnerabilities in third party or OSS software are the only things that matter. This is not true.
**Why did I create this?** Unfortunately, the security industry has been heavily focused on "known vulnerabilities" that are not exploitable - whether that's CVEs or cloud misconfigurations. This isn't the fault of engineers or founders in those industries - it's a narrative and culture that's pushed by VCs and vendors with big marketing budgets. As a result, many people in the industry are left thinking that known vulnerabilities in third party or OSS software are the only things that matter. This is not true.

The Application Security industry as a subset is also heavily focused on SAST - which is known to generate a ton of noise. Over 99% of SAST findings do not result in an exploitable security vulnerability. _This is not to say that SAST is not useful_ - it is. But it's not the only thing that matters.
The Application Security industry as a subset is also heavily focused on SAST - which is known to generate a ton of noise. Over 99% of SAST findings do not result in an exploitable security vulnerability. And many times, like in this Broken Flask app, many SAST tools don't even find the vulnerability because it's a game of writing rules in whack-a-mole fashion. _This is not to say that SAST is not useful_ - it is. But it's not the only thing that matters.

_The only thing that matters is **exploitability**_. If a tree falls in a forest and no one is around to hear it, does it make a sound? If a 3rd party package or SAST finding exists in your codebase, and it's not exploitable, does it matter? **No**. It doesn't.
_The **only** thing that matters is **exploitability**_. If a 3rd party package or SAST finding exists in your codebase, and it's not exploitable, does it matter? **No**. It doesn't.

If you don't get anything else out of what I have to say here, it's this - I hope

# Getting Started

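Review bot: The "Over 99% of SAST findings do not result in an exploitable security vulnerability" figure in the reworded SAST paragraph still has no citation, so the rewrite sharpens the rhetoric without supporting the number; either link a source or soften it to a qualitative claim ("the overwhelming majority of SAST findings"). Separately, the unchanged context line right after the exploitability paragraph still ends mid-sentence ("If you don't get anything else out of what I have to say here, it's this - I hope"), which is worth finishing in this same Motivation pass since the new text now leads straight into it.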
Expand Down Expand Up @@ -69,6 +71,8 @@ make snyk

### DAST Scans

#### NightVision

* If you have access to [NightVision](https://www.nightvision.net), you can run a DAST scan in a few minutes:

```bash
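Review bot: The new "#### NightVision" subsection is inconsistent with the "#### ZAP" subsection added later in this commit, which opens with a one-sentence description of the tool before its bullet; NightVision gets only the bullet ("If you have access to [NightVision](https://www.nightvision.net), you can run a DAST scan in a few minutes"). Add a matching one-liner stating what NightVision is and that access to it is required, so readers scanning the DAST Scans headings get the same information for both tools.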
Expand All @@ -95,6 +99,10 @@ nightvision scan --target broken-flask-local

NightVision **will** discover SQL Injection in the application.

#### ZAP

ZAP, formerly known as OWASP ZAP, is a free and open-source web application and API security scanner.

* Run this command to perform a scan with ZAP (DAST):

```bash
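Review bot: The new ZAP subsection does not state the expected outcome, while the NightVision subsection directly above says "NightVision **will** discover SQL Injection in the application" and the README's intro context line says the findings are "**not** discoverable through other Dynamic Application Sec[urity]" tools. Add the corresponding sentence after the ZAP command (e.g. whether ZAP is expected to report the SQL injection or not) so the two DAST sections read symmetrically and the reader knows what result to compare against.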
