Source Code Security - HackerOne BugBounty Meetup


A Presentation by Rohit Kumar (@rohitcoder)

Source Code Security Like a Pro - SAST, DAST, IAST, RASP, SCA, Reachability Analysis, EPSS, AST, CST, CFG, DFG, CPG & Hela Tool
By - Rohit Kumar (@rohitcoder)

Who am I

● Top 20 Security Researcher at Meta Bug Bounty for the last 5 years
● Maintaining some open-source projects like Hawk-Eye and Hela
● Participated in some Live Hacking Events by Meta
● I code in Rust, Python, JavaScript, Scala, Java, whatever you can think of
● Source Code Security, Supply Chain Security & Web Security
● Product Security Engineer @ Groww




Shift Left vs Shift Right

Image Source: Dynatrace



What’s SAST and how does it work?


Static Application Security Testing (SAST) looks for weaknesses in custom code (code written by your own team/developers) without running it.

Image Source: Xebia



What’s DAST and how does it work?


Dynamic Application Security Testing (DAST) performs automated attacks on running applications to test them for weaknesses.

Image Source: Xebia



What’s IAST and how does it work?


Interactive Application Security Testing (IAST) combines DAST capabilities with SAST insights, instrumenting the running application to see which code the tests actually exercise.

Image Source: DZone



CVSS vs EPSS, which one to use?


Let’s use both: CVSS scores how bad a vulnerability is, EPSS estimates how likely it is to be exploited.

What’s RASP and how does it work?


Runtime Application Self-Protection (RASP) is built into a program to protect it after deployment.
It is capable of detecting and preventing external threats in real time.

Image Source: DZone



What’s SCA and how does it work?


Software Composition Analysis (SCA) tools identify all open-source packages in an application and all the known vulnerabilities of those packages. This knowledge can be used to notify developers of the issues in their code so they can fix them before they are exploited.

Image Source: DZone



What’s Reachability analysis?


Reachability analysis in SCA checks if vulnerable functions in third-party libraries are invoked by your application, helping prioritize real security risks.
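As an added example (not from the presentation, and not Hela's code), the following Python script ties together the SCA, CVSS/EPSS and reachability slides: it matches pinned dependencies against an advisory feed, walks the application's AST to see whether the vulnerable function is actually called, and ranks findings by CVSS × EPSS. Every package, advisory, score and the 10x discount for unreachable code is constructed for the demonstration, not a real vulnerability record.

```python
"""Added example (not from the presentation, and not Hela's code): a minimal
SCA pass with reachability analysis and CVSS/EPSS prioritisation. Every
advisory, score, package and function name here is constructed."""
import ast
from dataclasses import dataclass


@dataclass
class Advisory:
    package: str
    fixed_in: str       # versions strictly below this are affected
    vuln_symbol: str    # dotted "module.function" that carries the flaw
    cvss: float         # constructed severity score
    epss: float         # constructed exploitation probability


# Constructed advisory feed (hypothetical packages and functions).
ADVISORIES = [
    Advisory("yamlkit", "2.0.0", "yamlkit.unsafe_load", 9.8, 0.91),
    Advisory("imgtool", "1.5.0", "imgtool.render_svg", 8.1, 0.02),
    Advisory("leftpad", "0.3.0", "leftpad.pad", 5.3, 0.01),
]

# Constructed pinned requirements and application source.
REQUIREMENTS = """\
yamlkit==1.4.2
imgtool==1.2.0
leftpad==0.2.0
requests==2.31.0
"""
APP_SOURCE = """\
import yamlkit
from imgtool import render_svg as draw

def load(cfg):
    return yamlkit.unsafe_load(cfg)

def thumb(data):
    return draw(data)
"""


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text):
    """'name==version' lines -> {name: version}; anything else is skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "==" in line:
            name, version = line.split("==", 1)
            deps[name.strip().lower()] = version.strip()
    return deps


def vulnerable_deps(deps, advisories):
    # Plain SCA: pinned packages that fall inside an advisory's affected range.
    return [a for a in advisories if a.package in deps
            and parse_version(deps[a.package]) < parse_version(a.fixed_in)]


def _dotted(node):
    # 'a.b.c' for a Name/Attribute chain, else None.
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def called_symbols(source):
    """Reachability: qualified names of every function the code calls, with
    'import x as y' and 'from m import f as g' aliases resolved."""
    tree = ast.parse(source)
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    calls = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            dotted = _dotted(node.func)
            if dotted:
                head, _, rest = dotted.partition(".")
                base = aliases.get(head, head)
                calls.add(f"{base}.{rest}" if rest else base)
    return calls


def prioritize(requirements, source, advisories):
    """Rank affected packages by CVSS (impact) x EPSS (likelihood); a vulnerable
    function the application never calls gets a constructed 10x discount."""
    calls = called_symbols(source)
    ranked = []
    for adv in vulnerable_deps(parse_requirements(requirements), advisories):
        reachable = adv.vuln_symbol in calls
        score = adv.cvss * adv.epss * (1.0 if reachable else 0.1)
        ranked.append((adv.package, reachable, round(score, 3)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)
```

Calling `prioritize(REQUIREMENTS, APP_SOURCE, ADVISORIES)` puts the reachable, high-EPSS `yamlkit` issue first and the unreachable `leftpad` issue last; the unreachable finding is discounted rather than dropped because a call-graph walk of this kind misses reflection, dynamic imports and transitive calls inside the library itself.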

Image Source: Myrror Security



Source Code Representation - AST


AST (Abstract Syntax Tree): Represents the syntactic structure of the code, with formatting details such as whitespace and punctuation tokens dropped.

Image Source: ResearchGate



Source Code Representation - CST


CST (Concrete Syntax Tree): Represents the full syntactic structure of the code,
including all tokens, closely reflecting the actual source code.

Source Code Representation - CFG


CFG (Control Flow Graph): Represents the flow of control between statements or instructions.

Image Source: ResearchGate



Source Code Representation - DFG


DFG (Data Flow Graph): Represents how data values flow through the code.

Source Code Representation - CPG


CPG (Code Property Graph): Combines AST, CST, CFG, and DFG into one graph for a comprehensive view of code properties, so a query can ask structural, control-flow and data-flow questions at once.
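As an added example (not from the presentation, and not Hela's code), here is a tiny intra-procedural taint tracker written over Python's own `ast` module. It shows the AST and DFG slides in practice: the AST gives the structure of each statement, and a small data-flow rule carries "tainted" facts from sources through assignments, concatenation and f-strings to sinks, with sanitizers clearing the taint. The source, sink and sanitizer lists and the sample program are constructed for the demonstration.

```python
"""Added example (not from the presentation, and not Hela's code): a tiny
intra-procedural taint tracker over Python's AST, showing how a SAST engine
pairs the AST (what the code is) with a data-flow view (where a value travels)
to decide whether attacker-controlled data reaches a dangerous call.
The source/sink/sanitiser lists and the sample program are constructed."""
import ast

SOURCES = {"input", "request.args.get"}            # calls returning attacker data
SINKS = {"os.system", "eval", "subprocess.call"}   # calls that must not receive it
SANITIZERS = {"shlex.quote", "int"}                # calls that neutralise the taint


def dotted(node):
    """'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding tainted data
        self.findings = []     # (sink name, line number) pairs

    def is_tainted(self, node):
        """Data-flow rule for one expression: does attacker data reach it?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):          # "prefix " + user_value
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):      # f-string embedding user_value
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        # Taint moves from the right-hand side to each plain target name;
        # assigning a clean value clears the taint (kills the fact).
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((name, node.lineno))
        self.generic_visit(node)


def find_taint_flows(source):
    """Return [(sink, line)] for every sink call that receives tainted data."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


# Constructed sample program; the line numbers are what the tracker reports.
SAMPLE = """\
import os, shlex

def run_report(request):
    name = request.args.get("name")
    cmd = "report --user " + name
    os.system(cmd)

    safe = shlex.quote(name)
    os.system("report --user " + safe)

    count = int(request.args.get("n"))
    eval(f"range({count})")

    os.system(input("file: "))
"""
```

`find_taint_flows(SAMPLE)` reports the `os.system` calls on lines 6 and 14 and stays silent on lines 9 and 12, where `shlex.quote` and `int` break the flow. The tracker is deliberately flow-insensitive within a function (no branches, no loops, no calls between functions); a real engine adds the CFG so that a taint killed on one branch is not treated as killed on the other, which is exactly why the CPG combines all of these views.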

But, what’s Hela?

Hela is a fully open-source tool built in Rust that integrates Semgrep, OSV-Scanner, and TruffleHog to perform SAST, SCA, and secret scanning in a single run. It adds features like scanning PRs instead of the entire codebase, YAML-based declarative rules to fail pipeline builds, a dashboard UI using DefectDojo, and a server mode that improves scan times by 77%.
https://github.com/rohitcoder/hela
Hela: God of Death, but here a source code security tool :)

How does Hela work?



How to run a scan?


1. Pull Docker image => docker pull rohitcoder/hela
2. Run Scan => docker run rohitcoder/hela:latest --code-path https://<PAT>@github.com/<ORG>/<REPO> --sast --sca --secret

How to Declare YAML Hela Policy?

What features does Hela support?

1. Full Repo, Branch & PR Scan (including all commits)
2. Built on top of Git - supports GitHub, BitBucket, CodeCommit, etc.
3. SAST, SCA, SECRET, Licence Compliance
4. Pushes results to DefectDojo and can be integrated with any Vulnerability Management tool; Hela outputs reports in SARIF format.
5. Supports Slack notifications and maintains a DB to reduce noise from repeated alerts for the same finding
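As an added example (not from the presentation, and not Hela's code), the following Python script shows the idea behind item 5: a scanner that keeps a findings database between runs can compute a stable fingerprint for each SARIF result and notify only on results it has not seen before. The SARIF-shaped results, rule ids, file paths and snippets are constructed, and the store is in-memory rather than a real database.

```python
"""Added example (not from the presentation, and not Hela's code): suppressing
repeat alerts across scans with a stable fingerprint, the idea behind keeping
a findings database between pipeline runs. The SARIF-shaped results, rule ids,
paths and snippets are constructed; the store is in-memory."""
import hashlib


def fingerprint(result):
    """Identity of a finding: rule id, file and the offending text. The line
    number is left out on purpose so edits above a finding do not make it
    look like a new alert."""
    loc = result["locations"][0]["physicalLocation"]
    snippet = loc["region"].get("snippet", {}).get("text", "")
    key = "|".join([result["ruleId"], loc["artifactLocation"]["uri"], snippet.strip()])
    return hashlib.sha256(key.encode()).hexdigest()


class AlertStore:
    """Stand-in for the database a CI scanner keeps between runs."""
    def __init__(self):
        self.seen = {}

    def new_results(self, sarif):
        """Record every result and return only the ones not seen before."""
        fresh = []
        for run in sarif["runs"]:
            for result in run["results"]:
                fp = fingerprint(result)
                if fp not in self.seen:
                    self.seen[fp] = result
                    fresh.append(result)
        return fresh


def make_result(rule, uri, line, snippet):
    """Build one SARIF 2.1.0 'result' object with a physical location."""
    return {"ruleId": rule, "level": "error", "message": {"text": f"{rule} in {uri}"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line, "snippet": {"text": snippet}}}}]}


def sarif_log(results):
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "demo-scanner"}}, "results": results}]}


# Run 1: two findings. Run 2: the first finding moved three lines down after an
# unrelated edit, the second is unchanged, and one genuinely new finding appears.
RUN_1 = sarif_log([
    make_result("python.os-system-taint", "app/report.py", 6, "os.system(cmd)"),
    make_result("generic.hardcoded-secret", "config/settings.py", 12, 'API_KEY = "<placeholder>"'),
])
RUN_2 = sarif_log([
    make_result("python.os-system-taint", "app/report.py", 9, "os.system(cmd)"),
    make_result("generic.hardcoded-secret", "config/settings.py", 12, 'API_KEY = "<placeholder>"'),
    make_result("python.eval", "app/util.py", 3, "eval(expr)"),
])


def demo():
    """Returns (alerts raised on run 1, rule ids newly alerted on run 2)."""
    store = AlertStore()
    first = store.new_results(RUN_1)
    second = store.new_results(RUN_2)
    return len(first), [r["ruleId"] for r in second]
```

`demo()` returns two alerts for the first run and only `python.eval` for the second, because the moved `os.system(cmd)` finding hashes to the same fingerprint. SARIF 2.1.0 has a `partialFingerprints` property on each result for exactly this purpose, so a real pipeline can store whatever the scanner emits there instead of recomputing its own hash.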

For more, check the Hela repo

https://github.com/rohitcoder/hela

Q&A Time!

Thanks!
