We sync weekly on Wednesday. See our sync doc
See strategy page
@code-security-tiger-team on Slack
sourcegraph/code-security-tiger-team on GitHub
If you are interested in the space but don’t know where to start, here are a few items to put on your reading list:
- The log4j vulnerability, and how Sourcegraph helped
- Blogs from well-known companies in the application security space provide good perspectives, for example (non-exhaustive list!) Snyk’s, Veracode’s, and Sonatype’s.
- Software supply chain is a key area of interest:
We try not to use acronyms at Sourcegraph, but there are a lot of them in security. Here’s a list that could be useful to Sourcegraphers new to the field:
- NTIA: National Telecommunications and Information Administration. A US agency that advises the President on telecommunications and information policy and contributes to developing frameworks and standards, including the early work defining the minimum elements of an SBOM.
- OWASP: The Open Web Application Security Project (now the Open Worldwide Application Security Project). A nonprofit foundation that works to improve the security of software, best known for the OWASP Top 10.
- SBOM: Software Bill of Materials. A machine-readable inventory of the components, and their versions, that make up a piece of software. The two most common SBOM formats are SPDX (a Linux Foundation project, standardized as ISO/IEC 5962) and CycloneDX (developed by OWASP).
- SLSA: Supply-chain Levels for Software Artifacts, pronounced “salsa”. A security framework and set of standards for improving software supply chain integrity, organized as levels of increasing assurance about how an artifact was built and where it came from.
- SCA: Software Composition Analysis. An automated process that identifies the dependencies of a piece of software (typically from a manifest, lockfile or SBOM) and checks them against databases of known vulnerabilities such as the NVD.
- SAST: Static Application Security Testing. SAST tools analyze the application’s source code (or bytecode) for potential vulnerabilities based on a set of predefined rules, without running the application. Some SAST tools also suggest fixes.
- DAST: Dynamic Application Security Testing. DAST tools interact with the running application to identify vulnerabilities by sending attack inputs and observing the responses, without having access to the source code.
- NVD: National Vulnerability Database. A repository of published vulnerabilities (CVEs) maintained by the US government (NIST), which enriches each entry with severity scores and affected-product metadata.
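To make the SBOM and SCA entries concrete, here is a miniature SCA pass over a CycloneDX SBOM. This is an added example written for this page; it is not Sourcegraph code and not the output of any real tool. The SBOM document and its component list are constructed (the field names follow the real CycloneDX JSON schema), and the advisory list contains only the log4j-core range for CVE-2021-44228, simplified to a single “introduced/fixed” interval; the function and variable names are this example’s own.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX (JSON) SBOM for a hypothetical Java service.
# The field names (bomFormat, specVersion, components[].type/name/version/purl)
# follow the real CycloneDX schema; the component list itself is made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    ],
})

# Constructed advisory list in the shape an SCA tool would build from the NVD.
# The single entry is Log4Shell (CVE-2021-44228): log4j-core from 2.0 up to,
# but not including, 2.15.0. The range is simplified for the example; the
# real advisory also covers 2.0-beta9 pre-releases and has separate
# backported fixes on older release branches.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "CVE-2021-44228",
     "purl_base": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
]


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions can be ordered.

    Only the leading numeric dotted parts are compared; a suffix such as
    '-beta9' is dropped, so pre-release ordering is not modelled here.
    """
    parts: List[int] = []
    for piece in version.split("-", 1)[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, str]:
    """Split a package URL into (base without version, version).

    purl grammar: pkg:type/namespace/name@version?qualifiers#subpath.
    Qualifiers and subpath are stripped before the version is read.
    """
    core = purl.split("#", 1)[0].split("?", 1)[0]
    base, sep, version = core.partition("@")
    if not sep:
        raise ValueError(f"purl has no version component: {purl}")
    return base, version


def parse_cyclonedx(text: str) -> List[Dict[str, str]]:
    """Parse a CycloneDX JSON document and return its components.

    Each returned dict has 'purl', 'base' and 'version' keys. Components
    without a purl are skipped, since there is nothing to match on.
    """
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components: List[Dict[str, str]] = []
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        base, version = split_purl(purl)
        components.append({"purl": purl, "base": base, "version": version})
    return components


def find_vulnerable(components: List[Dict[str, str]],
                    advisories: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (purl, advisory id) for every component inside an affected range."""
    findings: List[Tuple[str, str]] = []
    for comp in components:
        v = version_key(comp["version"])
        for adv in advisories:
            if comp["base"] != adv["purl_base"]:
                continue
            # Half-open interval: introduced <= version < fixed.
            if version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
                findings.append((comp["purl"], adv["id"]))
    return findings


def scan(sbom_text: str,
         advisories: List[Dict[str, str]] = ADVISORIES) -> List[Tuple[str, str]]:
    """SCA in miniature: parse the SBOM, then match its components to advisories."""
    return find_vulnerable(parse_cyclonedx(sbom_text), advisories)


if __name__ == "__main__":
    for purl, adv_id in scan(SAMPLE_SBOM):
        print(f"{adv_id}: {purl}")
```

Running the script flags only the 2.14.1 copy of log4j-core; the 2.17.1 copy sits outside the affected range and jackson-databind has no matching advisory. Real SCA tools differ from this sketch mainly in the inputs: they consume lockfiles and manifests as well as SBOMs, pull ranges from the NVD and vendor feeds rather than a hard-coded list, and compare versions with ecosystem-aware rules (Maven, npm and Go each order pre-releases differently).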