Last Week: Supply Chain Security Project: Primer
Next Week: The Best Games for learning Cyber Security 🎮
This Week: Supply Chain Security Project 📦 ⚔️
Important: To follow along with the project, you should take a look at this first: Supply Chain Security Project: Primer
As much as I enjoy playing around with tools like Nmap or Hydra, or covering the basics of AWS networking, those topics tend to appeal more to beginners. They feel very Mr Robot. But I promise you, they won't help you stand out. I may revisit them in the future, but my main goal here is to give you real value and actually move the needle on getting into this industry.
The Context
This week we're going deeper. Learning something like Software Composition Analysis (SCA) will do far more for you.
There are two aspects to SCA: licensing/compliance and security. We're not going to talk about licensing here; it's a whole different kettle of fish, and one I'm still learning myself. We are going to talk about security though.
SCA from a security point of view really means three things:
Detecting known vulnerabilities (CVEs) in dependencies.
Highlighting outdated libraries or packages with poor security posture.
Sometimes flagging risky or abandoned projects (not every tool does this).
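To make those three jobs concrete, here is a toy scanner that does all of them against a pinned Python requirements file. This is an added example, not code from the post and not part of Damn-vulnerable-sca: the advisory records (the DEMO-… identifiers are not real CVEs), the registry metadata, the package names, the requirements file and the fixed "today" date are all constructed for illustration. A real tool pulls the advisory data from feeds such as the NVD and the release metadata from the package registry.

```python
"""Toy SCA scanner covering the three security jobs of SCA: known-vulnerable
versions, outdated versions, and abandoned packages.

Added example, not code from the post or from Damn-vulnerable-sca.  The
advisory records, registry metadata, requirements file and 'today' date are
all constructed for illustration; the DEMO-* identifiers are not real CVEs."""
from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple:
    """'2.31.0' -> (2, 31, 0).  Comparing tuples of ints avoids the classic
    mistake of comparing version strings lexically ('2.4' > '2.31')."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    id: str          # constructed identifier, not a real CVE
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)
    severity: str


# Constructed advisory database (stands in for NVD / vendor feeds).
ADVISORIES = (
    Advisory("DEMO-2023-0001", "demo-http", "2.0.0", "2.31.0", "HIGH"),
    Advisory("DEMO-2024-0002", "demo-yaml", "0.0.0", "5.4.0", "CRITICAL"),
)

# Constructed registry metadata: latest release and date of the last release.
REGISTRY = {
    "demo-http": {"latest": "2.31.0", "last_release": date(2024, 5, 1)},
    "demo-yaml": {"latest": "6.0.1", "last_release": date(2023, 7, 18)},
    "demo-legacy-parser": {"latest": "0.9.2", "last_release": date(2018, 2, 3)},
}

# Constructed requirements file for the demo.
SAMPLE_REQUIREMENTS = """\
# pinned dependencies (constructed)
demo-http==2.25.1
demo-yaml==6.0.1
demo-legacy-parser==0.9.2
"""
TODAY = date(2025, 1, 15)  # fixed so the abandonment check is deterministic


def parse_requirements(text: str) -> dict:
    """Parse 'name==version' lines into {name: version}, skipping comments
    and blank lines.  Only exact pins are accepted: SCA needs the resolved
    version, which is why you scan the lockfile rather than a loose spec."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency, cannot assess: {line}")
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (numeric comparison)."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def scan(deps: dict, today: date, abandoned_after_days: int = 730) -> list:
    """Return (package, kind, detail) findings for vulnerable, outdated and
    abandoned dependencies.  'abandoned' here means no release in two years,
    a crude but common heuristic."""
    findings = []
    for name, version in deps.items():
        for adv in ADVISORIES:
            if adv.package == name and is_affected(version, adv):
                findings.append((name, "vulnerable",
                                 f"{adv.id} [{adv.severity}] fixed in {adv.fixed}"))
        meta = REGISTRY.get(name)
        if meta is None:
            findings.append((name, "unknown", "no registry metadata"))
            continue
        if parse_version(version) < parse_version(meta["latest"]):
            findings.append((name, "outdated", f"latest is {meta['latest']}"))
        if (today - meta["last_release"]).days > abandoned_after_days:
            findings.append((name, "abandoned",
                             f"last release {meta['last_release'].isoformat()}"))
    return findings


def should_fail_build(findings: list) -> bool:
    """CI gate: fail on any known-vulnerable dependency; outdated and
    abandoned findings are reported but do not block the build."""
    return any(kind == "vulnerable" for _, kind, _ in findings)


if __name__ == "__main__":
    results = scan(parse_requirements(SAMPLE_REQUIREMENTS), TODAY)
    for pkg, kind, detail in results:
        print(f"{kind:<10} {pkg:<20} {detail}")
    raise SystemExit(1 if should_fail_build(results) else 0)
```

Run it and the sample file produces a vulnerable and an outdated finding for demo-http and an abandoned finding for demo-legacy-parser, then exits non-zero because of the vulnerable one. Two details matter more than the size of the database: versions are compared numerically (2.4.0 is inside the 2.0.0 to 2.31.0 range even though the string "2.4.0" sorts after "2.31.0"), and unpinned specs are rejected rather than silently skipped, because a dependency you cannot resolve is one you cannot assess.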
Before we start, let’s ask: what makes a good SCA tool?
Auto-fix capability (opening PRs that bump vulnerable dependencies). You won't always want this, to be fair, but it's nice to have.
Maintaining their own vulnerability database rather than relying only on the NVD.
Making the findings actually contextual to your project (for example, whether the vulnerable code is reachable from yours, or whether the package is only used in tests).
Whether developers actually like using them (a tool nobody runs finds nothing).
Does it support the languages, package managers, and frameworks you actually use?
How easily does it plug into your pipelines (GitHub Actions, GitLab CI, Jenkins, etc)?
Is it fast enough to run as part of daily builds without slowing everything down?
Does it give clear, actionable reports rather than just dumping a long list of CVEs?
The Project
Step One
Start by cloning the Damn-vulnerable-sca repo locally, and then:
Subscribe to Cyber Notes to keep reading this post and get 7 days of free access to the full post archives.