A case for Source Code Security Posture management:
Koala Spotlight
State of affairs: Source-code security and its importance
The software supply chain starts with the codebase and the code repositories. Securing the codebase involves source-code review with SAST tools and securing the source-code management (SCM) systems themselves, such as GitHub and Bitbucket.
While doing research for KoalaLab we found two broad problems here:
- Alert fatigue from SAST tools that do code scanning, secret scanning and dependency vulnerability alerting.
- Source-code management itself is largely overlooked, with common misconfigurations such as unmanaged deploy keys, missing CODEOWNERS files and underuse of branch and pull request protection.
These are real problems that have led to serious incidents, such as Microsoft's source-code leak and the 3 million USD crypto loss at SushiSwap's MISO platform due to a lack of branch protection.
Source-code repositories are also the gateway to CI pipelines, and they house the workflow code that runs in those pipelines, so securing them is paramount for CI/CD security as well. The OWASP Top 10 CI/CD Security Risks covers similar ground: access controls for the SCM, repository configuration, and the safe use of third-party code and secrets in build environments.
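To make the three misconfiguration classes above concrete, here is an added posture check in Python. It is example code written for this post, not KoalaLab or Pinny code. The input dictionaries are modelled on the shape of GitHub's REST API responses for branch protection (`GET /repos/{owner}/{repo}/branches/{branch}/protection`) and deploy keys (`GET /repos/{owner}/{repo}/keys`); that shape, the 90-day rotation threshold and the two sample repositories are assumptions constructed for illustration, not data from real repositories.

```python
"""SCM posture checks: branch protection, deploy keys and CODEOWNERS.

Added example, not KoalaLab or Pinny code. Input shapes are modelled on
GitHub's REST API responses (an assumption about shape; no API client is
used here). Thresholds and sample repositories are constructed.
"""
from datetime import datetime, timezone
from typing import List, Optional

MAX_DEPLOY_KEY_AGE_DAYS = 90                       # assumed rotation policy
CODEOWNERS_PATHS = ("CODEOWNERS", ".github/CODEOWNERS", "docs/CODEOWNERS")


def check_branch_protection(protection: Optional[dict]) -> List[str]:
    """Findings for the default branch. `protection` is None when the branch
    has no rule at all (the API answers 404 in that case)."""
    if protection is None:
        return ["default branch has no branch protection rule"]
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull request reviews are not required")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append("no approving review required before merge")
        if not reviews.get("require_code_owner_reviews", False):
            findings.append("code owner review is not required")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("approvals survive new commits (stale reviews kept)")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("administrators can bypass the rule")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes to the default branch are allowed")
    if not protection.get("required_status_checks", {}).get("contexts"):
        findings.append("no required status checks, so CI can be skipped")
    return findings


def check_deploy_keys(keys: List[dict], now: datetime) -> List[str]:
    """Flag writable or stale deploy keys; 'unmanaged' usually means both."""
    findings = []
    for key in keys:
        label = key.get("title") or "key %s" % key.get("id")
        if not key.get("read_only", False):
            findings.append("deploy key '%s' has write access" % label)
        created = datetime.fromisoformat(key["created_at"].replace("Z", "+00:00"))
        age_days = (now - created).days
        if age_days > MAX_DEPLOY_KEY_AGE_DAYS:
            findings.append("deploy key '%s' is %d days old" % (label, age_days))
    return findings


def check_codeowners(tree_paths: List[str]) -> List[str]:
    """GitHub reads CODEOWNERS from the repo root, .github/ or docs/."""
    if any(p in CODEOWNERS_PATHS for p in tree_paths):
        return []
    return ["no CODEOWNERS file, so code-owner review cannot be enforced"]


def audit_repo(repo: dict, now: datetime) -> List[str]:
    """Combine the three checks into one findings list for a repository."""
    return (check_branch_protection(repo.get("protection"))
            + check_deploy_keys(repo.get("deploy_keys", []), now)
            + check_codeowners(repo.get("tree", [])))


# Constructed sample data, not real repositories. Fixed clock for determinism.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

WEAK_REPO = {
    "name": "acme/payments",
    "protection": None,                              # nothing on main
    "deploy_keys": [
        {"id": 1, "title": "legacy-ci", "read_only": False,
         "created_at": "2023-01-15T00:00:00Z"},
    ],
    "tree": ["README.md", ".github/workflows/ci.yml"],
}

HARDENED_REPO = {
    "name": "acme/payments",
    "protection": {
        "required_pull_request_reviews": {
            "required_approving_review_count": 1,
            "require_code_owner_reviews": True,
            "dismiss_stale_reviews": True,
        },
        "enforce_admins": {"enabled": True},
        "allow_force_pushes": {"enabled": False},
        "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    },
    "deploy_keys": [
        {"id": 2, "title": "readonly-mirror", "read_only": True,
         "created_at": "2024-04-01T00:00:00Z"},
    ],
    "tree": ["README.md", ".github/CODEOWNERS", ".github/workflows/ci.yml"],
}

if __name__ == "__main__":
    for repo in (WEAK_REPO, HARDENED_REPO):
        print(repo["name"], audit_repo(repo, NOW) or ["no findings"])
```

Each check returns findings rather than a pass/fail so that the output can be fed to whatever alerting a team already has; the weak repository yields four findings (no protection rule, a writable and stale deploy key, and a missing CODEOWNERS file) while the hardened one yields none.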

Pinny is open source; check it out on GitHub. We will soon add a video tutorial to help developers see how easy Pinny is to use. Let us know on GitHub what else we can do to improve Pinny and help you follow secure-by-design principles.