
A case for Source Code Security Posture management:
Koala Spotlight

State of affairs: source code security & its importance


The software supply chain starts with the codebase and the code repositories. Securing the codebase involves source-code review through SAST tools and securing the source-code management systems themselves, such as GitHub and Bitbucket.

While doing research for KoalaLab we realised there are two broad problems here:

  • Alert fatigue from SAST tools that do code scanning, secret scanning and dependency vulnerability alerting

  • Source-code management is completely overlooked, with many misconfigurations such as unmanaged deploy keys, missing CODEOWNERS files and underuse of branch and PR protection.

These are real problems that have led to serious incidents, such as Microsoft’s source code leak and SushiSwap MISO’s 3MM USD crypto loss due to lack of branch protection.

Source-code repositories also act as the gateway to CI pipelines and house the workflow code that runs in them, so securing them is paramount for CI/CD security too. The OWASP Top 10 CI/CD covers similar aspects: access controls to the SCM, repository configuration, and safe use of third-party code and secrets in build environments.

[animation: pinny-actions.gif]

Pinny is open source; check it out on GitHub. We will soon be adding a video tutorial to help developers understand how easy it is to use Pinny. Let us know on GitHub what else we can do to improve Pinny and help you follow secure-by-design principles.

Introducing

(Open Source) Hash-pinning for OSS Dependencies

Hash-pin your Docker and third-party GitHub Action dependencies with ease.
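To make the pinning rule concrete, here is an added example (not Pinny's own code) of the audit check a hash-pinning tool has to perform: it flags workflow `uses:` references that are not full commit SHAs (or, for `docker://` actions, image digests) and Dockerfile `FROM` images that are pulled without a sha256 digest. The workflow and Dockerfile inputs are constructed samples, and the SHA and digest in them are placeholders.

```python
import re

# Constructed samples; the SHA and the digest below are placeholders, not real values.
WORKFLOW = f"""jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@{'f' * 40}  # v5 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""
DOCKERFILE = f"""FROM golang:1.22 AS build
FROM alpine:3.19@sha256:{'0' * 64}
COPY --from=build /out/app /app
FROM build AS test
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full commit SHA: cannot be moved later
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # image digest: content-addressed
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)

def unpinned_actions(workflow_text):
    """(line_no, ref) for each external action step not pinned to a SHA or digest."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("./"):
            continue  # not a step, or a local action with nothing external to pin
        ref = m.group(1)
        if ref.startswith("docker://"):
            pinned = DIGEST_RE.search(ref) is not None                # container action
        else:
            pinned = SHA_RE.match(ref.partition("@")[2]) is not None  # GitHub action
        if not pinned:
            findings.append((n, ref))
    return findings

def unpinned_images(dockerfile_text):
    """(line_no, image) for each FROM that pulls an image without a sha256 digest."""
    findings, stages = [], set()
    for n, line in enumerate(dockerfile_text.splitlines(), 1):
        if m := FROM_RE.match(line):
            image, alias = m.group(1), m.group(2)
            # 'scratch' and earlier build stages are not pulled from a registry
            if image.lower() not in stages | {"scratch"} and not DIGEST_RE.search(image):
                findings.append((n, image))
            if alias:
                stages.add(alias.lower())
    return findings
```

Run against the samples, `unpinned_actions(WORKFLOW)` reports the `actions/checkout@v4` tag and the digest-less `docker://alpine:3.19`, and `unpinned_images(DOCKERFILE)` reports only `golang:1.22`; the digest-pinned base and the `FROM build` stage reference pass.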
