From YouTube: Security trends in GitLab hosted projects - April 2020
Description
https://about.gitlab.com/blog/2020/04/02/security-trends-in-gitlab-hosted-projects/
Top security risks include using components with known vulnerabilities, XSS, lack of secret management, lack of CSP, CSRF, and SQLi
Hi, my name is Wayne Haber. I'm a Director of Engineering of Defend at GitLab, and I want to give you a quick overview of the Security Trends in GitLab Hosted Projects blog post. So GitLab is unique in that we have a solution for the entire DevSecOps lifecycle, and we host thousands of different projects. This allows us to compute trends and vulnerabilities across many different factors. So the vulnerability scanning solutions include static analysis, dynamic analysis, dependency scanning, container scanning and secret detection.
The top vulnerabilities that were found were components with known vulnerabilities, cross-site scripting, lack of secrets management, content security protection or lack thereof, cross-site request forgery and SQL injection. We've seen the trends change over time. For example, overall we've seen projects using vulnerability scanning increasing about 160 percent over the last six months. For the vulnerabilities of specific types, so the first one, scanned projects using components with known vulnerabilities: it's the top thing we've seen, in about half of the projects scanned, and it's been relatively stable over the last six months.
Key things to do here are to make sure that, during the build process, you're pulling the latest packages and their dependencies and recursive dependencies into your builds, and also scanning, and making sure that you're using containers from known reputable sources and that have appropriately minimal levels of vulnerabilities in them. Next is cross-site scripting. Cross-site scripting is the number two vulnerability type that we find, in about 20% of projects, and it's increased a little bit over the last six months.
Key things on cross-site scripting are to sanitize input data. Make sure your developers also understand that it's not just about the data that can come in directly to the web application through the web browser, but also that attacks can come in as stored cross-site scripting, where the attack is sent to something that stores the data, for example in a database or other data store, and then it's displayed in the web application later.
That is a non-obvious way, sometimes, that these attacks can be successful. The other is that many developers believe that an internal application is not a concern for cross-site scripting, because an attacker won't know the structure of the internal application. That could be an unfortunate assumption if the attacker does know, or can or does learn, the structure of the internal application.
The application can be vulnerable as well. Next, lack of secret management was number three. It was seen in about 20% of projects that were scanned, and it's been relatively the same over the last six months. Key things on secret management are to make sure developers understand why storing secrets in repositories, intentionally or unintentionally, isn't advisable, and giving them good tools to store and provide secrets in your environment.
Next is content security protection, or the lack thereof. We've seen that, actually, this vulnerability has increased quite a bit over the last six months. It was in about 8% of projects. The best practice on content security protection is educating your developers on it and setting up an environment so that they can take advantage of it. Content security protection is a little bit different than many other protection mechanisms.
Cross-site request forgery was in about 6% of projects, and it's decreased a bit over the last six months. Key things on cross-site request forgery are to really use the built-in frameworks for CSRF (cross-site request forgery) protection that many frameworks have. And lastly, in terms of the types, SQL injection has decreased a little bit over the last six months, seen in about 6% of projects as well. Key things on SQL injection are to sanitize input and use parameterised database queries wherever possible.
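The stored cross-site scripting path and the parameterised-query advice above, as an added example that is not part of the original talk or of GitLab's own code: a comment store on an in-memory SQLite table, showing the string-built INSERT and raw rendering next to the bound-parameter INSERT and output escaping. The sample comment and all function names are constructed for this illustration.

```python
import html
import sqlite3

# Constructed sample input: what a visitor might submit through a comment form.
# It carries both a SQL-breaking quote and an HTML script tag.
SAMPLE_COMMENT = "Nice post! <script>alert('stored xss')</script> it's great"


def new_store() -> sqlite3.Connection:
    """In-memory comment table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def save_comment_unsafe(conn: sqlite3.Connection, body: str) -> None:
    """'Before' version: the value is spliced into the SQL text itself."""
    conn.execute(f"INSERT INTO comments (body) VALUES ('{body}')")


def save_comment(conn: sqlite3.Connection, body: str) -> None:
    """Hardened version: the value travels as a bound parameter, never as SQL."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))


def render_unsafe(conn: sqlite3.Connection) -> str:
    """'Before' version: stored bodies are inlined into the page untouched,
    so a saved <script> tag runs for every later visitor (stored XSS)."""
    rows = conn.execute("SELECT body FROM comments ORDER BY id").fetchall()
    return "".join(f"<li>{body}</li>" for (body,) in rows)


def render(conn: sqlite3.Connection) -> str:
    """Hardened version: escape at output time, where the data meets HTML."""
    rows = conn.execute("SELECT body FROM comments ORDER BY id").fetchall()
    return "".join(f"<li>{html.escape(body, quote=True)}</li>" for (body,) in rows)


def unsafe_insert_fails(body: str) -> bool:
    """True when the string-built INSERT is broken by a quote in the input."""
    conn = new_store()
    try:
        save_comment_unsafe(conn, body)
    except sqlite3.Error:
        return True
    return False


def stored_raw_html(body: str) -> str:
    """Store safely but render without escaping: the stored XSS path."""
    conn = new_store()
    save_comment(conn, body)
    return render_unsafe(conn)


def safe_round_trip(body: str) -> str:
    """Store with a bound parameter, then render with output escaping."""
    conn = new_store()
    save_comment(conn, body)
    return render(conn)
```

Note that the escaping happens on output rather than on input, so the database keeps the original text and a later template cannot silently undo a one-time input sanitization.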
So we hope you find this report to be useful to you. You know, making sure you're educating developers on the top security risks, and designing for security and automating security as far left as possible, is really key for your organization. Doing this will not only improve the security of your applications, but will also improve productivity and morale for your development teams. If you have feedback on this report, things you'd like to see improved or considered for the next one, please do provide that feedback in this public issue. We've left it open to everyone.