vulnerability-scanner

Vulnerability Scanner

> Think like an attacker, defend like an expert. 2025 threat landscape awareness.

🔧 Runtime Scripts

Execute for automated validation:

| Script | Purpose | Usage |

|--------|---------|-------|

| scripts/security_scan.py | Validate security principles applied | python scripts/security_scan.py |

📋 Reference Files

| File | Purpose |

|------|---------|

| [checklists.md](checklists.md) | OWASP Top 10, Auth, API, Data protection checklists |

---

1. Security Expert Mindset

Core Principles

| Principle | Application |

|-----------|-------------|

| Assume Breach | Design as if attacker already inside |

| Zero Trust | Never trust, always verify |

| Defense in Depth | Multiple layers, no single point |

| Least Privilege | Minimum required access only |

| Fail Secure | On error, deny access |

Threat Modeling Questions

Before scanning, ask:

---

2. OWASP Top 10:2025

Risk Categories

| Rank | Category | Think About |

|------|----------|-------------|

| A01 | Broken Access Control | Who can access what? IDOR, SSRF |

| A02 | Security Misconfiguration | Defaults, headers, exposed services |

| A03 | Software Supply Chain 🆕 | Dependencies, CI/CD, build integrity |

| A04 | Cryptographic Failures | Weak crypto, exposed secrets |

| A05 | Injection | User input → system commands |

| A06 | Insecure Design | Flawed architecture |

| A07 | Authentication Failures | Session, credential management |

| A08 | Integrity Failures | Unsigned updates, tampered data |

| A09 | Logging & Alerting | Blind spots, no monitoring |

| A10 | Exceptional Conditions 🆕 | Error handling, fail-open states |

2025 Key Changes

2021 → 2025 Shifts:
├── SSRF merged into A01 (Access Control)
├── A02 elevated (Cloud/Container configs)
├── A03 NEW: Supply Chain (major focus)
├── A10 NEW: Exceptional Conditions
└── Focus shift: Root causes > Symptoms

---

3. Supply Chain Security (A03)

Attack Surface

| Vector | Risk | Question to Ask |

|--------|------|-----------------|

| Dependencies | Malicious packages | Do we audit new deps? |

| Lock files | Integrity attacks | Are they committed? |

| Build pipeline | CI/CD compromise | Who can modify? |

| Registry | Typosquatting | Verified sources? |

Defense Principles

---

4. Attack Surface Mapping

What to Map

| Category | Elements |

|----------|----------|

| Entry Points | APIs, forms, file uploads |

| Data Flows | Input → Process → Output |

| Trust Boundaries | Where auth/authz checked |

| Assets | Secrets, PII, business data |

Prioritization Matrix

Risk = Likelihood × Impact

High Impact + High Likelihood → CRITICAL
High Impact + Low Likelihood  → HIGH
Low Impact + High Likelihood  → MEDIUM
Low Impact + Low Likelihood   → LOW

---

5. Risk Prioritization

CVSS + Context

| Factor | Weight | Question |

|--------|--------|----------|

| CVSS Score | Base severity | How severe is the vuln? |

| EPSS Score | Exploit likelihood | Is it being exploited? |

| Asset Value | Business context | What's at risk? |

| Exposure | Attack surface | Internet-facing? |

Prioritization Decision Tree

Is it actively exploited (EPSS >0.5)?
├── YES → CRITICAL: Immediate action
└── NO → Check CVSS
         ├── CVSS ≥9.0 → HIGH
         ├── CVSS 7.0-8.9 → Consider asset value
         └── CVSS <7.0 → Schedule for later

---

6. Exceptional Conditions (A10 - New)

Fail-Open vs Fail-Closed

| Scenario | Fail-Open (BAD) | Fail-Closed (GOOD) |

|----------|-----------------|---------------------|

| Auth error | Allow access | Deny access |

| Parsing fails | Accept input | Reject input |

| Timeout | Retry forever | Limit + abort |

What to Check

---

7. Scanning Methodology

Phase-Based Approach

1. RECONNAISSANCE
   └── Understand the target
       ├── Technology stack
       ├── Entry points
       └── Data flows

2. DISCOVERY
   └── Identify potential issues
       ├── Configuration review
       ├── Dependency analysis
       └── Code pattern search

3. ANALYSIS
   └── Validate and prioritize
       ├── False positive elimination
       ├── Risk scoring
       └── Attack chain mapping

4. REPORTING
   └── Actionable findings
       ├── Clear reproduction steps
       ├── Business impact
       └── Remediation guidance

---

8. Code Pattern Analysis

High-Risk Patterns

| Pattern | Risk | Look For |

|---------|------|----------|

| String concat in queries | Injection | "SELECT * FROM " + user_input |

| Dynamic code execution | RCE | eval(), exec(), Function() |

| Unsafe deserialization | RCE | pickle.loads(), unserialize() |

| Path manipulation | Traversal | User input in file paths |

| Disabled security | Various | verify=False, --insecure |

Secret Patterns

| Type | Indicators |

|------|-----------|

| API Keys | api_key, apikey, high entropy |

| Tokens | token, bearer, jwt |

| Credentials | password, secret, key |

| Cloud | AWS_, AZURE_, GCP_ prefixes |

---

9. Cloud Security Considerations

Shared Responsibility

| Layer | You Own | Provider Owns |

|-------|---------|---------------|

| Data | ✅ | ❌ |

| Application | ✅ | ❌ |

| OS/Runtime | Depends | Depends |

| Infrastructure | ❌ | ✅ |

Cloud-Specific Checks

---

10. Anti-Patterns

| ❌ Don't | ✅ Do |

|----------|-------|

| Scan without understanding | Map attack surface first |

| Alert on every CVE | Prioritize by exploitability + asset |

| Ignore false positives | Maintain verified baseline |

| Fix symptoms only | Address root causes |

| Scan once before deploy | Continuous scanning |

| Trust third-party deps blindly | Verify integrity, audit code |

---

11. Reporting Principles

Finding Structure

Each finding should answer:

Severity Classification

| Severity | Criteria |

|----------|----------|

| Critical | RCE, auth bypass, mass data exposure |

| High | Data exposure, privilege escalation |

| Medium | Limited scope, requires conditions |

| Low | Informational, best practice |

---

> Remember: Vulnerability scanning finds issues. Expert thinking prioritizes what matters. Always ask: "What would an attacker do with this?"