Snyk is an open source scanning tool. Today's post is a walkthrough on how to set up Snyk with your Jenkins pipeline. It's a fairly short post, and we will divide the setup into three sections: configure Snyk from the portal, set up Jenkins, and finally perform the scan.


Configure Snyk

Set the API key

Obtain the organisation ID and API key for your Snyk installation. For the free version, get them from https://snyk.io; for the enterprise version, use your enterprise organisation ID and API key.


Performing authenticated application vulnerability scanning can get quite complex for modern applications or APIs. The problem gets worse if you want to integrate the scan with your CI/CD pipeline, and even commercial vulnerability scanners struggle with it. Over the years the OWASP ZAP community has done an excellent job of extending ZAP's features and functionality. I must admit ZAP has a steep learning curve, but once you get over that hurdle you will love it. One of the best features of ZAP is its scripting capability: you can write your own scripts in Python, JavaScript, Zest or Ruby. In this post we will explore how to handle complex authentication using this scripting functionality. …


You are reading this post because you probably came across OAuth and OpenID Connect at some point, tried to make sense of them and couldn't. Don't worry, we have all been there. I am not an expert in OAuth or OpenID Connect either, so feel free to correct me. I have tried to explain the concepts in plain English so you don't need prior knowledge of the protocol to follow the post. After reading it I hope some of the concepts will be a little clearer to you.

The best way to learn a new technology is by implementing it, which is also the difficult way. Hence in this blog we will implement a "Hello World" OpenID Connect setup, and by doing so we will learn how it works under the hood.
It's important to know how the technology works before we try to find security issues relating to it. Hence in the first part of the post we will go through the OpenID Connect and OAuth concepts and set up a demo environment. In the second part of the post we will go through the threat model.
If you are already familiar with OAuth and OpenID Connect you can jump to the second part of the post here. …


Welcome to the second part of the post, which focuses on the threat modeling section. If you missed the first part, where we went through the basic OpenID Connect and OAuth 2.0 flow, please visit the link here. It's important to understand the basics before going through the threat model.

I used the OWASP threat modeling tool Threat Dragon to visualize the data flow. If you want to find out how to get started with OWASP Threat Dragon, visit http://docs.threatdragon.org/. It's simple, so even if you don't have prior experience with the tool you should be able to follow the post. …


Continuous integration and continuous deployment can become a continuous pain for security folks. But it doesn't have to be that way. Integrating security into your CI/CD pipeline can improve your security posture tremendously, and the best part is that security folks don't need to do any additional work. Why Anchore Engine? It's open source, has good coverage and integrates with CI tools.

This post covers setting up the Anchore Engine container, integrating Anchore Engine with Jenkins via its plugin, and finally pushing clean Docker images to Docker Hub. …

About

Tanvir Ahmed

Cyber mercenary | Sydney |https://www.linkedin.com/in/tanvirahmed11/
