Coding Secure Software: What Developers Keep Getting Wrong - Code Red: Ep.3
Aug 6, 2025
Join us for the next episode of 'Code Red' as the host, Dr. Naveen Sharma, discusses 'Coding Secure Software: What Developers Keep Getting Wrong'. AGENDA ✅ Ethical hacking vs. black-hat hacking: What's the difference? ✅ How do bug bounty hunters make money legally by hacking? ✅ Live talk: Biggest hacks in history and lessons learned. ✅ Audience Q&A: Can I become an ethical hacker without a degree? 📺 CSharp TV - Dev Streaming Destination http://csharp.tv 🌎 C# Corner - Community of Software and Data Developers https://www.csharp.com #CSharpTV #CSharpCorner #CSharp #CodeRed #CyberSecurity
0:52
Good morning. In another episode of Code Red, how are you guys? Hope you are secure. In the last episode you learned about cyber security and how we cover different aspects. Today this session is specially for developers, but not restricted to developers, because everyone should be aware of the cyber security loopholes or gaps in their application, whether they are developing these applications or they are using them. So, without further chitchat, let's get into this.

1:37
So are you aware that we develop applications by using some source code? We develop some code, we get inspired by some code, and additionally we consume some open source libraries in our code. So more than 80% of modern applications use these open source libraries. So when they use these libraries, how do we make sure that these libraries are kept updated? Because as a developer, when a fresh graduate comes out of, you know, a university and gets a job, he's all about "I will develop this component, that function" and whatnot. But the whole software development life cycle is a big game, and no one talks about it, no one teaches them what basically the good secure development practices are and how they should maintain the software versions. Now with CI/CD and the knowledge of DevOps, DevOps people are getting aware, like they are becoming aware of how to maintain the code, different versions of it: if it doesn't work, fix it in your local repo and then publish it.

3:08
So I'm not going to teach you how to code. I'm just exploring the area with you, like what could be the different security gaps. So you might have heard about the OWASP Top 10; if not, then that is the next week, we will cover the OWASP Top 10 in the next few weeks. So OWASP is an organization, and they have listed down what the top 10 vulnerabilities in the web applications we face today are, which actually result in data breaches. So any of the penetration testers or, you know, software security tools, if they use the very bare minimum setting, they check for the top 10 vulnerabilities, the OWASP Top 10 or the SANS Top 25. So SANS is another organization which has like the top 25 vulnerabilities listed. So the tools, you go into the normal general configuration and they can scan against these vulnerabilities which are well defined, but then there is more to that.

4:32
So when an application becomes vulnerable: you followed the secure development guideline, you are keeping control on that, you did everything correct, but the moment you release the application into production, or maybe from the test environment to, you know, staging and production, what happens in between? Some cyber security researcher or some bad guy across the planet might be doing reverse engineering on this piece of code, or all the code you have imported into your source code as open source code. And it's very easy, like very practical: if I cannot get into, you know, your home because you have so many measures, then I will see what the most common lock types people deploy are, so I will just break that lock. So it's similar to that. When security researchers or malicious guys are able to break some widely used open source library, they find some bug in it, they find some vulnerabilities, or they can manipulate data, expose the data, and do lots of stuff using that vulnerability. Then, if this guy, the bad actor, keeps this information with them, it's called a zero day, because the vulnerability is known now, but to a very small set of people, and it is not released for the public purview so that people or OEMs or other companies can, you know, secure their infrastructure from that vulnerability.
6:43
So this zero day is like a hot topic across the dark web, across the security community, because first and foremost, when we talk about cyber security, it's running some sort of software, and the software is running, importing some sort of these libraries, which in a way is like equal to having a common lock. Companies, they just have to, you know, it's easier to pick these locks, standard locks.

7:10
In earlier days, like 20, 25, 30 years back, we used to have a list of all the devices which were there. People were using routers, network switches, and firewalls were very few at that moment, but in general corporate it was like even the system BIOS passwords and whatnot, Oracle databases. So we used to have these, you know, PDF files or Word files or Excel files which had all the default user IDs and default passwords for those systems. So it was way easier to get into the BIOS because we knew what the OEM keeps as the default. Like for example, Oracle database, I don't know if it's still valid, there was an inbuilt user "scott" and the password was "tiger"; the Oracle user had the password "oracle". So similarly for BIOS, the password was like 000000 or something like that; there were lots of combinations. There was a Microsoft product key: if you put all 1s (11111...), it would let you work on the system. So there were lots of bypasses, and generally these bypasses are created at the development stage to frequently test the systems, or developers create their standard keys. Similarly it happens with credit cards: there are some test credit card numbers you can use to test your payments.

8:57
Now, coming to why I'm setting this context: any software which is running is not pure-play software; you must be importing some code or functions or some other libraries into it, and those libraries basically get attacked more easily than your own code. And because you now have a weak point in that library which has a zero day attack possible on it, and it's not visible, like who will tell you that this library is broken now? So basically, for any vulnerability which is found, there is a disclosure, which is like, you know, you have to do a disclosure that this exposure has happened or this code has this vulnerability. So all the OEMs have to disclose that and create a patch according to that immediately, or in the meantime, while the patch is not available, they need to tell their consumers or the public at large that this system is exploitable and these are the measures you can take to, you know, secure it. So the OEMs or the software vendors are supposed to be on edge all the time, and this is a very hot and, you know, turbulent time at this moment, and that is why cyber security is a hot topic.
10:34
So let's come back to the code. So for example, this vulnerability is found; what happens? So every country, or there are some databases that different people maintain, and they exchange these databases. This is called the CVE database: Common Vulnerabilities and Exposures. So what happens, this CVE is a random unique number assigned to that vulnerability. There are four letters within the, you know, reference point which represent the year, like the same code can be exposed to different vulnerabilities, the same library can be exposed to different vulnerabilities, so you can see the year, like which year this vulnerability was available, and then what the number of that vulnerability which is impacted is. And at times it happens that this library is impacted in certain environments only, not impacted at large, like in every environment. So again that becomes a key, you know, testing area to keep testing.

11:46
Now, when I said that the moment you took your application from maybe the development environment to production, you did everything right, but because the library is now vulnerable, a zero day is available for that library, your code is vulnerable. So it doesn't matter the number of times you have checked it; maybe you used, there are like SonarQube or some other, Snyk, or some other methods where you test it for security as well, but their CVE database is not updated, so they cannot test it beyond that. So as I said, at the first level any security scanner will do the OWASP Top 10 or SANS Top 25 or, you know, some other specific vulnerabilities like Log4Shell or similar.

12:56
So what happened, these vulnerabilities are now in these open source repositories on GitHub; because there are lots of people working on it, committing, you never know when one digit or one function which they added, or one, you know, hyphen, dot, comma, semicolon edit, made this whole code vulnerable or breaking. So in open-source format it's difficult to find, but it's difficult if a series of people out of this public are just focusing on the security of that code, and generally that is the case. But still there are people who leave malicious code inside this, and it is, you know, after a few days, weeks or months when this gets exposed and it is found that this has happened, and this has so many ramifications.
14:06
Now, how do you make sure that your application is secure? So what are the kinds of tests we run? So first is the DAST scanner, the Dynamic Application Security Test scanner. So what DAST does is it checks your compiled application, like when it's running on a web server or in another environment, so it's ready to serve the consumers. So then this scanning is the best because it does lots of scans: SQL injection, cross-site scripting, and cross-site origin or something; there are lots of scans which can be conducted. The most common, I think, is SQL injection.

14:54
And now as a developer you might be aware of how we secure our code from SQL injection. So it is all about the query. In the old days we used to keep the whole SQL query and receive the parameter directly in the input field, but now we have to break that, so that no one can go into an input field and put a colon, you know, a comma, put some special characters and make it a SQL query, break the SQL query and add its own value in the same input field, so your SQL will treat it as one command is terminated and the other is initiated. So this is a very common type of injection, and then there are lots of things which can go bad even in the exe's at the run level; you inject a lot of
15:59
exe's at the Run level you inject lot of
15:59
exe's at the Run level you inject lot of things you replace the memory um
16:02
things you replace the memory um
16:02
things you replace the memory um characters so memory leakage problem
16:06
characters so memory leakage problem
16:06
characters so memory leakage problem buffer overflow runs there are lots of
16:08
buffer overflow runs there are lots of
16:08
buffer overflow runs there are lots of lots of attacks now coming back
16:11
lots of attacks now coming back
16:11
lots of attacks now coming back to the source code so how do we see that
16:16
to the source code so how do we see that
16:16
to the source code so how do we see that application is compiled it's running
16:18
application is compiled it's running
16:18
application is compiled it's running like it's the responsibility of the
16:20
like it's the responsibility of the
16:20
like it's the responsibility of the people who are responsible to make it
16:23
people who are responsible to make it
16:23
people who are responsible to make it running so they must be scanning it for
16:26
running so they must be scanning it for
16:26
running so they must be scanning it for all the uh possible uh attack scenarios
16:30
all the uh possible uh attack scenarios
16:30
all the uh possible uh attack scenarios but as a developer when the code is
16:33
but as a developer when the code is
16:33
but as a developer when the code is within your laptop within your system
16:35
within your laptop within your system
16:35
within your laptop within your system within your Appo how do you scan it so
16:38
within your Appo how do you scan it so
16:38
within your Appo how do you scan it so we are going to talk about there's a
16:40
we are going to talk about there's a
16:40
we are going to talk about there's a company called easc and they have made
16:43
company called easc and they have made
16:43
company called easc and they have made this wonderful tool called triy so uh
16:47
this wonderful tool called triy so uh
16:47
this wonderful tool called triy so uh triy scans your source code for op
16:52
triy scans your source code for op
16:52
triy scans your source code for op source librar and it gives you a very
16:56
source librar and it gives you a very
16:56
source librar and it gives you a very decent reporting format like how much
17:00
decent reporting format like how much
17:00
decent reporting format like how much how many libraries are vulnerable and
17:02
how many libraries are vulnerable and
17:02
how many libraries are vulnerable and what to do about that we will run it uh
17:05
what to do about that we will run it uh
17:05
what to do about that we will run it uh in few minutes and what triy also does
17:10
in few minutes and what triy also does
17:10
in few minutes and what triy also does is it just not only scans your source
17:13
is it just not only scans your source
17:14
is it just not only scans your source code it can take the lock file of your
17:18
code it can take the lock file of your
17:18
code it can take the lock file of your running application and it can scan it
17:21
running application and it can scan it
17:21
running application and it can scan it uh it has the capability to scan the
17:24
uh it has the capability to scan the
17:24
uh it has the capability to scan the container image uh even a virtual
17:26
container image uh even a virtual
17:26
container image uh even a virtual machine or the file system
17:29
machine or the file system
17:29
machine or the file system wherever the code is available it can it
17:33
wherever the code is available it can it
17:33
wherever the code is available it can it downloads the latest CV database and
17:36
downloads the latest CV database and
17:36
downloads the latest CV database and check the vulnerabilities in all the
17:37
check the vulnerabilities in all the
17:37
check the vulnerabilities in all the files which are like the
17:40
files which are like the
17:40
files which are like the Target so I think it's a wonderful
17:43
Target so I think it's a wonderful
17:43
Target so I think it's a wonderful tool and from today onwards you need to
17:47
tool and from today onwards you need to
17:47
tool and from today onwards you need to start using it whenever you build a code
17:49
start using it whenever you build a code
17:49
start using it whenever you build a code even the smallest possible code so that
17:52
even the smallest possible code so that
17:52
even the smallest possible code so that you contribute to uh uh you know
17:56
you contribute to uh uh you know
17:56
you contribute to uh uh you know building the secure applications I know
17:58
building the secure applications I know
17:58
building the secure applications I know you are a best developer you do
18:01
you are a best developer you do
18:01
you are a best developer you do everything about the safe secure coding
18:03
everything about the safe secure coding
18:03
everything about the safe secure coding practices but checking your code is also
18:08
practices but checking your code is also
18:08
practices but checking your code is also important so this is called SCA software
18:11
important so this is called SCA software
18:11
important so this is called SCA software composition
18:13
composition
18:13
composition analysis um it checks for all the
18:17
analysis um it checks for all the
18:17
analysis um it checks for all the dependencies libraries and then uh tells
18:20
dependencies libraries and then uh tells
18:20
dependencies libraries and then uh tells you if they are vulnerable or not and to
18:23
you if they are vulnerable or not and to
18:23
you if they are vulnerable or not and to check your source code itself as I said
18:26
check your source code itself as I said
18:26
check your source code itself as I said sonar Cube and some sneak and some other
18:31
sonar Cube and some sneak and some other
18:31
sonar Cube and some sneak and some other uh platforms are available the way you
18:33
uh platforms are available the way you
18:33
uh platforms are available the way you code has to be tested as well whether
18:35
code has to be tested as well whether
18:35
code has to be tested as well whether it's a uh safe way of using that method
18:39
it's a uh safe way of using that method
18:39
it's a uh safe way of using that method or function or the call whatever you did
18:42
or function or the call whatever you did
18:42
or function or the call whatever you did in your code so let's uh let me share my
18:46
in your code so let's uh let me share my
18:46
in your code so let's uh let me share my screen and um I have already
18:50
screen and um I have already
18:50
screen and um I have already downloaded the TV and this but if you if
18:55
downloaded the TV and this but if you if
18:55
downloaded the TV and this but if you if you have not uh you just go to tv.
19:02
you have not uh you just go to tv.
19:02
you have not uh you just go to tv. Dev let me share that screen as
19:12
well
19:14
well
19:14
well um so can I share additional one more
19:18
um so can I share additional one more
19:18
um so can I share additional one more screen just
19:44
yeah
19:46
yeah
19:46
yeah so this is triy dodev uh trivy obviously
19:52
so this is triy dodev uh trivy obviously
19:52
so this is triy dodev uh trivy obviously is uh open source project so anyone can
19:56
is uh open source project so anyone can
19:56
is uh open source project so anyone can use it and uh
20:00
use it and uh
20:00
use it and uh basically if you see it says that it is
20:02
basically if you see it says that it is
20:02
basically if you see it says that it is a
20:03
a
20:03
a opsource security scanner which finds
20:06
opsource security scanner which finds
20:06
opsource security scanner which finds the CVS minties and
20:09
the CVS minties and
20:09
the CVS minties and misconfigurations across the code
20:12
misconfigurations across the code
20:12
misconfigurations across the code repositories it can check binary
20:15
repositories it can check binary
20:15
repositories it can check binary artifacts container images clusters and
20:19
artifacts container images clusters and
20:19
artifacts container images clusters and whatnot all in one tool there are
20:21
whatnot all in one tool there are
20:21
whatnot all in one tool there are similar tools available and 3E helps you
20:25
similar tools available and 3E helps you
20:25
similar tools available and 3E helps you build uh sbom which is like software
20:29
build uh sbom which is like software
20:29
build uh sbom which is like software bill of material like what your
20:32
bill of material like what your
20:32
bill of material like what your application contains basically like uh
20:35
application contains basically like uh
20:35
application contains basically like uh we call it bomb bill of material when we
20:38
we call it bomb bill of material when we
20:38
we call it bomb bill of material when we try to order something there's a detail
20:40
try to order something there's a detail
20:40
try to order something there's a detail bomb comes in so it creates your s
20:43
bomb comes in so it creates your s
20:43
bomb comes in so it creates your s bomb and then there are other platforms
20:46
bomb and then there are other platforms
20:46
bomb and then there are other platforms like black Tak and what not
20:49
like black Tak and what not
20:49
like black Tak and what not they uh help you they are like
20:52
they uh help you they are like
20:52
they uh help you they are like commercial tools they help you keep your
20:55
commercial tools they help you keep your
20:55
commercial tools they help you keep your whole code and repositories healthy and
20:58
whole code and repositories healthy and
20:58
whole code and repositories healthy and build healthy uh environment for the
21:01
build healthy uh environment for the
21:01
build healthy uh environment for the applications to run um so you you go to
21:07
applications to run um so you you go to
21:07
applications to run um so you you go to getting started uh if you are on Mac you
21:10
getting started uh if you are on Mac you
21:10
getting started uh if you are on Mac you just say Brew install Tri or you can run
21:14
just say Brew install Tri or you can run
21:14
just say Brew install Tri or you can run directly Docker instance or you can
21:17
directly Docker instance or you can
21:17
directly Docker instance or you can build at your own so it's a fantastic
21:21
build at your own so it's a fantastic
21:21
build at your own so it's a fantastic way and now uh let me go back and share
21:25
way and now uh let me go back and share
21:25
way and now uh let me go back and share my screen where we'll be running
21:29
my screen where we'll be running
21:29
my screen where we'll be running uh this uh application and we'll show
21:34
uh this uh application and we'll show
21:34
uh this uh application and we'll show you how
21:38
to what are the common use case
21:41
to what are the common use case
21:42
to what are the common use case scenarios so we check uh whether triv is
21:47
scenarios so we check uh whether triv is
21:47
scenarios so we check uh whether triv is there so triv is installed already
21:50
there so triv is installed already
21:50
there so triv is installed already although it's a old version but it
21:52
although it's a old version but it
21:52
although it's a old version but it doesn't matter and on this uh machine I
21:57
doesn't matter and on this uh machine I
21:57
doesn't matter and on this uh machine I have some
21:59
have some
21:59
have some um Docker Mage is available so first of
22:02
um Docker Mage is available so first of
22:02
um Docker Mage is available so first of all we will pick one image and we try to
22:07
all we will pick one image and we try to
22:07
all we will pick one image and we try to scan it for um and you can scan from any
22:12
scan it for um and you can scan from any
22:12
scan it for um and you can scan from any directory if it is installed on your uh
22:15
directory if it is installed on your uh
22:15
directory if it is installed on your uh laptop you can call Tri because the tri
22:18
laptop you can call Tri because the tri
22:18
laptop you can call Tri because the tri command worked we checked the version
22:20
command worked we checked the version
22:20
command worked we checked the version and now we see which image we need to
22:24
and now we see which image we need to
22:24
and now we see which image we need to pick so let me hold
22:30
3v and then we
22:35
3v and then we
22:35
3v and then we say let's see
22:38
say let's see
22:38
say let's see the command
22:40
the command
22:40
the command sequences
22:42
sequences
22:42
sequences so there
22:44
so there
22:44
so there are so you there are some commands and
22:49
are so you there are some commands and
22:49
are so you there are some commands and some options available so to check the
22:51
some options available so to check the
22:51
some options available so to check the image you check uh image and the image
22:55
image you check uh image and the image
22:55
image you check uh image and the image name you even if it image is a top R
22:58
name you even if it image is a top R
22:58
name you even if it image is a top R file like archive you can still find the
23:02
file like archive you can still find the
23:02
file like archive you can still find the archive file and scan the image inside
23:04
archive file and scan the image inside
23:04
archive file and scan the image inside it FS is for file system you dot is for
23:07
it FS is for file system you dot is for
23:07
it FS is for file system you dot is for like current directory but you can scan
23:10
like current directory but you can scan
23:10
like current directory but you can scan any directory and then you can run it in
23:14
any directory and then you can run it in
23:14
any directory and then you can run it in server mode and lots of other options
23:18
server mode and lots of other options
23:18
server mode and lots of other options available so but for today we will just
23:23
available so but for today we will just
23:23
available so but for today we will just uh so let's go and see how many images
23:28
uh so let's go and see how many images
23:28
uh so let's go and see how many images we have
23:29
we have
23:29
we have and then we say triy
23:32
and then we say triy
23:32
and then we say triy image
23:34
image
23:34
image um I just have to give image ID so let's
23:38
um I just have to give image ID so let's
23:38
um I just have to give image ID so let's pick this
23:44
one so it it is scanning and it
23:57
says so so there's nothing let's find
24:00
says so so there's nothing let's find
24:00
says so so there's nothing let's find something else uh what about this post
24:15
Christ
24:19
or this
24:25
one so you can give separate options as
24:29
one so you can give separate options as
24:29
one so you can give separate options as well just to scan the vulnerabilities
24:31
well just to scan the vulnerabilities
24:32
well just to scan the vulnerabilities just to scan the high vulnerabilities
24:35
just to scan the high vulnerabilities
24:35
just to scan the high vulnerabilities and just to scan uh you know even it can
24:39
and just to scan uh you know even it can
24:39
and just to scan uh you know even it can scan secret keys by default it is
24:41
scan secret keys by default it is
24:42
scan secret keys by default it is scanning
24:43
scanning
24:43
scanning everything so now you see that we
24:46
everything so now you see that we
24:46
everything so now you see that we scanned one image and you will be
24:48
scanned one image and you will be
24:48
scanned one image and you will be surprised to see when you run it on your
24:50
surprised to see when you run it on your
24:50
surprised to see when you run it on your code or your uh container wherever you
24:53
code or your uh container wherever you
24:53
code or your uh container wherever you are running your uh software which you
24:56
are running your uh software which you
24:56
are running your uh software which you compil today you will be amazing to see
24:59
compil today you will be amazing to see
24:59
compil today you will be amazing to see the findings and this is how the need
25:04
the findings and this is how the need
25:04
the findings and this is how the need for shift
25:07
for shift
25:07
for shift left uh is important that means the uh
25:11
left uh is important that means the uh
25:11
left uh is important that means the uh developers are required to uh you know
25:15
developers are required to uh you know
25:15
developers are required to uh you know build the secured code and just not
25:17
build the secured code and just not
25:17
build the secured code and just not build keep testing the
25:20
build keep testing the
25:20
build keep testing the code so they have picked the
25:25
code so they have picked the
25:25
code so they have picked the vulnerabilities um database and
25:29
vulnerabilities um database and
25:29
vulnerabilities um database and it has uh detected
25:32
it has uh detected
25:32
it has uh detected 184
25:34
184
25:34
184 vulnerabilities
25:36
vulnerabilities
25:36
vulnerabilities so and this first is the library which
25:40
so and this first is the library which
25:41
so and this first is the library which was called second was um the
25:44
was called second was um the
25:45
was called second was um the vulnerability the CV number you see it
25:47
vulnerability the CV number you see it
25:47
vulnerability the CV number you see it was released in
25:48
was released in
25:49
was released in 2011 I'm surprised what is doing in this
25:51
2011 I'm surprised what is doing in this
25:51
2011 I'm surprised what is doing in this container image if it is and severity is
25:56
container image if it is and severity is
25:56
container image if it is and severity is low again but it is
26:00
low again but it is
26:00
low again but it is affected and installed version is
26:06
2.2.4 that all
26:08
2.2.4 that all
26:08
2.2.4 that all version
26:10
version
26:10
version okay it was found that app APD key in
26:14
okay it was found that app APD key in
26:14
okay it was found that app APD key in app all versions do not correctly so
26:17
app all versions do not correctly so
26:17
app all versions do not correctly so this is the URL where you can go and
26:20
this is the URL where you can go and
26:20
this is the URL where you can go and find more about this vulnerability and
26:23
find more about this vulnerability and
26:23
find more about this vulnerability and how to fix it or how to remediate it or
26:26
how to fix it or how to remediate it or
26:26
how to fix it or how to remediate it or how to do temporary measures if no
26:29
how to do temporary measures if no
26:29
how to do temporary measures if no uh you know resolution is available from
26:31
uh you know resolution is available from
26:31
uh you know resolution is available from the OEM now in The Bash um again it's
26:36
the OEM now in The Bash um again it's
26:36
the OEM now in The Bash um again it's very high vulnerability so there are
26:38
very high vulnerability so there are
26:39
very high vulnerability so there are four levels of vulnerabilities which are
26:41
four levels of vulnerabilities which are
26:41
four levels of vulnerabilities which are like critical high medium and low uh low
26:46
like critical high medium and low uh low
26:46
like critical high medium and low uh low are generally informational so we do not
26:49
are generally informational so we do not
26:49
are generally informational so we do not pay much heed but
26:52
pay much heed but
26:52
pay much heed but uh critical high and medium are to be
26:55
uh critical high and medium are to be
26:55
uh critical high and medium are to be addressed
26:57
addressed
26:57
addressed immediately like like critical and high
26:59
immediately like like critical and high
26:59
immediately like like critical and high are like where it can break even within
27:03
are like where it can break even within
27:03
are like where it can break even within minute
27:05
minute
27:05
minute so so you see lots of it and it says
27:09
so so you see lots of it and it says
27:09
so so you see lots of it and it says that
27:11
that
27:11
that uh this was
27:14
uh this was
27:14
uh this was fixed and this was a version and this is
27:17
fixed and this was a version and this is
27:17
fixed and this was a version and this is the version should use similarly um lots
27:22
the version should use similarly um lots
27:22
the version should use similarly um lots of stuff this is the library high and
27:26
of stuff this is the library high and
27:26
of stuff this is the library high and this has like one has lots of uh
27:32
this has like one has lots of uh
27:32
this has like one has lots of uh issues it is for
27:34
issues it is for
27:34
issues it is for ldap so you see this mapping and then it
27:41
ldap so you see this mapping and then it
27:41
ldap so you see this mapping and then it it creates a dependency map and in the
27:44
it creates a dependency map and in the
27:44
it creates a dependency map and in the going forward sessions I'll tell you
27:45
going forward sessions I'll tell you
27:45
going forward sessions I'll tell you more tools like this but um now let's do
27:52
more tools like this but um now let's do
27:52
more tools like this but um now let's do uh quick check again so we run
27:56
uh quick check again so we run
27:56
uh quick check again so we run T FS yes ye so ye is
28:01
T FS yes ye so ye is
28:01
T FS yes ye so ye is the uh
28:03
the uh
28:03
the uh software for cyber security
28:06
software for cyber security
28:06
software for cyber security research so I check
28:09
research so I check
28:09
research so I check yei and this is the example of scanning
28:13
yei and this is the example of scanning
28:13
yei and this is the example of scanning the file system again it has found lots
28:17
the file system again it has found lots
28:17
the file system again it has found lots of vulnerabilities in as well so
28:20
of vulnerabilities in as well so
28:20
of vulnerabilities in as well so jQuery no everyone use Query and then
28:24
jQuery no everyone use Query and then
28:24
jQuery no everyone use Query and then this is uh alarming
28:28
this is uh alarming
28:28
this is uh alarming so in the net shell
28:31
so in the net shell
28:31
so in the net shell what um we are running almost out of
28:34
what um we are running almost out of
28:34
what um we are running almost out of time so
28:35
time so
28:36
time so but uh I wanted to present this because
28:40
but uh I wanted to present this because
28:40
but uh I wanted to present this because you have to build secure code and you
28:44
you have to build secure code and you
28:44
you have to build secure code and you have to test your code before you and
28:47
have to test your code before you and
28:47
have to test your code before you and always keep it testing because you never
28:49
always keep it testing because you never
28:49
always keep it testing because you never know when the new CV is available and
28:52
know when the new CV is available and
28:52
know when the new CV is available and your code has become you know uh uh
28:55
your code has become you know uh uh
28:55
your code has become you know uh uh exploitable and there's no Darth of
28:58
exploitable and there's no Darth of
28:58
exploitable and there's no Darth of bad guys out there who is are
29:01
bad guys out there who is are
29:01
bad guys out there who is are continuously trying to break your
29:04
continuously trying to break your
29:04
continuously trying to break your code whether you are aware of it or you
29:07
code whether you are aware of it or you
29:07
code whether you are aware of it or you not or you just think that I am a
29:10
not or you just think that I am a
29:10
not or you just think that I am a software developer I have a small
29:12
software developer I have a small
29:12
software developer I have a small company I'm just building for this local
29:14
company I'm just building for this local
29:14
company I'm just building for this local customer who will think about it but you
29:17
customer who will think about it but you
29:18
customer who will think about it but you are using
29:19
are using
29:19
are using dependencies and open source libraries
29:22
dependencies and open source libraries
29:22
dependencies and open source libraries then your code is more than
29:26
then your code is more than
29:26
then your code is more than breakable so this was the awareness and
29:29
breakable so this was the awareness and
29:29
breakable so this was the awareness and I think triy will help you keep updated
29:32
I think triy will help you keep updated
29:32
I think triy will help you keep updated uh more for these tools more of these
29:35
uh more for these tools more of these
29:35
uh more for these tools more of these strips and uh tricks and how to pick a
29:39
strips and uh tricks and how to pick a
29:39
strips and uh tricks and how to pick a better cyber security career as I said
29:41
better cyber security career as I said
29:41
better cyber security career as I said in every session C uh and uh cyber
29:46
in every session C uh and uh cyber
29:46
in every session C uh and uh cyber navine we are bringing this cyber
29:48
navine we are bringing this cyber
29:48
navine we are bringing this cyber security
29:49
security
29:49
security holistic uh course where we teach you
29:53
holistic uh course where we teach you
29:53
holistic uh course where we teach you compliance pen testing uh cyber security
29:56
compliance pen testing uh cyber security
29:56
compliance pen testing uh cyber security essentials and and we make you a better
29:59
essentials and and we make you a better
30:00
essentials and and we make you a better professional to be uh you know joining
30:03
professional to be uh you know joining
30:03
professional to be uh you know joining the
30:03
the
30:03
the workforce so keep in touch with our team
30:07
workforce so keep in touch with our team
30:07
workforce so keep in touch with our team out there and they will uh you know give
30:12
out there and they will uh you know give
30:12
out there and they will uh you know give you the brocher everything for this
30:14
you the brocher everything for this
30:14
you the brocher everything for this course thank you and stay safe stay
30:18
course thank you and stay safe stay
30:18
course thank you and stay safe stay secure I'll catch up with you next
30:21
secure I'll catch up with you next
30:21
secure I'll catch up with you next Saturday same time
30:24
Saturday same time
30:24
Saturday same time [Music]