Security Vulnerability Scanning

Introduction

Automated vulnerability scanning helps identify software weaknesses before they are exploited. By integrating these tools into your DevOps pipeline, you can prevent many common attacks that stem from vulnerable components and insecure coding practices. Promptly addressing any issues found keeps the software environment secure.

Dependency scans should be included in the pipelines. Advanced tools like Aikido can also identify vulnerabilities post-deployment and assist with corrective actions.

  • Implement security scanning in the pipeline

  • Act promptly on security issues

  • Consider security concerns in code reviews and software design

Implementing this control

We use Aikido to scan code and dependencies in our CI/CD pipelines. We record these scans and ensure that no artifact with missing or failed Aikido scans runs in production.
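A minimal form of the artifact gate described above, as an added example (not the project's own tooling and not Aikido's API): it assumes a constructed scan registry keyed by artifact digest and refuses deployment when the scan is missing, failed, or older than a chosen maximum age.

```python
"""Deployment gate: refuse any artifact without a recorded, passing scan.

Assumption: scan results are recorded in a registry keyed by the artifact's
digest. The JSON below is a constructed sample, not a real scanner's output.
"""
import json
from datetime import datetime, timedelta, timezone

# A scan older than this is treated as unknown and must be rerun.
MAX_SCAN_AGE = timedelta(days=7)

# Constructed sample registry: one record per artifact digest.
SCAN_REGISTRY = json.loads("""
{
  "sha256:aaa111": {"status": "passed", "scanned_at": "2024-05-01T03:00:00Z", "critical": 0},
  "sha256:bbb222": {"status": "failed", "scanned_at": "2024-05-01T03:00:00Z", "critical": 2},
  "sha256:ccc333": {"status": "passed", "scanned_at": "2023-01-01T03:00:00Z", "critical": 0}
}
""")

# Fixed "current time" so the example is deterministic (constructed value).
EXAMPLE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)


def gate(digest, registry=SCAN_REGISTRY, now=None):
    """Return (allowed, reason). Missing, failed and stale scans all block."""
    now = now or datetime.now(timezone.utc)
    record = registry.get(digest)
    if record is None:
        return False, "no scan recorded for artifact"
    if record.get("status") != "passed":
        return False, f"scan status is {record.get('status')!r}"
    scanned_at = datetime.fromisoformat(record["scanned_at"].replace("Z", "+00:00"))
    if now - scanned_at > MAX_SCAN_AGE:
        return False, "scan result is stale; rescan before deploying"
    return True, "scan passed"


if __name__ == "__main__":
    for digest in ("sha256:aaa111", "sha256:bbb222", "sha256:ccc333", "sha256:zzz999"):
        allowed, reason = gate(digest, now=EXAMPLE_NOW)
        print(f"{digest}: {'DEPLOY' if allowed else 'BLOCK'} ({reason})")
```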

Additionally, while not mandatory for our process, we run continuous nightly Aikido scans on our cloud infrastructure (AWS) to detect new vulnerabilities and misconfigurations. Aikido is also used to monitor our Route 53 domains for subdomain takeover attacks.