Holy s**t! We're really behind!
I have been doing a lot of work with the Cloud, Kubernetes, Serverless and Containers over the last two years, and I realize that we have very little by way of effective security tooling for these technologies (especially at depth).
For me, security tools also need to be very developer- and DevOps-centric, as that fosters:
- Effective Usage
- Integration into Pipelines
- Visibility
Disclaimer: I'm not saying that the things I mention below have NO tools. I believe the security tooling around this space is either absent, underrepresented or not mature yet.
Additional Disclaimer: I am not ASKING anyone to work on this. In fact, I am planning to work on some of these myself. This is more a list of things I'd like to see in the days to come.
Things that I believe tooling is badly needed for:
- SAST tools for frameworks, especially Cloud SDKs. There are a lot of SAST checks one can run on the way developers use SDKs from cloud providers like Amazon, Azure, etc., and this is a definite need. Aside from that, SAST for specific frameworks is a burning need. I write webapps in Django, not Python; Express, not NodeJS; Rails, not Ruby. I need more framework-specific tools. Tools have now started adding framework-specific checks, but there's a long way to go.
- Security linting/analysis for Infrastructure-as-Code tools. I use Docker, Kubernetes, Serverless, Terraform, Ansible and other infrastructure-as-code tools, and I'm sure some of the configurations I write are less than perfect security-wise. I need quality tools that help me catch that early (preferably in my IDE). There are some tools out there, like KubeSec, but as always there's room for a LOT of improvement here.
- Simple(r) monitoring tools for Docker and Kubernetes. I like OSQuery and I love its simplicity for Docker monitoring. Integrating it into K8s workflows, with simpler cookbooks, would make it a lot more effective for companies to use as a monitoring tool. Tools to collate and aggregate security events from the Kubernetes API are also a much-needed development.
- Simple(r) ways to search CloudTrail events. Amazon's CloudTrail is a great resource: it records the API calls made in an AWS account. It could be much more useful with better querying tools.
- Security observability tools for Serverless. This is definitely improving (at least commercially), but we could use better OSS tools for serverless (FaaS) workloads.
- Moar GraphQL fuzzing patterns, and tools that can run them! I am sure a lot of this can be done with ZAP, Burp, etc. Burp has something for GraphQL, but it's more a set of insertion points. I am looking for common GraphQL attack patterns to make things easier to identify.
- Moar JWT fuzzers/generators and tools! JWT has some very large exploit possibilities, from simple ones like the "none" signature flaw to more complex ones like JKU flaws, algorithm confusion and many more. Burp Suite is the only one with reasonably good tooling for this. I'd also love to see common SAST checks for JWT.
- AST (Application Security Testing) tools for gRPC and Protobuf. gRPC is gaining traction as a leading framework for microservices workloads. Having literally NO security testing tools for it (except for a Burp extension) is not a great sign.
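To make the "SAST for Cloud SDKs" point concrete, here is an added example (mine, not from the original post or from any existing tool): a tiny AST-based check over Python source that flags boto3 S3 calls which hand out a public ACL. The rule set, the method list, the sample source and the function names are all this example's own assumptions; a real tool would cover far more of the SDK surface.

```python
"""Added example: a minimal SAST rule for boto3 S3 calls that grant public
access through the ACL keyword argument. Rule set and sample are constructed
for this example (not from any real tool)."""
import ast

# Constructed sample input: what a developer might write with boto3.
SAMPLE_SOURCE = '''
import boto3
s3 = boto3.client("s3")
s3.create_bucket(Bucket="reports", ACL="public-read")
s3.put_object(Bucket="reports", Key="q1.pdf", Body=b"...", ACL="private")
s3.put_object(Bucket="reports", Key="q2.pdf", Body=b"...", ACL="public-read-write")
acl = "public-read"
s3.put_object(Bucket="reports", Key="q3.pdf", Body=b"...", ACL=acl)
'''

# Canned S3 ACLs that expose data beyond the account (assumed rule data).
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
# boto3 S3 client methods that accept an ACL kwarg (assumed, not exhaustive).
S3_ACL_METHODS = {"create_bucket", "put_object", "put_bucket_acl",
                  "put_object_acl", "copy_object"}


class PublicAclFinder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []
        self.str_consts = {}  # variable name -> string literal it was assigned

    def visit_Assign(self, node):
        # Remember `name = "literal"` so a later ACL=name can be resolved.
        if (len(node.targets) == 1 and isinstance(node.targets[0], ast.Name)
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            self.str_consts[node.targets[0].id] = node.value.value
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in S3_ACL_METHODS:
            for kw in node.keywords:
                if kw.arg != "ACL":
                    continue
                value = self._resolve(kw.value)
                if value in PUBLIC_ACLS:
                    self.findings.append((node.lineno, func.attr, value))
        self.generic_visit(node)

    def _resolve(self, expr):
        """Resolve a string literal or a name bound to one; None if dynamic."""
        if isinstance(expr, ast.Constant) and isinstance(expr.value, str):
            return expr.value
        if isinstance(expr, ast.Name):
            return self.str_consts.get(expr.id)
        return None  # a real tool would report "unresolved ACL" here


def find_public_acls(source):
    """Return [(line, method, acl)] for S3 calls that grant a public ACL."""
    finder = PublicAclFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    for line, method, acl in find_public_acls(SAMPLE_SOURCE):
        print(f"line {line}: {method}(ACL={acl!r}) makes the object/bucket public")
```

The interesting bit for a framework-aware tool is the last case: the ACL arrives through a variable, which a regex-based grep would miss but a one-pass constant-propagation over the AST catches. Anything genuinely dynamic (a value read from config) is where a real tool would fall back to a lower-confidence finding.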
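For the Infrastructure-as-Code linting item, an added example of the kind of check I mean, written for this post and not taken from KubeSec or any other tool: a handful of Pod-level and container-level rules run over a Kubernetes manifest. The manifest is a constructed sample in JSON form (Kubernetes accepts JSON as well as YAML, and it keeps the example dependency-free); the rules and message wording are my own assumptions about what a linter should flag.

```python
"""Added example: a small Kubernetes Pod manifest linter. Rules and the sample
manifest are constructed for this example, not taken from an existing tool."""
import json

# Constructed sample: one over-privileged container and one hardened one.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "web"},
  "spec": {
    "hostPID": true,
    "containers": [
      {
        "name": "app",
        "image": "app:latest",
        "securityContext": {"privileged": true}
      },
      {
        "name": "sidecar",
        "image": "sidecar:1.2.3",
        "securityContext": {
          "runAsNonRoot": true,
          "allowPrivilegeEscalation": false,
          "readOnlyRootFilesystem": true,
          "capabilities": {"drop": ["ALL"]}
        }
      }
    ]
  }
}
""")


def lint_pod(manifest):
    """Return a list of 'location: problem' strings for a Pod manifest (dict)."""
    findings = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Pod-level: sharing host namespaces defeats container isolation.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"spec.{flag}: shares the node's {flag[4:].lower()} namespace")

    for container in spec.get("initContainers", []) + spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext", {})
        image = container.get("image", "")

        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # allowPrivilegeEscalation defaults to true unless explicitly disabled.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        # runAsNonRoot may be set at pod level and inherited by containers.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not set")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: does not drop all capabilities")

        # Image pinning: accept a digest, or a tag other than "latest"/none.
        if "@sha256:" not in image:
            last = image.rsplit("/", 1)[-1]  # strip registry/path (may hold a port)
            tag = last.split(":", 1)[1] if ":" in last else ""
            if tag in ("", "latest"):
                findings.append(f"{name}: image '{image}' is not pinned to a tag or digest")
    return findings


if __name__ == "__main__":
    for finding in lint_pod(SAMPLE_POD):
        print(finding)
```

Every rule here is a plain predicate over the parsed document, which is exactly why this belongs in an IDE plugin or a pre-commit hook rather than in a post-deploy scan: the feedback loop is seconds, not days.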
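On the CloudTrail querying item, here is an added example (my own, not from AWS or any existing tool) of the shape I would want such a tool to take: a dotted-path filter over CloudTrail records plus two canned questions built on it. The record field names are CloudTrail's (`eventName`, `errorCode`, `userIdentity.arn`, `additionalEventData.MFAUsed`, ...); the records themselves, the account ID and the IPs are constructed sample data.

```python
"""Added example: a tiny query layer over CloudTrail records. The log body is
constructed sample data using CloudTrail's real field names."""
import json
from collections import Counter

CLOUDTRAIL = json.loads("""
{"Records": [
  {"eventTime": "2019-03-01T10:00:01Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5", "errorCode": "AccessDenied",
   "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}},
  {"eventTime": "2019-03-01T10:00:02Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5", "errorCode": "AccessDenied",
   "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}},
  {"eventTime": "2019-03-01T10:00:03Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
   "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
   "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}},
  {"eventTime": "2019-03-01T10:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
   "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
  {"eventTime": "2019-03-01T10:06:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
   "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
   "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
  {"eventTime": "2019-03-01T10:07:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
   "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
   "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"}}
]}
""")
RECORDS = CLOUDTRAIL["Records"]


def get_path(record, path):
    """Read a dotted path such as 'userIdentity.userName'; None if absent."""
    node = record
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def search(records, **filters):
    """Records where every filter matches; '__' in a keyword stands for '.'.
    e.g. search(RECORDS, eventName="GetObject", userIdentity__userName="alice")"""
    wanted = {k.replace("__", "."): v for k, v in filters.items()}
    return [r for r in records
            if all(get_path(r, path) == value for path, value in wanted.items())]


def access_denied_by_principal(records):
    """Who keeps hitting AccessDenied, and how often: a cheap signal for
    either a broken IAM policy or someone probing what a key can do."""
    return Counter(get_path(r, "userIdentity.arn")
                   for r in search(records, errorCode="AccessDenied"))


def console_logins_without_mfa(records):
    """User names behind successful console logins that did not use MFA."""
    hits = search(records, eventName="ConsoleLogin",
                  responseElements__ConsoleLogin="Success",
                  additionalEventData__MFAUsed="No")
    return [get_path(r, "userIdentity.userName") for r in hits]


if __name__ == "__main__":
    print(access_denied_by_principal(RECORDS))
    print(console_logins_without_mfa(RECORDS))
```

Point the loader at the gzipped JSON files CloudTrail drops in S3 and the same `search()` works unchanged; the value is in having the common questions (denied calls per principal, non-MFA logins, calls from an unexpected IP) as named functions rather than ad-hoc console clicks.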
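For the JWT item, an added example (mine, not from Burp or any library) of the simplest pattern a JWT fuzzer needs and of the SAST-worthy coding mistake it exploits: a generator that turns a valid HS256 token into a set of `alg: none` forgeries with tampered claims, a verifier that trusts the header's `alg` (the bug), and a verifier that pins the algorithm (the fix). The key, claims and the list of `none` spellings are assumptions for the demo. The RS256-to-HS256 algorithm-confusion variant is the same class of bug (the verifier letting the token pick the algorithm), but needs an RSA key pair and is left out to keep this standard-library only.

```python
"""Added example: "alg: none" forgeries against a header-trusting JWT verifier,
beside an algorithm-pinning verifier that rejects them. Key and claims are
constructed for this demo."""
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-secret"  # hypothetical server-side HMAC key


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj):
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header, payload, key):
    """Issue a legitimate HS256 token: the input a fuzzer would mutate."""
    signing_input = f"{encode_part(header)}.{encode_part(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def none_alg_forgeries(token, **payload_changes):
    """Fuzzer pattern: drop the signature, set alg to each spelling of "none"
    (case variants catch verifiers that compare case-sensitively), and
    tamper with claims. Returns one candidate token per spelling."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(payload_changes)
    return [f"{encode_part(dict(header, alg=alg))}.{encode_part(payload)}."
            for alg in ("none", "None", "NONE", "nOnE")]


def _split(token):
    header_b64, payload_b64, sig_b64 = token.split(".")
    return header_b64, payload_b64, sig_b64, json.loads(b64url_decode(header_b64))


def naive_verify(token, key):
    """VULNERABLE pattern: the token's own header chooses the algorithm."""
    header_b64, payload_b64, sig_b64, header = _split(token)
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        return json.loads(b64url_decode(payload_b64))  # no signature check at all
    if alg == "hs256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def strict_verify(token, key, expected_alg="HS256"):
    """HARDENED pattern: the verifier pins the algorithm; anything else fails."""
    header_b64, payload_b64, sig_b64, header = _split(token)
    if header.get("alg") != expected_alg:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def run_demo():
    token = sign_hs256({"alg": "HS256", "typ": "JWT"},
                       {"sub": "alice", "admin": False}, KEY)
    forgeries = none_alg_forgeries(token, admin=True)
    return {
        "legit_strict": strict_verify(token, KEY),
        "naive_accepts": [naive_verify(f, KEY) for f in forgeries],
        "strict_accepts": [strict_verify(f, KEY) for f in forgeries],
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The SAST check that falls out of this is mechanical: any call to a JWT decode function where the accepted algorithm list is absent, comes from the token, or includes `none` is a finding. That single rule would have caught a good share of the real-world JWT bugs in this class.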