A presentation at BlackHat Asia 2022 in May 2022 in Singapore by Akhil Mahendra
#BHASIA @BlackHatEvents
Patronus: Swiss Army Knife SAST Toolkit
About us
● Ashwin Shenoi, Security Engineer @ CRED (@c3rb3ru5)
● Akshansh Jaiswal, Security Engineer @ CRED (@Akshanshjaiswl)
● Akhil Mahendra, Security Engineer @ CRED (@Akhil_Mahendra)
Agenda
● Why we built this
● How Patronus stands out
● Design Solution
● False Positive Reduction
● Demo
● Future roadmap
Why we built it
● A single security framework for vulnerability management and asset inventory
● Existing tooling produced high levels of false positives and huge operational overheads
● Lack of visualisation of the organisation's security posture and metrics
● Easy for developers to adopt shift-left without interfering with production code pipelines
● Cater to organisational needs and keep source code always within the ecosystem
● An actionable approach to security vulnerability findings rather than a blocking function
● Developer-friendly security scans for their projects in real time
How Patronus stands out
● Secret Scanning ✓
● SCA ✓
● SAST ✓
● On-demand scan ✓
● Asset inventory ✓
● All in one dashboard ✓
● Scanning only latest code commits ✓
● REST API Support ✓
● Security vulnerability stats and trends ✓
● Multi-language support ✓
● Configurable scans ✓
● Fully dockerized ✓
● Custom integrations ✓
● Single Sign On ✓
Design Solution
Initiation
Scanning
Enrichment
False Positive Reduction
● Validation of active tokens and secrets
● Actively searching for publicly available exploits for identified CVEs
● Classify findings based on configurable CVSS scores to prioritise remotely exploitable CVEs
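As an added illustration of the classification step on this slide (example code, not Patronus's own): findings are bucketed by configurable CVSS score thresholds, and a finding that is both remotely exploitable (CVSS attack vector AV:N) and has a public exploit from the enrichment step is escalated one level. The Finding structure, the thresholds and the sample findings are assumptions, and the CVE ids are placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str              # placeholder ids in SAMPLE_FINDINGS, not real advisories
    score: float          # CVSS v3.x base score, 0.0 - 10.0
    vector: str           # NVD-style vector, e.g. "CVSS:3.1/AV:N/AC:L/..."
    public_exploit: bool  # result of the public-exploit search enrichment

# Configurable thresholds (assumed defaults): minimum score per bucket.
DEFAULT_THRESHOLDS = {"P1": 9.0, "P2": 7.0, "P3": 4.0}

def parse_vector(vector: str) -> dict:
    """Split 'CVSS:3.x/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    prefix, _, metrics = vector.partition("/")
    if not prefix.startswith("CVSS:3."):
        raise ValueError(f"unsupported CVSS vector: {vector!r}")
    return dict(m.split(":", 1) for m in metrics.split("/"))

def is_remotely_exploitable(vector: str) -> bool:
    """AV:N means the flaw is reachable over the network without local access."""
    return parse_vector(vector).get("AV") == "N"

def classify(f: Finding, thresholds: dict = DEFAULT_THRESHOLDS) -> str:
    """Bucket by score (highest threshold first, P4 if none match), then escalate
    one level when the finding is remotely exploitable AND has a public exploit."""
    bucket = "P4"
    for name, minimum in sorted(thresholds.items(), key=lambda kv: kv[1], reverse=True):
        if f.score >= minimum:
            bucket = name
            break
    if is_remotely_exploitable(f.vector) and f.public_exploit and bucket != "P1":
        bucket = f"P{int(bucket[1]) - 1}"
    return bucket

# Constructed sample findings; ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True),
    Finding("CVE-0000-0002", 7.8, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", True),
    Finding("CVE-0000-0003", 7.5, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", True),
    Finding("CVE-0000-0004", 5.3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", False),
]

def triage(findings, thresholds: dict = DEFAULT_THRESHOLDS) -> dict:
    """Return {cve: bucket} ordered P1 first, highest score first within a bucket."""
    ranked = sorted(findings, key=lambda f: (classify(f, thresholds), -f.score))
    return {f.cve: classify(f, thresholds) for f in ranked}

if __name__ == "__main__":
    for cve, bucket in triage(SAMPLE_FINDINGS).items():
        print(bucket, cve)
```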
Demo
Future Roadmap
● Introducing new verticals:
  ○ SBOM
  ○ Licence management
● Increase coverage for more languages
● Integration with VCS like GitHub/GitLab
● One-click automated patching of SCA issues
● CI/CD integration
Thank You
https://github.com/th3-j0k3r/Patronus
https://www.blackhat.com/asia-22/arsenal/schedule/#patronus-swiss-army-knife-sast-toolkit-25987