Patronus: Swiss Army Knife SAST Toolkit

A presentation at BlackHat Asia 2022 in May 2022 in Singapore by Akhil Mahendra

Slide 1

#BHASIA @BlackHatEvents

Slide 2

Patronus: Swiss Army Knife SAST Toolkit

Slide 3

About us

Ashwin Shenoi, Security Engineer @ CRED (@c3rb3ru5)
Akshansh Jaiswal, Security Engineer @ CRED (@Akshanshjaiswl)
Akhil Mahendra, Security Engineer @ CRED (@Akhil_Mahendra)

Slide 4

Agenda

● Why we built this
● How Patronus stands out
● Design Solution
● False Positive Reduction
● Demo
● Future roadmap

Slide 5

Why we built it?

● Single security framework for vulnerability management and asset inventory
● High levels of false positives and huge operational overheads
● Lack of visualisation of the organisation's security posture and metrics
● Ease for devs to adopt shift-left without interfering in production code pipelines
● Cater to organisational needs and keep source code always within the ecosystem
● Actionable approach to security vulnerability findings rather than being a blocking function
● Developer-friendly security scans for their projects in real time

Slide 6

How Patronus stands out

● Secret scanning ✓
● SCA ✓
● SAST ✓
● On-demand scan ✓
● Asset inventory ✓
● All in one dashboard ✓
● Scanning only latest code commits ✓
● REST API support ✓
● Security vulnerability stats and trends ✓
● Multi-language support ✓
● Configurable scans ✓
● Fully dockerized ✓
● Custom integrations ✓
● Single Sign On ✓

Slide 7

Design Solution

Slide 8

Initiation

Slide 9

Scanning

Slide 10

Enrichment

Slide 11

False Positives reduction

● Validation of active tokens and secrets
● Actively searching for publicly available exploits for identified CVEs
● Classify findings based on configurable CVSS scores to prioritise remotely exploitable CVEs

Slide 12

Demo

Slide 13

Future Roadmap

● Introducing new verticals:
  ○ SBOM
  ○ Licence management
● Increase coverage for more languages
● Integration with VCS like GitHub/GitLab
● One-click automated patching of SCA issues
● CI/CD integration

Slide 14

Thank You

https://github.com/th3-j0k3r/Patronus