No Experience... No Job 🛠️
The Solution??
Pick up the tools…
Look, I’m 100% not saying that learning these tools will get you a Cloud Security role.
However, knowing the tools the industry already uses is definitely a step in the right direction.
The thing I like about using tools is that they provide hands-on learning through real-world application. For example, I only truly grasped the layered structure of a Docker image (how base images, dependencies, and application code stack together) when I started using Prisma Cloud. By scanning images for vulnerabilities, it exposed security risks in specific layers, making it clear how each component contributes to the overall security posture of a containerised application.
Walking into your new role on day one with some knowledge of these tools will save you a lot of pain… trust me 😉
Tips: Try to look at these tools without focusing too much on the product (they come and go) and instead on what it’s actually doing and ultimately trying to secure. One last thing: the explainers I have for each section are SUPER high level, so I encourage you to research further.
Tools I recommend looking at:
Static Application Security Testing (SAST) analyses source code or binaries for security vulnerabilities without executing the application, helping to identify issues early in the development process.
Semgrep: Lightweight static analysis for multiple languages.
SonarQube Community Edition: Continuous inspection of code quality and security.
Bandit: Security analysis for Python code.
Brakeman: Static analysis for Ruby on Rails applications.
FindBugs: Bug detection for Java programs.
Gosec: Security scanner for Go code.
PMD: Code analyzer for Java and other languages.
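To show what a SAST tool is actually doing underneath, here is a toy Bandit-style checker. It is an added example written for this post, not code from Bandit or any other tool listed above: it parses Python source into an AST and walks it looking for a few risky patterns (eval/exec, pickle.loads, subprocess with shell=True, a string literal assigned to a password-like name) without ever running the code under review. The sample source it scans, including the "hunter2" value, is constructed for the demonstration.

```python
"""Toy Bandit-style static checker (added example, not Bandit's code).

Parses Python source into an AST and flags a handful of risky call and
assignment patterns without executing anything.
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    message: str


# Rules this toy checker knows about. A real SAST tool ships hundreds.
DANGEROUS_CALLS = {
    "eval": "use of eval() on possibly untrusted input",
    "exec": "use of exec() on possibly untrusted input",
    "pickle.loads": "deserialising untrusted data with pickle",
}
SUBPROCESS_CALLS = {"subprocess.call", "subprocess.run", "subprocess.Popen"}


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the called function, e.g. 'pickle.loads'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def _keyword_is_true(node: ast.Call, name: str) -> bool:
    """True when the call passes name=True as a literal keyword argument."""
    for kw in node.keywords:
        if kw.arg == name and isinstance(kw.value, ast.Constant) and kw.value.value is True:
            return True
    return False


def scan_source(source: str) -> list[Finding]:
    """Walk every node of the parsed module and collect findings."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS_CALLS:
                findings.append(Finding("dangerous-call", node.lineno, DANGEROUS_CALLS[name]))
            if name in SUBPROCESS_CALLS and _keyword_is_true(node, "shell"):
                findings.append(Finding("subprocess-shell", node.lineno,
                                        "subprocess invoked with shell=True"))
        elif isinstance(node, ast.Assign):
            # A string literal assigned to something called *password* is a
            # hardcoded credential, which SAST tools flag the same way.
            for target in node.targets:
                if (isinstance(target, ast.Name) and "password" in target.id.lower()
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)):
                    findings.append(Finding("hardcoded-password", node.lineno,
                                            f"string literal assigned to {target.id}"))
    return findings


# Constructed sample program under review (not real application code).
SAMPLE = '''import subprocess, pickle

DB_PASSWORD = "hunter2"              # line 3: hardcoded credential

def run(cmd):
    subprocess.run(cmd, shell=True)  # line 6: shell=True

def load(blob):
    return pickle.loads(blob)        # line 9: untrusted deserialisation

def safe(cmd):
    subprocess.run(["ls", "-l"])     # line 12: list argv, no shell, not flagged
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Run it and you get three findings on lines 3, 6 and 9; the argv-list call on line 12 is left alone, which is the distinction the real tools draw as well.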
Infrastructure as Code (IaC) Security ensures that infrastructure configurations, defined in code using tools like Terraform or CloudFormation, are free from misconfigurations and security risks before deployment.
Checkov: Static analysis for Terraform, CloudFormation, and Kubernetes configurations.
KICS: Detects insecure configurations in common IaC files.
TFLint: Linter for Terraform to identify errors and enforce best practices.
Terrascan: Static code analyzer for Terraform, Kubernetes, and more.
Trivy: Vulnerability scanner for containers and IaC configurations.
Spectral: Detects misconfigurations and secrets sprawl in IaC.
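The IaC scanners above all do a version of the same thing: read the configuration as data and apply policy checks to it before anything is deployed. The following is an added example written for this post, not Checkov's or Terrascan's code. It reads a constructed Terraform configuration in Terraform's JSON syntax and applies three toy policies (an administrative port open to the world in a security group, a public S3 bucket ACL, and a database instance that is publicly accessible or unencrypted). The check IDs are made up for the example and the AWS resource attribute names are the standard provider ones.

```python
"""Toy Checkov-style IaC checker (added example, not Checkov's code).

Reads Terraform JSON syntax and applies a few policy checks to the
resources it finds, reporting violations before deployment.
"""
import json
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass
class Violation:
    check_id: str   # constructed IDs, not Checkov's CKV_ identifiers
    address: str    # resource address, e.g. aws_s3_bucket.logs
    message: str


def _as_list(block):
    """Terraform JSON allows a nested block to be one object or a list of objects."""
    if block is None:
        return []
    return block if isinstance(block, list) else [block]


def _ingress_open_to_world_on_admin_port(rule: dict) -> bool:
    cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
    if not cidrs & WORLD_CIDRS:
        return False
    # protocol "-1" means all traffic, which always includes the admin ports
    if str(rule.get("protocol")) == "-1":
        return True
    lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def check_security_group(address: str, cfg: dict):
    for rule in _as_list(cfg.get("ingress")):
        if _ingress_open_to_world_on_admin_port(rule):
            yield Violation("TOY_SG_001", address, "administrative port open to the world")


def check_s3_bucket(address: str, cfg: dict):
    if cfg.get("acl") in ("public-read", "public-read-write"):
        yield Violation("TOY_S3_001", address, f"bucket ACL is {cfg['acl']}")


def check_db_instance(address: str, cfg: dict):
    if cfg.get("publicly_accessible") is True:
        yield Violation("TOY_RDS_001", address, "database is publicly accessible")
    if cfg.get("storage_encrypted") is not True:
        yield Violation("TOY_RDS_002", address, "storage encryption not enabled")


CHECKS = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket": check_s3_bucket,
    "aws_db_instance": check_db_instance,
}


def scan_terraform_json(text: str) -> list[Violation]:
    """Apply every registered check to every resource of a matching type."""
    doc = json.loads(text)
    violations: list[Violation] = []
    for rtype, instances in doc.get("resource", {}).items():
        check = CHECKS.get(rtype)
        if check is None:
            continue  # no policy for this resource type
        for name, cfg in instances.items():
            violations.extend(check(f"{rtype}.{name}", cfg))
    return violations


# Constructed Terraform configuration (JSON syntax), not a real deployment.
TF_JSON = r'''
{
  "resource": {
    "aws_security_group": {
      "bastion": {
        "name": "bastion",
        "ingress": [
          {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
          {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}
        ]
      }
    },
    "aws_s3_bucket": {
      "logs": {"bucket": "example-logs", "acl": "public-read"},
      "private": {"bucket": "example-private", "acl": "private"}
    },
    "aws_db_instance": {
      "app": {"engine": "postgres", "publicly_accessible": true, "storage_encrypted": false}
    }
  }
}
'''

if __name__ == "__main__":
    for v in scan_terraform_json(TF_JSON):
        print(f"{v.check_id} {v.address}: {v.message}")
```

The point to notice is that nothing here talks to a cloud provider: the whole check runs on the configuration text, which is why these tools fit naturally into a pull request pipeline.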
Container Image Scanning inspects container images for known vulnerabilities in operating system packages, dependencies, and configurations, making sure that insecure components aren’t deployed in production.
Grype: Lightweight vulnerability scanner for container images and filesystems.
Aqua Microscanner: CI/CD-integrated scanner for detecting vulnerabilities in containers.
Cloud Security involves protecting cloud environments, services, and data by implementing access controls, encryption, monitoring, and compliance measures to mitigate threats like misconfigurations and unauthorised access.
Prowler: Security assessments and audits for AWS, Azure, and GCP.
CloudMapper: Visualises AWS environments and audits for security risks.
ScoutSuite: Multi-cloud auditing tool for AWS, Azure, GCP, and more.
CloudSploit: Scans AWS environments for security misconfigurations.
Cartography: Maps cloud assets to help with security analysis and threat detection.
Secrets Scanning detects hardcoded credentials, API keys, tokens, and other sensitive information in source code, repositories, and CI/CD pipelines to prevent accidental leaks and unauthorised access.
TruffleHog: Scans code repositories for high-entropy strings and known secret patterns to detect hardcoded credentials.
Gitleaks: A fast, portable tool for detecting secrets in Git repositories, supporting customizable regex patterns.
Detect Secrets: Developed by Yelp, this tool provides a plugin-based architecture to identify and prevent committing secrets into code repositories.
Talisman: Acts as a Git hook to check for potential secrets or sensitive information, preventing them from being committed.
Git-all-secrets: Aggregates results from multiple secret scanning tools to provide a comprehensive overview of exposed secrets in Git repositories.
Deepfence SecretScanner: Scans container images or local directories to identify and report secrets found within them.
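The two techniques mentioned above, known secret patterns and high-entropy strings, are simple enough to see in a few dozen lines. This is an added example written for this post, not code from TruffleHog, Gitleaks or detect-secrets: it runs a small set of regexes over constructed sample lines, measures the Shannon entropy of long base64-looking tokens against a threshold in the range the real tools use, and skips templated `${VAR}` references so a placeholder is not reported as a leak. The AWS key values in the sample are the placeholder examples AWS uses in its own documentation, not live credentials.

```python
"""Toy secrets scanner (added example, not TruffleHog's or Gitleaks's code).

Combines known-format regexes with a Shannon-entropy test for
random-looking strings, plus an allowlist for templated references.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    snippet: str


# Known-format patterns. The AWS access key ID format is public documentation.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-credential-assignment": re.compile(
        r"(?i)(password|secret|token|api[_-]?key)[A-Za-z_]*\s*[=:]\s*[\"']([^\"']{8,})[\"']"
    ),
}
# Candidate tokens for the entropy test: long runs of base64-ish characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits per character, in the range detect-secrets uses for base64


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_templated(value: str) -> bool:
    """'${VAR}' or '$VAR' style references are placeholders, not secrets."""
    return value.startswith("$")


def scan_lines(lines: list[str]) -> list[Finding]:
    """Return one finding per (line, rule) that matched."""
    findings: list[Finding] = []
    for lineno, line in enumerate(lines, start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # Use the captured value when the pattern has one, else the whole match.
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if is_templated(value):
                continue
            findings.append(Finding(lineno, rule, value))
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(lineno, "high-entropy-string", token))
    return findings


# Constructed sample lines. The AWS values are the placeholders from AWS's own docs.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'region = "us-east-1"',
    'password = "${DB_PASSWORD}"',            # templated reference, should not be flagged
    'github_token = "ghp_" + os.environ["TOKEN"]',  # read from the environment, not a literal
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line}: [{f.rule}] {f.snippet}")
```

Line 1 is caught by the format regex even though its entropy is modest, line 2 is caught both by the generic assignment pattern and by entropy, and lines 3 to 5 stay quiet. That is the trade-off every scanner in the list is tuning: patterns are precise but only cover formats you know, entropy catches the unknown but needs allowlists to keep the noise down.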
That’s a wrap 🌯
I’ve focused on Cloud Security / DevSecOps tools this week but let me know if you like these lists and I can do a more Cloud Engineering or Traditional Cyber Security one.
Thank you for reading: Keep it secure, keep it light-hearted!
WJPearce - CyberBrew