# What you'll learn

After watching this video, you will be able to:
* Describe the use of software vulnerability and software component analysis (SCA) tools.
* Explain defect tracking tools and how they support application developers.
* Demonstrate the use of OWASP’s ZAP tool to scan a vulnerable website.

# Evaluating software vulnerabilities

* Developers build their applications from their own code, code from packages, and third-party libraries.
* Therefore, application developers need tools to evaluate and analyze potential vulnerabilities before releasing their applications.
* Scanning software should include the application’s code base and all relevant resources, such as containers and container images, either statically or dynamically.
* Additionally, software licenses should also be analyzed to keep software compliant.

# Open-source software vulnerability

* A vulnerability in open-source software requires analysis by the developers who include that software in their application.
* First, developers must resolve any compliance or legal issues with the software.
* This includes checking the other open-source software the application depends on for known vulnerabilities.
* All open-source software included in an application should be aggregated, listed, and verified as compliant.

# SCA tools

* One method for scanning software vulnerabilities is software composition analysis (SCA).
* SCA tools help identify and repair open-source or proprietary vulnerabilities.
* Additionally, SCA tools can identify third-party issues in software libraries through the National Vulnerability Database (NVD).
* Developers submit various software vulnerabilities to this database for public reference.

# Penetration tools

* Penetration tools aid in the discovery of software vulnerabilities within software applications.
* There are different types of penetration tests.
* An **internal test**, which the organization's own security team often runs, can determine if any software vulnerabilities exist.
* Another option is an **external test**, in which an outside party runs the test and reports whether any vulnerabilities exist.

# Defect tracking tool

* A defect-tracking tool may be necessary to help track any discovered vulnerabilities.
* Jira and Bugzilla are two popular defect-tracking tools that track the progress of fixing and registering newly discovered vulnerabilities.
* These defect-tracking tools help software developers categorize the severity of the vulnerabilities.
* Moreover, defect-tracking tools centralize vulnerabilities organization-wide, so that multiple developers can address them within their own software development work.

# Prioritizing vulnerabilities


* If you are a software developer, prioritizing vulnerabilities is an important task for you.
* Mission-critical vulnerabilities should be handled as the highest priority.
* Once the mission-critical vulnerabilities are closed, the high-severity vulnerabilities are the next highest priority.
* Vulnerabilities with medium and low statuses are lower priorities.

# Demonstration


Next, let’s see a demonstration of how you can scan your website for vulnerabilities.
* For this demonstration, we will use a vulnerability tool from OWASP called **ZAP** to scan a vulnerable website.
* In the Welcome window, click **Automated Scan**.
* Enter a website that has PHP vulnerabilities, such as **`http://testphp.vulnweb.com`**.
* Then click **Attack**.
* ZAP will then automatically scan the website to find vulnerabilities.
* In the bottom pane, ZAP runs an active scan of the entire website, which takes a few minutes.
* Click **Stop** to review the preliminary results.
* You can view the history of the scan by clicking the **History** tab.

Next, click **Alerts** to see all of the vulnerability alerts found on this website, such as:
* Cross-Site Scripting
* Absence of Anti-CSRF Tokens
* Content Security Policy Header Not Set
* Missing Anti-clickjacking Header
* Server Leaks Information via HTTP Response Header Fields
* Server Leaks Version Information via Server HTTP Response Header Field
* X-Content-Type-Options Header Missing
* Charset Missing
* Information Disclosure: Suspicious Comments
* Modern Web Application
* User Controllable HTML Element Attribute, which is potentially vulnerable to Cross-Site Scripting
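What happens after the scan ties the demonstration above to the prioritizing and defect-tracking sections: ZAP can export its findings as a JSON report, and the script below (an added example, not part of the video and not ZAP's own code) flattens the alerts, orders them by risk and confidence, and emits one tracker-ready record per alert type, the kind of input a defect-tracking tool such as Jira or Bugzilla would receive. The sample report is constructed and abridged; the field names follow the layout of ZAP's JSON report as assumed here, and ZAP's four risk levels (High, Medium, Low, Informational) stand in for the page's mission-critical/high/medium/low tiers.

```python
import json

# ZAP riskcode values: 3 = High, 2 = Medium, 1 = Low, 0 = Informational
RISK_NAMES = {3: "High", 2: "Medium", 1: "Low", 0: "Informational"}

# Constructed sample, not real scan output: the layout follows ZAP's JSON report
# (site -> alerts -> instances) as assumed here, abridged to the fields read below.
SAMPLE_REPORT = json.dumps({"site": [{"@name": "http://testphp.vulnweb.com", "alerts": [
    {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
     "confidence": "2", "instances": [{"uri": "/search.php"}, {"uri": "/guestbook.php"}]},
    {"pluginid": "10202", "alert": "Absence of Anti-CSRF Tokens", "riskcode": "2",
     "confidence": "2", "instances": [{"uri": "/login.php"}, {"uri": "/guestbook.php"}]},
    {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
     "confidence": "3", "instances": [{"uri": "/"}, {"uri": "/index.php"}, {"uri": "/login.php"}]},
    {"pluginid": "10036", "alert": "Server Leaks Version Information via Server HTTP Response Header Field",
     "riskcode": "1", "confidence": "3", "instances": [{"uri": "/"}]},
    {"pluginid": "10109", "alert": "Modern Web Application", "riskcode": "0",
     "confidence": "2", "instances": [{"uri": "/"}]},
]}]})


def load_alerts(report_json):
    """Flatten every site's alerts into plain records with numeric risk/confidence."""
    rows = []
    for site in json.loads(report_json).get("site", []):
        for a in site.get("alerts", []):
            rows.append({
                "site": site.get("@name", ""),
                "name": a.get("alert") or a.get("name", ""),
                "plugin": a.get("pluginid", ""),
                "risk": int(a.get("riskcode", 0)),          # 3 = High .. 0 = Informational
                "confidence": int(a.get("confidence", 0)),  # 3 = High .. 1 = Low
                "instances": len(a.get("instances", [])),   # how many URLs are affected
            })
    return rows


def prioritize(alerts):
    """Work-queue order: highest risk first, then confidence, then how widespread."""
    return sorted(alerts, key=lambda r: (-r["risk"], -r["confidence"], -r["instances"], r["name"]))


def to_tickets(alerts, min_risk=1):
    """One tracker-ready record per alert type at or above min_risk (drops Informational)."""
    return [{"title": f"[ZAP {r['plugin']}] {r['name']} on {r['site']}",
             "severity": RISK_NAMES[r["risk"]],
             "instances": r["instances"]}
            for r in prioritize(alerts) if r["risk"] >= min_risk]
```

Raising `min_risk` to 3 yields only the High alerts, which matches the page's rule of closing the top tier before starting on the next one.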

# Bug bounty

* If an organization has too many vulnerabilities to close, a bug bounty may be a solution to implement.
* A bug bounty can be administered internally, or publicly for anyone to attempt to resolve a vulnerability and earn a reward.
* In conclusion, it’s important to have vulnerability policies to support managing software vulnerabilities.

# Summary

In this video, you learned that:
* Application developers need tools to evaluate and analyze potential vulnerabilities before releasing their applications.
* Some tools that help discover and evaluate software vulnerabilities are:
    * Software composition analysis (SCA),
    * Penetration tools, and
    * Defect-tracking tools, like Jira and Bugzilla.
* You saw a demonstration on scanning a vulnerable website using the vulnerability tool, **OWASP ZAP**.
* You also learned that an organization that has too many vulnerabilities can use a bug bounty, which offers a reward for helping to close out vulnerabilities.