Have you noticed a predominant trend: many infosec tools are now query tools? A query tool lets you write what you are looking for in SQL, YAML, or a purpose-built DSL. The tool translates that query into parameters for some API exposed by $environment (your operating system, your cloud account, your source code, and so on) and returns the matches as findings.
Here are some of my favorite query tools that I think you should know about!
While you’re at it, check out some of the best appsec labs for you to sharpen your skills.
Let's start with osquery. It is an outstanding query tool for the OS and one of the first I came across. osquery exposes the operating system as a set of SQL tables (processes, listening ports, users, installed packages, kernel modules, and hundreds more) and runs on Linux, macOS, and Windows. The same SQL that answers an ad-hoc question in the osqueryi shell can be scheduled in the osqueryd daemon, which logs only the rows that changed between runs, which is why it is widely used for DevOps inventory, compliance, threat hunting, and other purposes.
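As an added example (not from the original post), here is the kind of threat-hunting query osquery makes possible. It joins the real osquery tables listening_ports, processes, users, and hash to list every process with a non-loopback TCP listener, along with its owner and binary hash, and flags two common malware tells: the executable was deleted after launch, or it runs from a scratch directory. The scratch-directory paths assume a Linux or macOS host; adjust them for Windows.

```sql
-- Added example: osquery threat hunt, not part of the original post.
-- Lists non-loopback TCP listeners with owning user and binary SHA-256,
-- and flags deleted binaries and binaries running from scratch dirs.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  u.username,
  lp.address,
  lp.port,
  h.sha256,
  CASE
    WHEN p.on_disk = 0 THEN 'binary deleted from disk'
    -- Assumed Unix scratch directories; change for Windows hosts.
    WHEN p.path LIKE '/tmp/%'
      OR p.path LIKE '/var/tmp/%'
      OR p.path LIKE '/dev/shm/%' THEN 'running from scratch directory'
    ELSE 'no flag'
  END AS finding
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN users AS u ON u.uid = p.uid
-- The hash table needs a path constraint; the join on p.path supplies it.
LEFT JOIN hash AS h ON h.path = p.path
WHERE lp.protocol = 6                      -- IANA protocol number: 6 = TCP
  AND lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1')  -- skip loopback-only services
ORDER BY finding, lp.port;
```

Run it interactively in osqueryi to triage one host, or put it in a scheduled query pack so osqueryd reports only new listeners as they appear. The hash join is the expensive part; on a busy fleet, schedule it less often than the rest.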
Next, we have CodeQL, which was the first to impress me in the SAST segment. It is query-driven like osquery, but its language is QL, a declarative language of CodeQL's own, not SQL. CodeQL first extracts your source code into a relational database (the AST plus the control-flow and data-flow relations built on top of it), and queries then describe vulnerability patterns as relations over that database, for example a taint path from an HTTP request parameter to a SQL call.
In SAST, I've recently been loving Semgrep. Its rules are YAML, and the patterns inside them are written in the syntax of the language being scanned, with metavariables such as $X and an ellipsis standing in for the parts you don't care about. That gives you grep-like simplicity while matching on the parsed code rather than on raw text, so a short pattern still matches after reformatting, renamed variables, or reordered arguments that would defeat a regex. That is what makes scaling SAST across a huge codebase both easier and more accurate with Semgrep.
Lastly, I've been highly impressed with Steampipe, which allows you to query your cloud environment for security flaws using SQL. Its plugins map cloud APIs (AWS, Azure, GCP, and many others) onto PostgreSQL tables, so a misconfiguration check becomes a single SELECT across every region and account you have connected. I enjoy the pre-built mods they provide, which bundle queries into benchmarks such as the CIS checks for AWS.
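As an added example (not from the original post or the Steampipe project), here is a Steampipe query over the AWS plugin's aws_s3_bucket table. Every bucket in every connected account is one row, so a check that would otherwise need a loop over the S3 API and three separate calls per bucket becomes one SELECT. The column names are the real ones from the plugin; the finding labels are my own.

```sql
-- Added example: Steampipe misconfiguration check, not from the original post.
-- One row per bucket across all connected AWS accounts and regions.
-- coalesce() matters: a bucket with no public-access-block configuration
-- would otherwise yield NULL, and NOT (NULL AND ...) never matches.
SELECT
  account_id,
  region,
  name,
  CASE
    WHEN coalesce(bucket_policy_is_public, false)
      THEN 'bucket policy grants public access'
    WHEN NOT (coalesce(block_public_acls, false)
          AND coalesce(block_public_policy, false)
          AND coalesce(ignore_public_acls, false)
          AND coalesce(restrict_public_buckets, false))
      THEN 'public access block not fully enabled'
    WHEN NOT coalesce(versioning_enabled, false)
      THEN 'versioning disabled'
  END AS finding
FROM aws_s3_bucket
WHERE coalesce(bucket_policy_is_public, false)
   OR NOT (coalesce(block_public_acls, false)
       AND coalesce(block_public_policy, false)
       AND coalesce(ignore_public_acls, false)
       AND coalesce(restrict_public_buckets, false))
   OR NOT coalesce(versioning_enabled, false)
ORDER BY account_id, finding, name;
```

Run it from the steampipe query shell, or save it as a .sql file and run it non-interactively in CI so the output fails the build when rows come back. The CASE ranks findings by severity, so a bucket that is both public and unversioned shows the public finding first.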
I prefer query tools for security analysis because they let me start from pre-made queries and then write my own for the use cases I actually have. A query is a small, reviewable text file, which gives me speed and versatility and makes these tools ideal for running in a CI pipeline.
AppSec training for developers has never been easier, especially with our hands-on AppSec labs and playgrounds. Start with AppSec Essentials here!
Never Stop Learning!