Download all public source code available for the organization under analysis.
Search for keywords throughout the code:
- API and key (to find more endpoints and API keys)
- token
- secret
- TODO
- password
- vulnerable
- http:// and https://
Analyze code related to the following (these are difficult to get right):
- CSRF
- random
- hash
- MD5, SHA-1, SHA-2, etc.
- HMAC
Search issues for security problems and for information shared about infrastructure (search for domains/subdomains). Look at the projects of the organization's members.
Skim the commit history for security-related changes. Check the blame and history of files of interest.
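The keyword search and the high-entropy secret hunt from the steps above, as an added example (not part of the original checklist or any of the tools listed below): a small scanner that walks a cloned repository, flags the checklist keywords and weak-hash calls, and uses Shannon entropy to separate key-like strings from ordinary identifiers. The entropy threshold of 4.0 bits per character and the sample file are my assumptions, constructed for the demonstration.

```python
import math
import os
import re
from collections import Counter

# Keyword patterns from the checklist above (case-insensitive substring matches).
KEYWORDS = re.compile(r"api[_-]?key|token|secret|password|vulnerable|TODO|https?://", re.I)
# Hash primitives the checklist says to review by hand.
WEAK_HASH = re.compile(r"\b(md5|sha-?1)\b", re.I)
# Credential-looking runs: 20+ chars from the base64/hex/identifier alphabet.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score near 5-6, words and identifiers near 2-3."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def scan_lines(lines, entropy_threshold=4.0):
    """Return (line_no, kind, match) for keyword hits, weak-hash calls and high-entropy strings."""
    findings = []
    for no, line in enumerate(lines, 1):
        findings += [(no, "keyword", m.group(0)) for m in KEYWORDS.finditer(line)]
        findings += [(no, "weak-hash", m.group(0)) for m in WEAK_HASH.finditer(line)]
        for m in CANDIDATE.finditer(line):
            if shannon_entropy(m.group(0)) >= entropy_threshold:  # assumed threshold
                findings.append((no, "high-entropy", m.group(0)))
    return findings

def scan_tree(root, exts=(".py", ".rb", ".js", ".cs", ".json", ".yml", ".env")):
    """Walk a cloned repository and scan each text file; returns {path: findings}."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_lines(fh)
                if hits:
                    report[path] = hits
    return report

# Constructed sample file (the key is made up, not a real credential).
SAMPLE = """\
# TODO: move this to a vault
API_KEY = "Zq3vT9xLp2mWs8kRb5nJ7cHd4yFg6aE1"
BASE_URL = "http://api.internal.example.com/v1"
def hash_password(pw): return hashlib.md5(pw.encode()).hexdigest()
LABEL = "test_test_test_test_test_test"
"""
```

Run `scan_tree("/path/to/clone")` on a repository fetched with the cloning tools below, or `scan_lines(SAMPLE.splitlines())` to see the sample flagged: the 32-character key scores 5.0 bits per character, while the repetitive `LABEL` value scores under 2 and is ignored.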
Tools
- OWASP Static analysis tools
- NIST Source Code Security Analyzers
- Awesome static analysis (curated list of static analyzers)
- GithubCloner (to clone all repositories of the company under analysis)
- snyk.io (check dependencies)
- Truffle Hog (search for high entropy strings and secrets in git commit history)
- git-all-secrets
Python
- Bandit (static analyzer)
- Online Requirements Checker (check for outdated dependencies)
Ruby
- Brakeman (static analyzer)
JS
.NET