A couple of weeks ago, Ecosystem Security announced that we are launching and open sourcing a new tool called the Forge Security Requirement Tester (FSRT). FSRT expands our Ecoscanner platform to include Forge apps, and makes significant strides in our goal of validating that all apps are following our security requirements for cloud applications. To read the full blog post, check here!
Implementing FSRT will help you validate that your app(s) are meeting our first security requirement, listed below:
An application must authenticate and authorize every request on all endpoints exposed.
Starting today, we welcome our community to try this tool out on your Forge apps. We will begin scanning all Marketplace Forge apps ourselves in the next few weeks. As always, apps that miss security requirements will receive AMS tickets that are subject to our timeframes for resolution outlined in our Security Bug Fix Policy.
Are there any docs on what FSRT actually does under the hood to validate the “authenticate and authorize” requirement? I would like to understand what this scanner does without reading the Rust code.
It would be nice to have a high-level description of each implemented requirement that documents what’s being verified by the scanner to pass the requirement.
I second what @BenjaminCJohn has posted; I get errors as well:
thread 'main' panicked at 'called `Option::unwrap()` on a `None` value', crates/forge_analyzer/src/engine.rs:107:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
You can create issues under our issue tracker: Issues · atlassian-labs/FSRT · GitHub.
Preferably with a backtrace and a Forge app-id (or source code, but it’s fine if you can’t provide it).