In declarative approaches, you specify the desired final state of the security you want to apply without dictating how to get it.<\/p>\n
This behavior is ideal for CWEs, which refer to software weaknesses rather than specific instances of vulnerabilities within products or systems.<\/p>\n
Declarative programming minimizes the factors that could affect the behavior of a piece of code to ensure that only a function\u2019s input should affect the output, not what\u2019s happening elsewhere in the program.<\/p>\n
This approach enables Security-as-Code\u2019s immutability and makes it possible to prevent vulnerability regressions.<\/p>\n
For example, if SQLi vulnerabilities are rampant in your applications, it\u2019s possible through SaC platforms to declaratively tell your applications that you never want to see another SQLi again.<\/p>\n
From the time you deploy your SQLi rule, there\u2019s no code that developers can add to the codebase that will override your rule.<\/p>\n
Due to the nature of these rules, they inherently remediate zero-days in some instances. This inherent protection is the case for Security-as-Code solutions also provide imperative rules for more involved vulnerabilities like Log4shell (CVE-2021-45105), where conditionality and context are needed.<\/p>\n","protected":false},"excerpt":{"rendered":"Declarative rules tell the machine what should be done. Learn how to use declarative Security-as-Code rules to immutably remediate CWEs.","protected":false},"author":1,"featured_media":410,"parent":16,"menu_order":3,"comment_status":"closed","ping_status":"closed","template":"template-chapter.blade.php","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"class_list":["post-19","page","type-page","status-publish","has-post-thumbnail","hentry"],"yoast_head":"\nCVE-2022-42889<\/code>, in which the process forking rule is more than sufficient for payloads supplied as Javascript code, as seen below:<\/p>\napp<\/span>(\"nashorn CVE-2022-42889\"<\/span>):<\/span>\r\n\u00a0 \u00a0<\/span> requires<\/span>(version:<\/span> ARMR\/<\/span>2.2<\/span>)\r\n\u00a0 \u00a0 <\/span>process<\/span>(\"Deny any process execution\"<\/span>):<\/span>\r\n\u00a0 \u00a0 \u00a0 \u00a0 <\/span>execute<\/span>(\"*\"<\/span>)\r\n\u00a0 \u00a0 \u00a0 \u00a0 <\/span>protect<\/span>(message:<\/span> \"\"<\/span>, severity:<\/span> 7<\/span>)\r\n\u00a0 \u00a0 <\/span>endprocess<\/span>\r\nendapp<\/span><\/pre>\n