7 Free Security Tools That All Developers Will Want in Their Toolbox
What's in your toolbox?
There has long been a common misperception that developers simply don't care about security. While they are, of course, responsible for building innovative software and getting it out to users, security for their applications has become an integral part of their day-to-day work.
In fact, for some time now we have seen developers taking a leading role in ensuring the security of their applications. With the help of application security testing tools such as SAST, DAST and SCA, they are shifting security left.
What we are seeing throughout the industry now is a reordering of responsibilities for security. By using developer-focused application security tools to find and fix vulnerabilities earlier in the Software Development Lifecycle, developers are able to handle the lion’s share of these security tasks on their own. There is even an argument to be made that developers are better suited to handle application security issues than many of the security professionals who themselves may be less familiar with the intricacies of the code.
Over the past few years, as developers have stepped up to take on more security responsibilities, we are starting to see security pros taking a step back in order to focus on bigger picture security issues.
The shift-left movement, which pushes security as far to the left in the development lifecycle as possible, calls for every developer to focus on security with the correct tools to code securely. To achieve scale in an agile or DevOps context, security cannot be an afterthought. It must be embedded in processes and people.
With that in mind, I’ve highlighted seven free security tools that all developers should have in their toolbox.
Burp Suite
Burp Suite is a Java-based web penetration testing framework. Its tools work together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities.
The tool acts as an intercepting proxy between the browser and the web application, letting the tester inspect and modify HTTP/S requests and responses. The paid version adds automated scanning and integrations with other tooling such as Jenkins.
Zed Attack Proxy (ZAP)
Developed by OWASP (Open Web Application Security Project), ZAP, or Zed Attack Proxy, is a multi-platform web application security testing tool. ZAP is used for finding a range of security vulnerabilities in a web app during both the development and the testing phase. Thanks to its intuitive GUI, ZAP can be used with equal ease by newcomers and experts, and it also supports command-line access for advanced users. Besides its use as a scanner, ZAP can act as an intercepting proxy for manually testing a web page.
ModSecurity
ModSecurity is an open-source web application firewall (WAF) supported by web servers such as Apache, Nginx, and IIS. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging, and real-time analysis.
ModSecurity is commonly installed in conjunction with Apache, an open-source web server. This helps defend against many kinds of web-based attack, including code injection and brute-force attacks. ModSecurity also provides a flexible rule engine that can perform both simple and complex operations. It comes with a Core Rule Set (CRS) containing rules for cross-site scripting, bad user agents, SQL injection, trojans, session hijacking, and other exploits.
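A minimal ModSecurity configuration for Apache, added here as an example and not taken from the article: it enables the engine in detection-only mode for tuning, turns on audit logging of rule hits, loads the OWASP CRS, and adds one custom rule. The file paths, log path, trusted network range and rule id are assumptions; adjust them to your layout.

```apache
# Added example (not from the article). Paths and the rule id are assumptions.
<IfModule security2_module>
    # DetectionOnly logs matches without blocking: the safe starting point
    # while tuning CRS against a new application. Switch to On once the
    # audit log shows no false positives, otherwise nothing is ever blocked.
    SecRuleEngine DetectionOnly

    # Inspect request bodies so POST-based injection checks actually run.
    SecRequestBodyAccess On

    # Audit log: record only transactions that triggered a rule or errored,
    # so the log stays reviewable rather than becoming a full traffic dump.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLog /var/log/apache2/modsec_audit.log

    # OWASP Core Rule Set: the setup file must be included before the rules.
    Include /etc/modsecurity/crs/crs-setup.conf
    Include /etc/modsecurity/crs/rules/*.conf

    # Custom chained rule: deny requests to /admin unless they originate
    # from the (assumed) internal range. The disruptive action lives on the
    # first rule of the chain; the second rule only adds a condition.
    SecRule REQUEST_URI "@beginsWith /admin" \
        "id:100001,phase:1,deny,status:403,log,msg:'Admin path from untrusted source',chain"
        SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8"
</IfModule>
```

Run `apachectl configtest` after editing and watch the audit log for a few days before changing SecRuleEngine to On.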
WhiteSource Bolt
WhiteSource Bolt, which is available on GitHub and Microsoft Azure DevOps/TFS, helps developers choose better and more secure open source components from the early stages of coding and, most importantly, provides security alerts.
Security alerts automatically generate issues within GitHub where the user can view important details such as references for the CVE, its CVSS rating, a suggested fix, and other information that helps them plan remediation. There is even an option to assign the vulnerability to another team member using the milestones feature.
LGTM
LGTM is a variant analysis platform that automatically checks your code for real CVEs and vulnerabilities. By combining deep semantic code search with data science insights, LGTM ranks the most relevant results to show you only the alerts that matter. LGTM offers insights from a large community of top security researchers to help developers ship secure code.
Find Security Bugs
FSB is a free plugin for the FindBugs static code analysis tool. It specializes in finding security issues in code by searching for bug patterns. It can be used to scan Java web applications, Android applications, and, more recently, Scala and Groovy applications. Since it analyzes at the bytecode level, the source code is not required for the analysis. FSB can be integrated into most Java IDEs (IntelliJ, Eclipse, Android Studio) and into continuous integration tooling such as Jenkins and SonarQube.
Skipfish
Skipfish is a web application security tool that crawls your website, checks each page for a range of security issues, and produces a final security report. It is highly optimized for HTTP handling and uses minimal CPU.
It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output of a number of active security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
Importance of Security Best Practices
Security is, and should be, one of the main concerns of any software organization in the years to come. There are different tools that can assist with implementing security in the continuous development process, but the right attitude and culture change must come from the teams and organizations themselves.
Maintaining web application development security best practices is a team effort where everyone needs to play their part. Hopefully, by combining the right tools and practices throughout the SDLC, we can go a long way in keeping our products secure.