The fight for secure web apps doesn’t always have to be manual. Many existing automated tools, both open-source and paid, will help expose security flaws in your web apps and services, reveal to you what needs to be changed, and put you in a better place next time attackers come knocking.
Automated tools
- Snyk: https://snyk.io/
- Snyk YouTube Tutorials: https://www.youtube.com/channel/UCh4dJzctb0NhSibjU-e2P6w
- SonarQube: https://www.sonarqube.org/
- SecurityHeaders: https://securityheaders.io/
- Nessus/Tenable Scanner: https://www.tenable.com/products/tenable-io/web-application-scanning
- Burp Suite and Burp Suite Scanner docs
- ZAProxy: http://www.zaproxy.org/
- 14 Best Open Source Web Application Vulnerability Scanners

Further Reading on CI/CD and Security:
- Injecting Security into Continuous Delivery, by Jim Bird
- Securing the Continuous Integration Continuous Deployment (CICD) Pipeline, by Fabian Lim
- Amazon Web Services: Integrating Security into DevOps and CI / CD Environments
0:00 The fight for secure applications doesn't always have to be manual.
0:04 Many existing automated tools, both open source and paid, will help expose security flaws in your applications and services.
0:13 They can show you what needs to be changed so that you can be in a better place next time attackers come knocking.
0:20 These tools can analyze your projects while they live on a version control system such as GitHub.
0:26 They raise issues and interrupt releases when issues are discovered.
0:31 Other tools exist to analyze your code via a command line application.
0:36 These tools perform static analysis of your code.
0:40 They look at the structure and meaning of code without running it, and thus discover ways to more fully protect critical resources, endpoints and other assets.
0:52 Here are just a few of the tools that exist.
0:55 Snyk integrates with your version control system, and raises issues when it analyzes your commits and finds security flaws.
1:04 SonarQube is developed and refined by leading academic and industry researchers to find security flaws via static analysis of code in a variety of languages.
1:15 Securityheaders.io is a site where you enter your site's URL.
1:22 It will scan your site and tell you whether you're using the proper security headers in your request.
1:28 Proper headers help protect your site from vulnerabilities like cross-site scripting and information exposure.
1:35 Not only can you use these tools on your own, but they can be integrated into your continuous integration and deployment pipeline, greatly simplifying and streamlining your baseline security testing process.
1:50 Though this topic is too in-depth to cover here, we have linked resources for integrating automated tools in the Teacher's notes.
1:58 I strongly suggest testing out some, if not all, of these tools with your own projects.