The fight for secure web apps doesn’t always have to be manual. Many existing automated tools, both open-source and paid, will help expose security flaws in your web apps and services, reveal to you what needs to be changed, and put you in a better place next time attackers come knocking.
Automated tools
- Snyk: https://snyk.io/
- Snyk YouTube Tutorials: https://www.youtube.com/channel/UCh4dJzctb0NhSibjU-e2P6w
- SonarQube: https://www.sonarqube.org/
- SecurityHeaders: https://securityheaders.io/
- Nessus/Tenable Scanner: https://www.tenable.com/products/tenable-io/web-application-scanning
- Burp Suite and Burp Suite Scanner docs
- ZAProxy: http://www.zaproxy.org/
- 14 Best Open Source Web Application Vulnerability Scanners
Further Reading on CI/CD and Security:
- Injecting Security into Continuous Delivery, by Jim Bird
- Securing the Continuous Integration Continuous Deployment (CICD) Pipeline, by Fabian Lim
- Amazon Web Services: Integrating Security into DevOps and CI / CD Environments
- 0:00 The fight for secure applications doesn't always have to be manual.
- 0:04 Many existing automated tools both open source and
- 0:08 paid, will help expose security flaws in your applications and services.
- 0:13 They can show you what needs to be changed so
- 0:16 that you can be in a better place next time attackers come knocking.
- 0:20 These tools can analyze your projects while they live
- 0:23 on a version control system such as GitHub.
- 0:26 They raise issues and interrupt releases when issues are discovered.
- 0:31 Other tools exist to analyze your code via a command line application.
- 0:36 These tools perform static analysis of your code.
- 0:40 They look at the structure and meaning of code without running it.
- 0:44 And thus discover ways to more fully protect critical resources,
- 0:49 endpoints and other assets.
- 0:52 Here are just a few of the tools that exist.
- 0:55 Snyk integrates with your version control system, and
- 0:58 raises issues when it analyzes your commits and finds security flaws.
- 1:04 SonarQube is developed and refined by leading academic and industry researchers
- 1:09 to find security flaws via static analysis of code in a variety of languages.
- 1:15 Securityheaders.io is a site where you enter your site's URL.
- 1:22 It will scan your site and
- 1:23 tell you whether you're using the proper security headers in your request.
- 1:28 Proper headers help protect your site from vulnerabilities like cross site scripting
- 1:33 and information exposure.
- 1:35 Not only can you use these tools on your own, but they can be
- 1:39 integrated into your continuous integration and deployment pipeline.
- 1:44 Greatly simplifying and streamlining your baseline security testing process.
- 1:50 Though this topic is too in-depth to cover here, we have linked resources for
- 1:55 integrating automated tools in the Teacher's notes.
- 1:58 I strongly suggest testing out some, if not all,
- 2:02 of these tools with your own projects.
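The transcript's point about security headers, which a site like securityheaders.io checks for you, can be illustrated with a small offline audit. The following is an added example and not code from the course or from securityheaders.io; it runs the same kind of check over a constructed set of response headers. The baseline header list, the weak-value rules and the sample header values are assumptions chosen for illustration.

```python
"""Audit a set of HTTP response headers against a baseline of security headers.

Added example (not from the Treehouse course or securityheaders.io). It mirrors
the kind of check such a scanner performs, on headers you supply yourself.
"""
from typing import Dict, List, Optional

# Assumed baseline: headers a modern web app should send on HTML responses,
# with a short note on the risk each one mitigates. Matching is case-insensitive.
EXPECTED_HEADERS = {
    "strict-transport-security": "forces HTTPS and blocks protocol downgrade",
    "content-security-policy": "restricts script sources, limiting XSS impact",
    "x-content-type-options": "stops browsers MIME-sniffing responses",
    "x-frame-options": "prevents clickjacking via framing",
    "referrer-policy": "limits URL leakage to third parties",
}

# Headers that reveal implementation details (the "information exposure" the
# transcript mentions); a scanner flags these rather than requiring them.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

ONE_YEAR_SECONDS = 31536000


def hsts_max_age(value: str) -> Optional[int]:
    """Parse the max-age directive out of a Strict-Transport-Security value."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return missing baseline headers, weakly configured ones, and disclosing ones."""
    lower = {k.lower(): v for k, v in headers.items()}

    missing = [h for h in EXPECTED_HEADERS if h not in lower]

    weak: List[str] = []
    hsts = lower.get("strict-transport-security", "")
    if hsts:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR_SECONDS:
            weak.append("strict-transport-security: max-age below one year")
    csp = lower.get("content-security-policy", "")
    if csp and "'unsafe-inline'" in csp:
        weak.append("content-security-policy: allows 'unsafe-inline'")
    xcto = lower.get("x-content-type-options", "")
    if xcto and xcto.strip().lower() != "nosniff":
        weak.append("x-content-type-options: value should be 'nosniff'")

    disclosing = [h for h in DISCLOSURE_HEADERS if h in lower]
    return {"missing": missing, "weak": weak, "disclosing": disclosing}


def format_report(result: Dict[str, List[str]]) -> str:
    """Render the audit result as a short human-readable report."""
    lines = []
    for h in result["missing"]:
        lines.append(f"MISSING  {h}: {EXPECTED_HEADERS[h]}")
    for note in result["weak"]:
        lines.append(f"WEAK     {note}")
    for h in result["disclosing"]:
        lines.append(f"EXPOSES  {h}: remove or genericize this header")
    return "\n".join(lines) if lines else "All baseline checks passed."


# Constructed sample: headers as a hypothetical, poorly configured app might
# return them (not captured from any real site).
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    print(format_report(audit_headers(SAMPLE_RESPONSE_HEADERS)))
```

In a pipeline you would feed `audit_headers` the headers of a real response (for example from `requests.get(url).headers`) and fail the build when `missing` or `weak` is non-empty, which is the CI/CD integration the transcript alludes to.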