Web Application Tools

Tools by language

Dependency check

What is it?

A dependency checker is a tool that detects when the third-party dependencies (libraries, frameworks, etc.) used in your application have publicly disclosed security vulnerabilities and an updated, fixed version is available.

Why is it needed?

  • Up to 90% of many applications is made up of third-party components.
  • Applications often inadvertently introduce vulnerabilities by failing to update components in a timely manner, or by pulling in outdated components with known vulnerabilities.
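The check described above, reduced to its core: match each pinned dependency against a list of advisories that give the affected version range and the first fixed version, and report what to upgrade to. This is an added example, not a tool from this project; the advisory identifiers, package names and version ranges are constructed sample data, and versions are assumed to be plain dotted integers.

```python
"""Minimal dependency checker (added example, not project code).

Flags pinned packages whose version falls inside a disclosed advisory's
affected range and reports the first fixed version to upgrade to.
All advisories and requirements below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2); padded so '1.4' compares equal to '1.4.0'."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass
class Advisory:
    package: str
    advisory_id: str  # placeholder identifier, not a real CVE
    introduced: str   # first affected version (inclusive)
    fixed: str        # first version that is no longer affected

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Parse 'name==version' lines; comments and blank lines are ignored."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, version = line.split("==")
            deps.append((name.strip().lower(), version.strip()))
    return deps


def check_dependencies(requirements: str, advisories: List[Advisory]) -> List[Dict[str, str]]:
    """Return one finding per (dependency, advisory) match."""
    return [
        {"package": name, "installed": ver, "advisory": adv.advisory_id, "upgrade_to": adv.fixed}
        for name, ver in parse_requirements(requirements)
        for adv in advisories
        if adv.package == name and adv.affects(ver)
    ]


# Constructed sample data: one vulnerable pin, one already fixed, one unaffected.
ADVISORIES = [
    Advisory("examplelib", "EXAMPLE-ADV-0001", "1.0.0", "1.4.2"),
    Advisory("examplelib", "EXAMPLE-ADV-0002", "2.0.0", "2.0.5"),
    Advisory("otherpkg", "EXAMPLE-ADV-0003", "0.1.0", "0.3.0"),
]
REQUIREMENTS = "examplelib==1.3.0  # older than the fix\notherpkg==0.3.0  # at the fixed version\nsafepkg==5.2.1\n"

if __name__ == "__main__":
    for f in check_dependencies(REQUIREMENTS, ADVISORIES):
        print(f"{f['package']}=={f['installed']}: {f['advisory']} -> upgrade to {f['upgrade_to']}")
```

Running it reports only `examplelib==1.3.0`, because a version equal to the fixed version is outside the affected range.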

When should I use this?

All the time.

Using components with known vulnerabilities is a widespread and serious problem in application development. It leaves your app with vulnerabilities that are easy to find with automated scanners. Recommended tools for a variety of languages are provided elsewhere in this project:

Tools

Further reading

Static analysis

What is it?

A static analysis tool, referred to as a Static Application Security Testing (SAST) tool in the context of security, identifies potential security flaws in source code, byte code, and binaries. SAST tools provide a powerful way to identify potential defects by analyzing applications from the “inside out”. This gives much greater visibility into possible flaws than a scanner that only interacts with an application as a user would.

Why is it needed?

  • Sometimes the easiest or most obvious way to do something is also not secure. These tools provide fast feedback if a mistake is made.
  • Continuous, fast feedback about potential vulnerabilities saves teams time and stress.

When should I use this?

  • In your CI pipeline. Run the scanner automatically and periodically, possibly alongside the other automated tests that follow a check-in if it can complete quickly enough.
  • During manual testing. More in-depth scans can be run and verified along with the other necessary manual tests. Testers can also start to do some exploratory security testing after familiarizing themselves with typical weaknesses.

Tools

Further reading

Dynamic analysis

To be written

Secret management

What is it?

Secrets such as passwords, credentials, access tokens, certificates, and other confidential information are something we can’t allow to fall into the wrong hands. A secret management tool makes it possible to manage these kinds of secrets safely.

Why is it needed?

We see this more than you’d think. The dangers of leaving secrets in your code are wide ranging and severe. It could lead to anything from an attacker compromising a user’s session to fully taking over your application, and even the application server, gaining access to your database, and impersonating you to uncover more valuable data (and this is not an exhaustive list).

  • Applications rely on secrets to access services such as databases, encrypted files, and to securely communicate with other applications and systems.
  • Team members may also need a way to manage and share similar confidential information.
  • Writing secrets in a place they can be easily retrieved exposes projects to unnecessary risks. This includes doing things like writing them on sticky notes or in source code or configuration files.

Tools