Like A Girl

Pushing the conversation on gender equality.

Code Like A Girl

Developer and Ops Security Tools

Sometimes people ask me what tools I suggest for developers and/or ops people, and since I am asked it often I decided it was a worthy blog post topic.

This is not an exhaustive list, but it is certianly a place a for a Developer or Ops person to start. I suggest getting as many of these tools as you feel comfortable with. There is no “one tool to rule them all”, you always need more than one tool to get good coverage.

  • OWASP Zed Attack Proxy: Zap (Free) This is a web proxy that includes an automated scanner that will find all the low hanging fruit for you. Zap is also really easy to use, compared to many other security tools, so I feel it’s great for beginners and pros.
  • Burp Suite Pro ($299 USD) Burp is also a web proxy with an automated scanner, that has a large community built around it like Zap. I learned on Burp, and although it is more difficult to “drive” than Zap is, it is my favourite. The automated scanner is powerful, the Burp Collaborator feature is incredible, and you can get into quite a bit of fun with the intruder feature. There is a free version of Burp, but the scanner is not included and intruder is throttled (slowed down on purpose), and if you don’t have a budget to pay for the pro version, this is a good tool to have along side Zap in your tool box.
  • Nessus, Nexpose or OpenVAS: All of these tools will scan your virtual machine, server OS or your host machine (the computer you do your work on). Sometimes when we apply patches, they don’t “take”, or we miss a machine and don’t realize it, they will figure out what has been missed. Nessus and Nexpose are not free, but they are always bleeding-edge up to date and for me it’s worth it for a company, but OpenVAS, which is free, could definitely be okay for home use. Yes, I am a nerd and I scan my own computers with Nessus (there’s a free home version!). Anyway…. It’s important that all of the operating systems you are running your apps on are secure, and that means patched and up to date.
  • Fiddler. Also a web proxy, and very well respected. Many, many developers use Fidler, and like it.
  • Test with multiple browsers, not just one. FireFox Developer Edition (will allow you to undo security features for better testing, definitely your best choice), Edge (has newest security header features, and you all use the security headers, right??), Chrome (very modern, large marketshare), Safari (many mac users use it, and you want them to use your app, right?), Internet Explorer (it used to have the lionshare of the market, and you want to ensure all users have a nice and secure experience in your app).
  • I want to add a list of code review tools here, but unfortunately most the best & free ones are language-specific, such as Find Security Bugs for Java, Brakeman for Ruby and Puma or Security Guard for .Net. For a complete list of all the code scanners, visit the OWASP Project page for this.
  • Unit tests. I know this might sound lame, but it’s actually awesome! Make negative unit tests, tests that test the opposite of what your app is supposed to do. Does your app fail gracefully? Does it reject invalid input? How does it handle code injected into it’s inputs? Adding unit tests like this can ensure that insecure code is not accidentally added to your app. I hope to do a larger and more in-depth post on this in the future….
  • For those performing CI/CD, a great tool to help integrate security activities into your pipeline is OWASP Glue. If you are going to have a pipeline, you absolutely must add in security checks. Speaking of which….
  • Dependency Check and Dependency Track, to verify that your libraries and other components are not known to be vulnerable. With an average of 80% of application code coming from libraries and other components, not verifying the security of these additional pieces is living dangerously. Also, you can add them your your CI/CD pipeline, just like you can many of the tools above.

I feel this is a good start for someone looking to dip their toes into AppSec. Please feel free to contact me with more suggestions for tools, and any feedback you may have.

Thank you for reading!