Radek Stankiewicz
Radoslaw Stankiewicz Desk
3 min read · Jun 9, 2016


Security tools for Developers

At Rest Secured we believe that security tools should be easy to understand and easy to use.

We are not alone in this thinking. Below I present a few tools that every developer should try; each protects software against a different source of attack.

1. Src:clr — protect your dependencies — you are only as secure as your weakest link

SourceClear (thanks for the t-shirt!) focuses on open-source libraries. They monitor, scan and analyze the open-source libraries we normally pull into our projects as dependencies, looking for known vulnerabilities. If we have an outdated or vulnerable library, the tool will tell us.

They currently report 1142 vulnerabilities and have analyzed 503808 libraries so far.

To analyze our vulnerable application, all we need to do is activate the scanner on our side and run a scan over our repository, or over any public git project.

After a few minutes of work we received a short report in the output, with a link to the full web report:

Libraries:
16 libraries, 0 lines of code
4 direct and 12 transitive
0 vulnerable libraries
5 different licenses are used
1 libraries is GPL-licensed
Security Issues:
0 high [H] risk vulnerabilities affecting 0 libraries
0 medium [M] risk vulnerabilities affecting 0 libraries
0 low [L] risk vulnerabilities affecting 0 libraries

On the website I could investigate how it is possible that I have a GPL library here.

I was curious how it would work against fake libraries, but they had already been removed from pip.
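How a summary like the one above could be consumed in a CI pipeline, as an added example written for this post rather than code from SourceClear: it parses the text report quoted above into structured counts and applies a build gate. The sample report is the one printed above, embedded as a constant so the script runs offline; the gate thresholds (fail on any vulnerability, flag GPL-licensed libraries unless explicitly allowed) are my own assumptions, not the tool's defaults.

```python
import re
from dataclasses import dataclass

# Constructed sample: the scanner summary quoted in the post, embedded here
# so the example runs offline. (Example code, not SourceClear's tooling.)
SAMPLE_REPORT = """\
Libraries:
16 libraries, 0 lines of code
4 direct and 12 transitive
0 vulnerable libraries
5 different licenses are used
1 libraries is GPL-licensed
Security Issues:
0 high [H] risk vulnerabilities affecting 0 libraries
0 medium [M] risk vulnerabilities affecting 0 libraries
0 low [L] risk vulnerabilities affecting 0 libraries
"""


@dataclass
class ScanSummary:
    total: int
    direct: int
    transitive: int
    vulnerable: int
    licenses: int
    gpl: int
    high: int
    medium: int
    low: int


# One regex per summary line; each captures the leading count(s).
_PATTERNS = {
    "total": r"^(\d+) libraries,",
    "direct_transitive": r"^(\d+) direct and (\d+) transitive",
    "vulnerable": r"^(\d+) vulnerable librar",
    "licenses": r"^(\d+) different licenses",
    "gpl": r"^(\d+) librar(?:y|ies) (?:is|are) GPL-licensed",
    "high": r"^(\d+) high \[H\] risk",
    "medium": r"^(\d+) medium \[M\] risk",
    "low": r"^(\d+) low \[L\] risk",
}


def parse_summary(text: str) -> ScanSummary:
    """Parse the scanner's text summary into structured counts.

    Raises ValueError if an expected line is missing, so a changed output
    format fails loudly instead of silently passing the gate.
    """
    found = {}
    for line in text.splitlines():
        line = line.strip()
        for key, pattern in _PATTERNS.items():
            m = re.match(pattern, line)
            if m:
                if key == "direct_transitive":
                    found["direct"], found["transitive"] = map(int, m.groups())
                else:
                    found[key] = int(m.group(1))
    missing = [f for f in ScanSummary.__dataclass_fields__ if f not in found]
    if missing:
        raise ValueError(f"summary is missing fields: {missing}")
    return ScanSummary(**found)


def policy_violations(s: ScanSummary, allow_gpl: bool = False,
                      max_low: int = 0) -> list:
    """Return the reasons a build should fail; an empty list means pass.

    Thresholds are assumptions for this example, not a SourceClear default.
    """
    reasons = []
    if s.high:
        reasons.append(f"{s.high} high-risk vulnerabilities")
    if s.medium:
        reasons.append(f"{s.medium} medium-risk vulnerabilities")
    if s.low > max_low:
        reasons.append(f"{s.low} low-risk vulnerabilities (max {max_low})")
    if s.vulnerable:
        reasons.append(f"{s.vulnerable} vulnerable libraries")
    if s.gpl and not allow_gpl:
        reasons.append(f"{s.gpl} GPL-licensed libraries (license policy)")
    return reasons


if __name__ == "__main__":
    summary = parse_summary(SAMPLE_REPORT)
    print(summary)
    for reason in policy_violations(summary):
        print("FAIL:", reason)
```

Run against the sample, the only gate failure is the license one (one GPL-licensed library), which is exactly the finding the web report was used to investigate; passing allow_gpl=True makes the gate pass. Parsing into a dataclass rather than grepping for "0 vulnerable" means a renamed or missing line raises instead of being mistaken for a clean result.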

2. Rest Secured — API pentesting as a service

Disclaimer: I’m a cofounder of Rest Secured.

The Rest Secured service focuses on black-box testing of RESTful APIs, the most common communication layer for mobile and web applications. It follows OWASP guidelines, so you can be sure the top issues are covered; it uses exploratory strategies to find unknown vulnerabilities; and, most importantly, it attacks from the outside, just as most attackers would.

If development follows an API-first strategy, all we need to do is paste the URL of our Open API specification; the service then scans the API, which may take some time.

As a result we receive useful insights into potential issues with the API, together with easy-to-understand remediation plans.

3. Sqreen — protect live application

Sqreen is not a Web Application Firewall; it is more than that: it works inside the web application as an agent that monitors and inspects every important call.

The Python version is not yet available, but having seen such an easy onboarding process, I will definitely give it a try.


Strategic Cloud Engineer at Google Warsaw - Helping customers solve their biggest data & analytics challenges using the best of Google.