An Incomplete List of Practical Security for Mortals

This page summarizes the projects mentioned and recommended in the original post on dev.to.

  • cats

    CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance. (by Endava)

    focus on negative and boundary testing, not only on happy scenarios; CATS is a good option for API testing

  • Zed

    The OWASP ZAP core project

    consider adding some security testing inside the pipeline

  • Vault

    A tool for secrets management, encryption as a service, and privileged access management

    do not store secrets (passwords, api keys, ssh keys, private keys, etc) in source files or in version control; use proper Secrets Vault systems

  • SonarQube

    Continuous Inspection

    some good tools for security code analysis: Veracode, Checkmarx, Sonarqube

  • SLF4J

    Simple Logging Facade for Java

    use an abstraction over the actual logging implementation; for example in Java: slf4j with logback as implementation

  • Spotbugs

    SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

    some good tools for general code analysis (Java): Sonarqube, PMD, SpotBugs

  • semgrep

    Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

    Automate everything. Automation makes it predictable and consistent. The CI/CD pipeline should be the place where you automate all checks that will assess your (micro)service from a quality perspective. Tools like Semgrep can bring automation with less effort for standards not obviously suited for automation.

  • PMD

    An extensible multilanguage static code analyzer.

    some good tools for general code analysis (Java): Sonarqube, PMD, SpotBugs

  • Logback

    The reliable, generic, fast and flexible logging framework for Java.

    use an abstraction over the actual logging implementation; for example in Java: slf4j with logback as implementation

NOTE: The number of mentions for each project counts mentions in common posts plus user-suggested alternatives, so a higher number means a more popular project.
