An Incomplete List of Practical Security for Mortals

This page summarizes the projects mentioned and recommended in the original post on dev.to

  • cats

    CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance. (by Endava)

    focus on negative and boundary testing, not only on happy scenarios; CATS is a good option for API testing

  • Zed

    The OWASP ZAP core project

    consider adding some security testing inside the pipeline

  • Vault

    A tool for secrets management, encryption as a service, and privileged access management

    do not store secrets (passwords, api keys, ssh keys, private keys, etc) in source files or in version control; use proper Secrets Vault systems

  • SonarQube

    Continuous Inspection

    some good tools for security code analysis: Veracode, Checkmarx, Sonarqube

  • SLF4J

    Simple Logging Facade for Java

    use an abstraction over the actual logging implementation; for example in Java: slf4j with logback as implementation

  • Spotbugs

    SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

    some good tools for general code analysis (Java): Sonarqube, PMD, SpotBugs

  • semgrep

    Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

    Automate everything. Automation makes it predictable and consistent. The CI/CD pipeline should be the place where you automate all checks that will assess your (micro)service from a quality perspective. Tools like Semgrep can bring automation with less effort for standards not obviously suited for automation.

  • PMD

    An extensible multilanguage static code analyzer.

    some good tools for general code analysis (Java): Sonarqube, PMD, SpotBugs

  • Logback

    The reliable, generic, fast and flexible logging framework for Java.

    use an abstraction over the actual logging implementation; for example in Java: slf4j with logback as implementation
