An Incomplete List of Practical Security for Mortals

This page summarizes the projects mentioned and recommended in the original post on dev.to

Our great sponsors
  • WorkOS - The modern identity platform for B2B SaaS
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • SaaSHub - Software Alternatives and Reviews
  • cats

    CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance. (by Endava)

    focus on negative and boundary testing, not only on happy scenarios; CATS is a good option for API testing

  • ZAP

    The ZAP core project

    consider adding some security testing inside the pipeline

  • WorkOS

    The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

  • Vault

    A tool for secrets management, encryption as a service, and privileged access management

    do not store secrets (passwords, api keys, ssh keys, private keys, etc) in source files or in version control; use proper Secrets Vault systems

  • SonarQube

    Continuous Inspection

    some good tools for security code analysis: Veracode, Checkmarx, Sonarqube

  • SLF4J

    Simple Logging Facade for Java

    use an abstraction over the actual logging implementation; for example in Java: slf4j with logback as implementation

  • Spotbugs

    SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

    some good tools for general code analysis (Java): Sonarqube, PMD, SpotBugs

  • semgrep

    Lightweight static analysis for many languages. Find bug variants with patterns that look like source code.

    Automate everything. Automation makes it predictable and consistent. The CI/CD pipeline should be the place where you automate all checks that will assess your (micro)service from a quality perspective. Tools like Semgrep can bring automation with less effort for standards not obviously suited for automation.

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  • PMD

    An extensible multilanguage static code analyzer.

    some good tools for general code analysis (Java): Sonarqube, PMD, SpotBugs

  • Logback

    The reliable, generic, fast and flexible logging framework for Java.

    use an abstraction over the actual logging implementation; for example in Java: slf4j with logback as implementation

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts