Locking It Down? Easy Tools to Help You Develop Secure Software

(Originally written Sunday, 9 January 2022)

If you're like me, security can sometimes be a bit of an afterthought when you're working on bringing a great idea to life. You have already thought about the big stuff like TLS and implementing the right authentication and authorisation system, but there can still be blind spots - for example, how your application is handling user data flow, or how it's exposing that data to the rest of your application's code. Luckily there are tools that can help you with secure development, and I'll show you some of the big ones out there.

1. SonarQube

SonarQube is a hosted automatic static analysis tool that detects bugs, vulnerabilities and code smells in your code. It works great with your existing workflow - for example, when you make a pull request, it can automatically check for code smells in your work and produce a quality report, which can appear in the conversation over on GitHub (or whichever version control system you use).


You're probably thinking *"What's a code smell? Code doesn't smell!"* 👃 While it isn't a fragrance, a code smell is a hint that there could be deeper problems in your code. Fixing code smells when they occur can help to prevent critical paths for vulnerabilities from forming in your code, paths that could be used for exploitation at some point. These are generally small things, like how you could be handling a string, or uncontrolled side effects of a function.
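To make those two "small things" concrete, here is an added example (constructed for this page, not taken from SonarQube or the original post) showing a loose string check and a function with an uncontrolled side effect, each next to a cleaned-up version. The function names and role values are hypothetical.

```python
# Constructed example: two small smells and their cleaned-up counterparts.

ADMIN_ROLES = frozenset({"admin"})  # hypothetical allow-list


def is_admin_smelly(role: str) -> bool:
    # Smell (string handling): a substring test, so "non-admin" passes too.
    return "admin" in role


def is_admin_clean(role: str) -> bool:
    # Exact match against an allow-list after normalising the input.
    return role.strip().lower() in ADMIN_ROLES


def add_roles_smelly(new_roles, roles=[]):
    # Smell (side effect): the default list is created once, when the
    # function is defined, and is shared by every call that omits `roles`.
    roles.extend(new_roles)
    return roles


def add_roles_clean(new_roles, roles=None):
    # A fresh list per call; the caller's own list is never mutated.
    granted = list(roles) if roles is not None else []
    granted.extend(new_roles)
    return granted


def demo():
    """Run both versions on the same constructed inputs."""
    results = {
        "substring_smelly": is_admin_smelly("non-admin"),
        "substring_clean": is_admin_clean("non-admin"),
    }
    add_roles_smelly(["admin"])                            # first caller
    results["shared_smelly"] = add_roles_smelly(["read"])  # second caller
    add_roles_clean(["admin"])
    results["shared_clean"] = add_roles_clean(["read"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the smelly versions the second caller ends up with the first caller's `admin` role and `"non-admin"` is treated as an admin; neither line looks dangerous on its own, which is why catching them as smells early is useful.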

P.S. If anyone knows the term for some code that has a lot of smells, please let me know. Is the code stinky? Pungent? Who knows!

2. SonarLint

If you don't want to actually set up a SonarQube instance and you just need something simple that can work, SonarLint is great. It's made by the same team behind SonarQube, but it's a text editor/IDE plugin that can run standalone without SonarQube, and it highlights smells while you're writing code.


3. Dependabot

Enabled by default on GitHub repositories, Dependabot automatically scans dependencies in Ruby, JavaScript, Python, PHP, Elixir, Elm, Go, Rust, Java and .NET projects, and if any of them have been updated to address security vulnerabilities, it'll update your dependency definitions to use the new versions. You can even run it yourself.

Dependabot Repository