Locking It Down? Easy Tools to Help You Develop Secure Software
If you're like me, sometimes when you're working on bringing a great idea to life security can be a bit of an afterthought. You have already thought about the big stuff like TLS and implementing the right authentication and authorisation system, but there can still be blind spots - for example, how your application is handling user data flow, or how it's exposing that data to the rest of your application's code. Luckily there are tools that can help you with secure development, and I'll show you some of the big ones out there.
SonarQube is a hosted automatic static analysis tool that detects bugs, vulnerabilities and code smells in your code. It works great with your existing workflow - for example, when you make a pull request, it can automatically check for code smells in your work and produces a quality report which can appear in the conversation over on GitHub (or whichever version control system you use).
You're probably thinking "What's a code smell? Code doesn't smell!" 👃 While it isn't a fragrance, a code smell is a hint that there could be deeper problems in your code. By fixing code smells when they occur, this can help to prevent critical paths for vulnerabilities forming in your code that can be used for exploitation at some point. These are generally small things, like how you could be handling a string, or uncontrolled side effects of a function.
P.S. If anyone knows the term for some code that has a lot of smells, please let me know. Is the code stinky? Pungent? Who knows!
If you don't want to actually set up a SonarQube instance and you just need something simple that can work, SonarLint is great. It's made by the same team behind SonarQube but it's a text editor/IDE plugin that can run standalone without SonarQube and it highlights smells while you're writing code.
I hope this helps you get started with securing your code! Let me know if you have any thoughts or questions. 🙂