Category: Cybersecurity

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.

Security & Code Quality Tools

Post author By mohd.farihin.bin.anuar
Post date September 29, 2021

General & Generic Code Quality (Static Application Security Testing — SAST)

This is a White-box testing method. (inside out approach)

Checking naming conventions
Checking of duplicated codes
Highlighting complicated codes such as if-else while loops
OWASP vulnerability
CWE list

Tools to Use:

CheckMarx (https://checkmarx.com/product/cxsast-source-code-scanning/)
Sonarqube (https://www.sonarqube.org/)
Fortify Static Code Analyzer (https://www.microfocus.com/en-us/cyberres/application-security/static-code-analyzer)
Synk (https://snyk.io/product/snyk-code/)
Appknox for Mobile (https://www.appknox.com/vulnerability-assessment/sast)
CodeScan for Salesforce Development (https://www.codescan.io/)

Dynamic Vulnerability (Dynamic Application Security Testing — DAST)

This is a Black-box/Grey-box testing method. (Outside in approach)

Performed on runtime with deployed binaries.
Checks for application inputs and responses.
Crawls the site

Tools to Use:

Acunetix (https://www.acunetix.com/)
Appscan (https://cloud.appscan.com/)
CheckMarx (https://checkmarx.com/product/cxiast-interactive-code-scanning/)
Fortify WebInspect (https://www.microfocus.com/en-us/cyberres/application-security/webinspect)
OWASP Zap (https://www.zaproxy.org/)
Netsparker (https://www.netsparker.com/)

Dependency Libraries Vulnerabilities

Open-source security

Software composition analysis (SCA)
Scans each OSS library

Tools to Use:

Nexus Lifecycle (https://www.sonatype.com/products/open-source-security-dependency-management)
OSS Index (https://ossindex.sonatype.org/)
OWASP Dependency Check (https://owasp.org/www-project-dependency-check/)
Synk (https://snyk.io/product/open-source-license-compliance/)

Container Security

Cloud-based applications and server-less

Signature monitoring of container drifts and rogue containers
Scans for setup errors and vulnerabilities
Provides risk scoring for vulnerability type
Checks image registries and specific images are used

Tools to Use:

Aqua Security (https://www.aquasec.com/)
Anchore (https://anchore.com/)
Claire (https://github.com/quay/clair)
Docker Bench (https://github.com/docker/docker-bench-security)
Prisma Cloud (https://www.paloaltonetworks.com/prisma/cloud/container-security)

Share this article