🤑 Join the Treehouse affiliate program and earn 25% commission!

✨ No-code curious? Check out 4 new FREE Adalo courses and start building an app in minutes — no code required!

🌟 Dreaming of a bright future? 🎓 Ask about the Treehouse Scholarship program! 🚀

Well done!

You have completed Introduction to Application Security!

Sign up for Treehouse Back to Library

Preview

Sign up for Treehouse Continue

Using Automated Tools for Securing Your Site

2:05 with Alena Holligan and Jared Smith

The fight for secure web apps doesn’t always have to be manual. Many existing automated tools, both open-source and paid, will help expose security flaws in your web apps and services, reveal to you what needs to be changed, and put you in a better place next time attackers come knocking.

Teacher's Notes
Questions?
Video Transcript
Downloads
Workspaces

Automated tools

Snyk: https://snyk.io/
Snyk YouTube Tutorials: https://www.youtube.com/channel/UCh4dJzctb0NhSibjU-e2P6w
SonarCube: https://www.sonarqube.org/
SecurityHeaders: https://securityheaders.io/
Nessus/Tenable Scanner: https://www.tenable.com/products/tenable-io/web-application-scanning
Burp Suite and Burp Suite Scanner docs
ZAProxy: http://www.zaproxy.org/
14 Best Open Source Web Application Vulnerability Scanners

Further Reading on CI/CD and Security:

CI/CD pipeline security: Know the risks and best practices, by Matt Heusser
CI/CD Security: Securing Your CI/CD Pipeline - Sysdig
Cloud Security for DevOps: Integrating Security into the CI/CD Pipeline, by Emmanuel Odenyire Anyira - Medium

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

The fight for secure applications doesn't always have to be manual. 0:00

Many existing automated tools both open source and 0:04

paid, will help expose security flaws in your applications and services. 0:08

They can show you what needs to be changed so 0:13

that you can be in a better place next time attackers come knocking. 0:16

These tools can analyze your projects while they live 0:20

on a version control system such as GitHub. 0:23

They raise issues and interrupt releases when issues are discovered. 0:26

Other tools exist to analyze your code via a command line application. 0:31

These tools perform static analysis of your code. 0:36

They look at the structure and meaning of code without running it. 0:40

And thus discover ways to more fully protect critical resources, 0:44

endpoints and other assets. 0:49

Here are just a few of the tools that exist. 0:52

Snyk integrates with your version control system, and 0:55

raises issues when it analyzes your commits and finds security flaws. 0:58

SonarQube is developed and refined by leading academic and industry researchers 1:04

to find security flaws via static analysis of code in a variety of languages. 1:09

Securityheaders.io is a site where you enter your site's URL. 1:15

It will scan your site and 1:22

tell you whether you're using the proper security headers in your request. 1:23

Proper headers help protect your site from vulnerabilities like cross site scripting 1:28

and information exposure. 1:33

Not only can you use these tools on your own, but they can be 1:35

integrated into your continuous integration and deployment pipeline. 1:39

Greatly simplifying and streamlining your baseline security testing process. 1:44

Though this topic is too in-depth to cover here, we have linked resources for 1:50

integrating automated tools in the Teacher's notes. 1:55

I strongly suggest testing out some, if not all, 1:58

of these tools with your own projects. 2:02

You need to sign up for Treehouse in order to download course files.

Sign up

You need to sign up for Treehouse in order to set up Workspace

Sign up