15 Audit tools
This chapter covers

  • Finding security vulnerabilities in a web application
  • Using OWASP ZAP to automatically scan for vulnerabilities
  • Using Security Code Scan and other static code analyzers
  • Learning how GitHub Advanced Security helps find security issues

In September 2019, GitHub acquired Semmle, a company providing a code analysis platform for securing software. About a year later, they had integrated and improved the code analysis service and published the results of a 5-month beta phase: 12,000 repositories were scanned, and over 20,000 security issues were identified (see http://mng.bz/woA2).

Not all security issues are visible when just looking at the code, especially for websites. As we have discussed previously in this book—for instance, in chapter 3 (cookie attributes) and chapter 9 (HTTP headers)—even the absence of certain security settings can count as a vulnerability. Therefore, testing an actual, running web application is an important approach as well. The “nine out of ten web applications have security vulnerabilities” study result from chapter 1 (here’s the link again: http://mng.bz/qYAJ) was obtained by doing exactly that: scanning running websites for issues.
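To make the point concrete, here is a small passive check of the kind a scanner such as OWASP ZAP performs against a running site: it looks only at the response headers and reports the missing settings from chapters 3 and 9 (cookie attributes, security headers) as findings. This is an added example, not code from the book or from the ZAP project; the list of required headers and the message texts are my own assumptions, and the two sample responses are constructed, not captured from any real site.

```python
"""Passive check for missing security settings in an HTTP response.

Like a passive scanner rule, it attacks nothing: the response headers are
only inspected and each absent setting is reported as a finding.
"""
from __future__ import annotations

import urllib.request
from email.message import Message  # header container with case-insensitive, repeatable keys

# Headers whose absence counts as a finding (assumed subset; ZAP's rule set is larger).
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "HSTS missing: browsers may still connect over plain HTTP",
    "Content-Security-Policy": "CSP missing: no browser-side restriction on script sources",
    "X-Content-Type-Options": "X-Content-Type-Options missing: MIME sniffing not disabled",
    "X-Frame-Options": "X-Frame-Options missing: page may be framed (clickjacking)",
}
# Cookie attributes from chapter 3 that every session cookie should carry.
COOKIE_ATTRIBUTES = ("Secure", "HttpOnly", "SameSite")


def check_cookie(set_cookie: str) -> list[str]:
    """Return one finding per attribute missing from a single Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"cookie '{name}' lacks {attr}" for attr in COOKIE_ATTRIBUTES if attr.lower() not in present]


def check_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Return all findings for a list of (name, value) response headers."""
    msg = Message()
    for name, value in headers:
        msg[name] = value  # Message appends, so repeated Set-Cookie headers are all kept
    findings = [desc for name, desc in REQUIRED_HEADERS.items() if msg.get(name) is None]
    for cookie in msg.get_all("Set-Cookie", []):
        findings.extend(check_cookie(cookie))
    return findings


def scan_url(url: str) -> list[str]:
    """Run the same checks against a live response (use on applications you own)."""
    with urllib.request.urlopen(url) as resp:
        return check_headers(resp.getheaders())


# Constructed sample responses, not captured from any real site.
WEAK_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(response) or ["no findings"])
```

The weak response produces seven findings (four missing headers plus three missing cookie attributes), the hardened one none. Running `scan_url` against a development instance of your own application gives the same kind of result from the live response, which is exactly what a scanner sees and the source code alone does not show.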

15.1 Finding vulnerabilities

15.2 OWASP ZAP

15.3 Security Code Scan

15.4 GitHub Advanced Security

Summary