chapter fifteen

15 Audit tools


This chapter covers

  • Which strategies exist to find security vulnerabilities in a web application
  • How to use OWASP ZAP to automatically scan for vulnerabilities
  • How to use Security Code Scan and other static code analyzers
  • How GitHub Advanced Security may help find security issues

In September of 2019, GitHub acquired Semmle, a company providing a code analysis platform for securing software. About one year later, GitHub had integrated and improved the code analysis service and published the results of a five-month beta phase: 12,000 repositories were scanned, and over 20,000 security issues were identified (Computer Weekly has a report at https://www.computerweekly.com/news/252489880/GitHub-makes-code-vulnerability-scanning-feature-public).

Especially for web sites, not all security issues are visible when just looking at the code. As we have discussed previously in this book, for instance in chapters 3 (cookie attributes) and 9 (HTTP headers), even the absence of certain security settings can count as a vulnerability. Therefore, testing an actual, running web application is an important approach as well. The “nine out of ten web applications have security vulnerabilities” study result from chapter 1 (here’s the link again: https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/) was obtained by doing exactly that: scanning running web sites for issues.

15.1 Finding Vulnerabilities

15.2 OWASP ZAP

15.3 Security Code Scan

15.4 GitHub Advanced Security

15.5 Summary