
Security Tools


I never had the chance to compile a list of available security tools in Q1 2021, so here it goes. If something’s missing from this list, anyone can freely open a PR and I’ll gladly update the list.

Security tooling available

After attending ZapCon ‘21, I received a feedback request email from them asking me to list the security tools I’ve used in the past.

| Name | Pricing model |
|---|---|
| checkmarx.com | Premium |
| synopsys.com | Premium |
| portswigger.net/burp | Premium/Community Edition |
| detectify.com | Premium |
| acunetix.com | Premium |
| veracode.com | Premium |
| dependabot.com | Open-Source |
| snyk.io | Free/Standard/Pro/Enterprise |
| stackhawk.com | Free/Pro/Enterprise |
| hcltechsw.com/wps/portal/products/appscan | Premium |
| dependencytrack.org | Open-Source |

Opinions

Of all these tools, I’ve heard good remarks on dependabot, mainly because it’s been Open-Source since GitHub acquired it; plus, it’s fairly simple to integrate into your CI/CD pipelines.

I saw dependencytrack demoed in a real use-case scenario, and what you can do with this tool is absolutely amazing: you can configure the server to push dependency deprecations into your PRs (Pull Requests), and you get a pretty neat unified dashboard with any security vulns for your apps. I definitely recommend it; plus, it’s easy to set up as they offer a Docker image, and it’s licensed under Apache 2.0.

veracode is amazing for scanning your on-prem systems, and this is just one use-case; there are plenty more out there. The main point is that you should know how/what to configure properly so that you get a good experience from it (like with all tools, nonetheless).

What you get

Depending on your needs, don’t go for something Premium just because you’re buying the support; trust me, in 2021 that is so overrated, and Support is not how it used to be. Now, when you open a ticket, if you’re lucky ☝️ you get someone experienced handling your case; otherwise you’ll get someone who constantly asks you for logs et al. and then just keeps escalating your issue to the heavenly gates, and you lose time & neurons…

Choosing something that’s Open-Source has way more benefits, because for most issues you can find a GitHub issue raised by someone else, or find something on StackOverflow, ddg.co or whatnot… It’s also good to share your experiences with the community 😉