I'm looking for recommendations on tools to enhance our security standards for the code we develop at my company. We want to ensure we can detect vulnerabilities like SQL injection and CSRF. We primarily work with serverless lambdas that are accessed via API Gateway, so any specific tools or experiences you can share would be greatly appreciated!
3 Answers
In my opinion, training your developers on secure coding practices is crucial. Most vulnerabilities originate in the source code itself, so education can go a long way in preventing issues.
Don't forget to check out Helmet.js! It's a great npm package that helps secure your applications by setting various HTTP headers. Definitely worth considering in your stack.
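Helmet is Express middleware, so it does not drop straight into a Lambda handler behind API Gateway. Here is an added example (not from this thread or the Helmet project) that applies the same idea to an API Gateway proxy-integration response: a wrapper that adds a Helmet-style set of headers without overriding ones the handler set itself, plus an audit helper that reports which headers a response is missing. The header names and values are modeled on Helmet's defaults and the event/response shape is assumed to be the API Gateway proxy format.

```javascript
// Added example: Helmet-style security headers for an API Gateway proxy
// Lambda. Values are modeled on Helmet's defaults (assumption, not copied
// from the library); the response shape follows the proxy integration
// format { statusCode, headers, body }.
const SECURITY_HEADERS = {
  'Content-Security-Policy': "default-src 'self';frame-ancestors 'self';object-src 'none'",
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'no-referrer',
  'X-DNS-Prefetch-Control': 'off',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-origin',
};

// HTTP header names are case-insensitive, so a handler that set
// 'x-frame-options' must count as having set 'X-Frame-Options'.
function hasHeader(headers, name) {
  const wanted = name.toLowerCase();
  return Object.keys(headers).some((k) => k.toLowerCase() === wanted);
}

// Return a copy of the response with any missing security header filled in.
// Headers the handler chose explicitly are left untouched; the input object
// is not mutated.
function addSecurityHeaders(response) {
  const headers = { ...(response.headers || {}) };
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    if (!hasHeader(headers, name)) headers[name] = value;
  }
  return { ...response, headers };
}

// Wrap an async API Gateway proxy handler so every response it produces
// goes through addSecurityHeaders.
function withSecurityHeaders(handler) {
  return async (event, context) => addSecurityHeaders(await handler(event, context));
}

// Audit helper for tests or log review: which expected headers are absent?
function missingSecurityHeaders(response) {
  const headers = response.headers || {};
  return Object.keys(SECURITY_HEADERS).filter((name) => !hasHeader(headers, name));
}

// Constructed demo handler that sets its own, stricter frame policy.
const handler = withSecurityHeaders(async () => ({
  statusCode: 200,
  headers: { 'content-type': 'application/json', 'x-frame-options': 'DENY' },
  body: JSON.stringify({ ok: true }),
}));
```

Export `handler` as the Lambda entry point; `missingSecurityHeaders` can run in a unit test against each route's response so a regression in headers fails the build rather than reaching production.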
A solid option is SonarQube. It can be part of your security toolset, but be aware that it tends to generate a lot of false positives, which can be frustrating. Still, it provides insight on code quality too!
Yeah, I agree! SonarQube is great for general code quality checks, but it might not focus enough on security aspects to be relied upon solely for that.
Absolutely, while it has its uses, I think SonarQube might be better suited for overall code quality rather than being your primary security tool.