
Securing Web Applications, the “Free” Way

Cybersecurity
Application Scanning
Vulnerability Scanning

This article will walk you through free tools to help secure your custom applications.

Secure Application Development

Building applications to solve a business need or to create a capability no one else has is one of the beautiful parts of application development. It has allowed our economies to grow and businesses to flourish in the information age by streamlining data and processes to achieve desired results faster, while allowing for flexibility, continuous change, and integration of these applications. The dark side of application development comes from programming languages and frameworks that grow continuously and change hands, bringing the risk of poorly supported packages or libraries as we shift toward installing others' code rather than writing our own. I suspect this will get worse as many turn to LLMs to create and review new code; these models often recommend a quick "npm install" to get a feature or piece of functionality rather than building the required module. Supply Chain Risk Management for developer security operations is coming into the spotlight as an imperative process for any developer: start learning and leveraging tools to secure your code and adopt better practices moving forward.

See my other Supply Chain Risk Management article here: https://www.jacklilley.us/work/spacex-supply-chain

This article is about how you can leverage FREE tools to start securing your applications and learn from your mistakes or even learn about new types of vulnerabilities your application may have.

GitHub:

More than just a code hosting platform, GitHub offers a wealth of security features, from the basics we would expect from any platform, such as user protections (think enforcing MFA on login), to more advanced features for development such as Dependabot, code scanning, and security policies. Not to mention the easy integration with Azure for deploying applications and managing the CI/CD pipeline in one place with GitHub Actions. These features make this a platform to be reckoned with, as it can do a fantastic job of reviewing your code for updates to modules/packages as well as looking for cleartext passwords and insecure configurations. However, to get the full picture external scanning is still required, and unfortunately, to use GitHub's code scanning feature you must be set up as a GitHub Organization and buy the advanced security license, starting at about $600 USD annually.
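As an added example that is not part of the original article, here is a minimal GitHub Actions workflow that uses only free features to catch the "quick npm install" risk described above: it installs from the lockfile, fails the build on high-severity advisories reported by `npm audit`, and grants the job read-only permissions. It assumes a Node.js project with a `package-lock.json` at the repository root (a hypothetical project, not one from the article).

```yaml
# .github/workflows/dependency-audit.yml (constructed example, not the author's)
name: Dependency audit

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      # Pin actions to a major version tag so updates are deliberate.
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      # `npm ci` installs exactly what the lockfile records and fails
      # if package.json and package-lock.json have drifted apart.
      - name: Install from lockfile
        run: npm ci

      # Fail the build when a dependency carries a high or critical advisory.
      - name: Audit dependencies
        run: npm audit --audit-level=high
```

Pair this with a `.github/dependabot.yml` that lists `package-ecosystem: "npm"` so Dependabot opens update pull requests, and this workflow will verify each one before it is merged.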

Qualys:

Did you know that Qualys has a FREE Community edition? Well, if not, now you do! I highly recommend checking it out: not only can it get you familiar with the base Qualys suite of tools, but it also comes with the ability to run external scans of your application, looking for several different things from misconfigured application security to insecure cryptographic methods, and it can even test with credentials, allowing it to see what it can do with an authenticated account. This free account allows you to have 1 web application and 16 managed assets (think endpoints or servers) WITH vulnerability scanning on those endpoints. It also is FREE FOREVER as long as you stay within the limits of the Community edition. (I highly recommend using Qualys for vulnerability management and patching recommendations.)

There is one last layer of protection I would like to add to this list, as it provides free real-time protection from the DNS perspective and can automatically mitigate some zero-day attacks, such as the HTTP/2 attack late last year. Enter Cloudflare:

Cloudflare:

Another innovator in their space, Cloudflare is not only a DNS registrar but also so much more. Cloudflare provides a WAF, DNS proxying, QUIC, WAF rules, enforced HTTPS, downgrade attack prevention, and more. This platform is one of the most powerful tools at your disposal, and all the features mentioned so far are ABSOLUTELY FREE. Of course, these have limitations on the free plan, just like the others I have described; however, this platform is a layer of security I would not recommend forgoing, as it can be a wonderful shield that speeds up your application, secures connections to it, and provides logging and monitoring for your application.

See my other article about Securing DNS here: https://www.jacklilley.us/work/dns-security

With the above platforms, you can start to leverage more secure application development methodologies in your applications as well as analyze your code for vulnerabilities and empower a secure CI/CD pipeline for FREE. The goal of illustrating free offerings around this topic is in hopes that more developers realize the impact of their applications and are empowered to lean into secure development practices.

In conclusion, it's the year 2024, and we need to move forward boldly and securely while empowering others to do the work using secure methodologies, so that investments in time, people, and organizational/platform trust are not vanquished by the unrelenting state of AI-powered attackers in this day and age. Of course, the tools mentioned above are no silver bullet; a good cybersecurity program looks like this:

Step 1. Find a cybersecurity framework for your organization to follow

Step 2. Align to your chosen framework

Step 3. Audit the success of your security program implementation

Step 4. Improve from the audit findings

Step 5. Stay abreast of cybersecurity updates, then loop back to Step 3.

Staying up to date with industry trends and security trends is important REGARDLESS of the industry you are in. Not regulated, but serving consumers? Think about the impact exposing their information could have on their families and the larger impact on society.

Be part of the change you want to see in the world and make technology safer for humans, one optimization at a time.

Free Tools

Here are free tools to help you:

GitHub: https://github.com/

Qualys: https://www.qualys.com/

Cloudflare: https://www.cloudflare.com/