As a developer who went through a bootcamp a few years ago, I can tell you the number one subject that was never touched upon was SECURITY.
On one hand, I get it. Starting your development journey can be quite challenging, especially when you're working to establish a strong foundation.
From learning a programming language, setting up routes, running servers, and conducting unit tests, to fetching data from databases, there's already a lot to handle.
Looking back, I can only imagine how overwhelming it would have been if security concerns were piled on top of all that.
While login security was always a consideration, the broader topic of security, ranging from Application Security (AppSec) to Cloud security, etc. was a vast and somewhat elusive subject.
My perspective shifted when I joined communities discussing security and my eyes were opened to a bigger picture.
I began uncovering the intricacies of concepts like SQL injection and vulnerabilities that are introduced through open-source dependencies.
The reason top-secret open-source projects often remain a mystery to newcomers is that to those new to development, security can seem like a distant realm.
So, let's explore some services that can enhance the security of your application at various stages.
It's important to note that while this list isn't exhaustive, one thing remains clear: never underestimate the importance of security.
It should always be a top priority because, as the saying goes, it's not a matter of if a security breach will occur, but when.
This leads us to the significance of maintaining comprehensive logs, especially in the event of such an incident.
Let's dive in and take a closer look!
One integrated API, BoxyHQ's Audit Logs will provide you or your customers the ability to record and search events that happen within your application.
an exportable record of read/write events. It also provides an API to send audit events and several different methods for customers to view and extract events.
For all companies but in particular large companies, the ability to monitor the flow of data and be alerted to any breaches is essential.
Audit logs help to pinpoint any misuse of information and ensure that data policies are followed
 Dotenv - Vault
The secrets manager for .env files which allows you to sync your
.env files with a single command, deploy them with an encrypted .env.vault file, and say goodbye to scattered secrets across multiple platforms and tools.
Here's a quick rundown of how to use it:
Make changes to your .env file.
Push those changes up using the command:
$ npx dotenv-vault@latest push.
Add the .env.vault file to your git repository:
$ git add .env.vault.
Commit the changes:
$ git commit -am "Add .env.vault.
Push the changes to your git repository:
$ git push.
 External Secrets
A Kubernetes operator that integrates external secret management systems like AWS Secrets Manager, HashiCorp Vault, Google Secrets Manager, Azure Key Vault, IBM Cloud Secrets Manager, and many more. The operator reads information from external APIs and automatically injects the values into Kubernetes Secrets.
synchronize secrets from external APIs into Kubernetes
ESO is a collection of custom API resources -
ClusterSecretStorethat provide a user-friendly abstraction for the external API that stores and manages the lifecycle of the secrets for you.
Scan all platform's version history for hidden secrets. Secrets get exposed in much more than code repositories.
Stop secrets from entering your platforms with various TruffleHog integrations (pre-commit hooks, CI integrations, etc.)
Remediation workflows puts power in the hands of the developers to fix these issues as they are found without having to engage security or triage false positives.
Here's how to use it:
To scan a GitHub repo, use the command:
trufflehog github --repo=https://github.com/trufflesecurity/test_keys --issue-comments --pr-comments.
To scan a GitHub repo using SSH authentication in docker, use the command:
docker run --rm -v "$HOME/.ssh:/root/.ssh:ro" trufflesecurity/trufflehog:latest git ssh://github.com/trufflesecurity/test_keys.
Replibyte is a tool that is used to seed databases with production data while keeping sensitive data safe. It's a fast and easy-to-use tool that doesn't require anything special to get started.
Create a development dump from production.
Subset your production dump into a more reasonable size.
Hide sensitive data via customizable Transformers.
Make your development dump easily accessible from any remote and local databases.
Sqlmap, an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches lasting from database fingerprinting to fetching data from the database.
Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
Support to enumerate users, password hashes, privileges, roles, databases, tables, and columns.
Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
Don't underestimate the significance of security; the beauty of open-source lies in the availability of countless tools that can kickstart your journey.
This is a lifelong adventure woven into the fabric of software development throughout your Software Development Life Cycle (SDLC).
I'd be genuinely interested in knowing the tools you've incorporated into your security practices, so please feel free to share them in the comments.