Security Tools
Web application security is a broad discipline that requires multiple layers of defense. No single tool covers every attack vector, so a mature security practice combines application scanners, secrets detectors, dependency analyzers, and configuration auditors. This lesson provides a detailed guide to the most important security tools available, organized by category, with honest assessments of what each tool does well and where it falls short.
Application Security Scanners
CodeFrog
Pricing: $99/year — Platform: Desktop app (Mac and Windows)
CodeFrog performs comprehensive security scanning as part of its mega report. It checks for OWASP vulnerabilities, runs Gitleaks for secrets detection in public repositories, queries OSV.dev for known vulnerabilities in dependencies, and uses Semgrep for static analysis of common security anti-patterns. It also validates security headers, checks SSL/TLS configuration, and verifies that security.txt is properly configured.
CodeFrog is particularly valuable because it integrates security testing alongside accessibility, performance, SEO, and code quality checks. Rather than running five separate tools, you get a single comprehensive report. The ability to scan localhost means you can catch security issues before they ever reach production.
Best use cases
- Comprehensive security audits of websites including localhost
- Teams that want security integrated into a broader quality report
- Checking security headers, SSL/TLS, and security.txt in one pass
- Identifying exposed secrets in public Git repositories
OWASP ZAP
Pricing: Free, open-source — Platform: Desktop (Java), Docker, CLI
OWASP ZAP (Zed Attack Proxy) is the world's most widely used free web application security scanner. Maintained by the OWASP Foundation, ZAP acts as a man-in-the-middle proxy between your browser and the application, allowing it to intercept, inspect, and modify traffic. Its automated scanner crawls your site and tests for common vulnerabilities including SQL injection, cross-site scripting (XSS), broken authentication, and security misconfigurations.
ZAP supports both passive scanning (observing traffic without modifying it) and active scanning (sending attack payloads to test for vulnerabilities). It also includes a spider for crawling your application, a fuzzer for sending unexpected input, and an API for CI/CD integration. The HUD (Heads Up Display) mode provides a visual overlay in the browser for interactive testing.
Best use cases
- Comprehensive web application penetration testing
- CI/CD pipeline integration for automated security scanning
- Teams that need a free, enterprise-grade security scanner
- Learning web security through hands-on testing
Burp Suite
Pricing: Community Edition (free, limited features); Professional ($449/year); Enterprise (custom pricing) — Platform: Desktop (Java)
Burp Suite by PortSwigger is the industry-standard tool for professional web application security testing. Like ZAP, it works as an intercepting proxy, but Burp Suite Professional includes a significantly more advanced scanner, the Intruder tool for automated attack payloads, the Repeater for manual request manipulation, and an extensive extension marketplace (BApp Store).
Burp Suite is the tool of choice for most professional penetration testers and security researchers. The Community Edition is useful for learning but lacks the automated scanner and some advanced features. For teams with a security budget, the Professional edition provides the most thorough web application scanning available.
Best use cases
- Professional penetration testing engagements
- Advanced manual security testing and research
- Organizations with dedicated security teams
- Testing complex authentication flows and business logic vulnerabilities
Secrets Detection
Gitleaks
Pricing: Free, open-source — Platform: CLI (Go binary), GitHub Actions
Gitleaks scans Git repositories for secrets like API keys, tokens, passwords, and private keys that were accidentally committed. It examines the entire Git history, not just the current state of files, which is critical because removing a secret from HEAD does not remove it from earlier commits. Gitleaks uses regular expression patterns to detect over 100 types of secrets across all major cloud providers and services.
Gitleaks can run as a pre-commit hook to prevent secrets from being committed in the first place, as a CI step to scan on every push, or as a one-time audit of an existing repository. Its speed is a major advantage — it is written in Go and can scan large repositories in seconds.
Best use cases
- Pre-commit hooks to prevent secrets from entering the repository
- CI/CD pipeline scanning on every push or pull request
- Auditing existing repositories for historical secrets
- Teams using GitHub Actions (native integration available)
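The history point above (a secret deleted from HEAD still sits in earlier commits) in working code. This is an added example, not the lesson's code and not Gitleaks' rules or engine; the patch log, commit ids and key-like values are constructed, and the rule set and HEAD replay are simplified assumptions.

```python
"""Why secrets scanners walk the whole Git history, not just HEAD. Added
example: not the lesson's code and not Gitleaks' own rules or engine. The
patch log and the key-like values below are CONSTRUCTED (not real credentials)."""
import re

# Rules in the style secrets scanners use: name -> regex (the AWS key-id shape is public)
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-api-key": re.compile(r"(?i)api[_-]?key\s*[=:]\s*['\"][A-Za-z0-9]{20,}['\"]"),
}

# Constructed 'git log -p --reverse' style output: a key is committed, then removed.
CONSTRUCTED_LOG = """\
commit 1111111111111111111111111111111111111111
+AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
+api_key = "constructedconstructed1234567890"
commit 2222222222222222222222222222222222222222
-AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
+AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
-api_key = "constructedconstructed1234567890"
+api_key = os.environ["API_KEY"]
"""

def parse_log(text: str) -> list:
    """Split patch output into (commit_id, [added lines]) in log order."""
    commits = []
    for line in text.splitlines():
        if line.startswith("commit "):
            commits.append((line.split()[1], []))
        elif line.startswith("+") and commits:
            commits[-1][1].append(line[1:])
    return commits

def find_secrets(lines: list) -> list:
    """Apply every rule to every line; returns (rule, matched text) pairs."""
    return [(rule, m.group(0)) for line in lines for rule, p in RULES.items() for m in p.finditer(line)]

def scan_history(text: str) -> list:
    """Secrets ever ADDED in any commit, with the commit that introduced them."""
    return [(cid, rule, hit) for cid, added in parse_log(text) for rule, hit in find_secrets(added)]

def head_lines(text: str) -> list:
    """Crude HEAD reconstruction: replay '+' and '-' lines in order (no file or position tracking)."""
    lines = []
    for line in text.splitlines():
        if line.startswith("+"):
            lines.append(line[1:])
        elif line.startswith("-") and line[1:] in lines:
            lines.remove(line[1:])
    return lines
```

A HEAD-only scan of this log reports nothing, while the history scan attributes both secrets to the first commit; that is the case a pre-commit hook prevents and a one-time audit catches.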
TruffleHog
Pricing: Free, open-source (Enterprise version available) — Platform: CLI (Go binary), Docker
TruffleHog by Truffle Security takes a verification-first approach to secrets detection. Beyond finding patterns that look like secrets, TruffleHog actively verifies whether detected secrets are live and valid by testing them against the relevant APIs. This dramatically reduces false positives — instead of a list of possible secrets, you get a list of confirmed, active credentials that need immediate rotation.
TruffleHog scans Git repositories, S3 buckets, filesystems, and other data sources. It supports over 700 secret types and is actively maintained with new detectors added regularly.
Best use cases
- Reducing false positives through live secret verification
- Scanning non-Git data sources (S3, filesystems, Docker images)
- Incident response when a breach is suspected
- Teams that need high-confidence results without manual triage
Dependency and Supply Chain Security
Snyk
Pricing: Free tier (up to 200 tests/month); paid Team and Enterprise plans — Platform: CLI, web dashboard, IDE plugins, CI/CD integrations
Snyk provides comprehensive dependency vulnerability scanning across multiple package ecosystems including npm, PyPI, Maven, RubyGems, and more. It scans your dependency tree (including transitive dependencies), identifies known vulnerabilities, and provides fix recommendations — often suggesting the minimum version upgrade needed to resolve the issue.
Snyk goes beyond simple vulnerability detection. It provides exploit maturity data (is there a known exploit in the wild?), severity scoring, and automated pull requests to fix vulnerable dependencies. The platform also covers container security and infrastructure-as-code scanning.
Best use cases
- Continuous dependency vulnerability monitoring
- Automated pull requests to fix vulnerable dependencies
- Teams using multiple package ecosystems
- Organizations that need a dashboard for security posture tracking
Dependabot
Pricing: Free (included with GitHub) — Platform: GitHub-native
Dependabot is GitHub's built-in dependency update and vulnerability alerting service. It monitors your dependency files (package.json, Gemfile, requirements.txt, etc.), alerts you when known vulnerabilities are found, and automatically creates pull requests to update vulnerable dependencies to safe versions.
Dependabot also supports version updates — it can create pull requests for all dependency updates, not just security-related ones. This keeps your dependencies fresh and reduces the risk of falling far behind on updates, which makes security patches harder to apply.
Best use cases
- Any project hosted on GitHub — zero setup required
- Automated security updates for dependencies
- Keeping all dependencies up to date, not just vulnerable ones
- Teams that want a low-maintenance dependency management solution
OSV.dev
Pricing: Free, open-source — Platform: Web API, CLI
OSV.dev is Google's open-source vulnerability database that aggregates data from multiple sources including the National Vulnerability Database (NVD), GitHub Advisory Database, and ecosystem-specific databases. The OSV-Scanner CLI tool can scan your project's lockfiles and SBOMs to identify known vulnerabilities.
OSV uses a precise vulnerability format that maps directly to package versions, eliminating the ambiguity that can occur with CVE descriptions. This makes it particularly reliable for automated scanning in CI/CD pipelines.
Best use cases
- Free vulnerability scanning for open-source projects
- CI/CD integration via the OSV-Scanner CLI
- Querying vulnerability data programmatically via the API
- Projects that need precise, version-aware vulnerability matching
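The version-aware matching the OSV format enables, as an added example (not the lesson's code and not OSV-Scanner's own logic). The vulnerability record is constructed to follow the OSV schema with a placeholder id, package name and versions; the version comparator is a deliberate simplification labelled in the code.

```python
"""Version matching in the OSV vulnerability format. Added example: not the
lesson's code and not OSV-Scanner's own logic. The record below is CONSTRUCTED
to follow the OSV schema; its id, package name and versions are placeholders."""

# Constructed response shaped like the output of POST https://api.osv.dev/v1/query
SAMPLE_OSV_RESPONSE = {"vulns": [{
    "id": "EXAMPLE-0000-PLACEHOLDER",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "example-pkg"},
        "ranges": [{"type": "SEMVER",
                    "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}],
        "versions": ["1.2.0", "1.3.0", "1.4.0"]}]}]}

def _key(version: str) -> tuple:
    """Simplified ordering (dotted integers, pre-release tag dropped); real ecosystems need their own comparator."""
    return tuple(int(p) for p in version.split("-")[0].split("."))

def version_in_range(version: str, events: list) -> bool:
    """Pair events into windows: 'introduced' opens one, 'fixed' (exclusive) or 'last_affected'
    (inclusive) closes it; introduced '0' means every version. Events assumed in ascending order."""
    v, start = _key(version), None
    for event in events:
        if "introduced" in event:
            start = event["introduced"]
            continue
        opened = start is not None and (start == "0" or v >= _key(start))
        if opened and "fixed" in event and v < _key(event["fixed"]):
            return True
        if opened and "last_affected" in event and v <= _key(event["last_affected"]):
            return True
        start = None
    return start is not None and (start == "0" or v >= _key(start))  # never-closed window

def matching_vuln_ids(response: dict, ecosystem: str, name: str, version: str) -> list:
    """Ids of the vulns in a query response that apply to this exact package version."""
    hits = []
    for vuln in response.get("vulns", []):
        for aff in vuln.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
                continue
            explicit = version in aff.get("versions", [])  # enumerated, no ordering needed
            ranged = any(r.get("type") in ("SEMVER", "ECOSYSTEM")
                         and version_in_range(version, r["events"])
                         for r in aff.get("ranges", []))
            if explicit or ranged:
                hits.append(vuln["id"])
                break
    return hits
```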
Configuration and Header Analysis
Mozilla Observatory
Pricing: Free — Platform: Web
Mozilla Observatory scans your website and grades its HTTP security header configuration. It checks for Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and other headers that protect against common web attacks. The tool provides a letter grade (A+ through F) and specific recommendations for improvement.
Best use cases
- Quick assessment of your HTTP security header configuration
- Benchmarking your site against Mozilla's recommended security practices
- Generating a shareable security grade for stakeholders
SecurityHeaders.com
Pricing: Free — Platform: Web
SecurityHeaders.com by Scott Helme provides a focused analysis of your HTTP response headers. Like Mozilla Observatory, it grades your headers and provides recommendations, but it also includes checks for newer headers like Permissions-Policy and Cross-Origin-Opener-Policy. The simple interface makes it easy to run quick checks during development.
Best use cases
- Fast header checks during development and deployment
- Verifying that new security headers are properly configured
- Comparing header configurations across environments
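A local pre-check in the spirit of what Mozilla Observatory and SecurityHeaders.com grade, useful before a deploy or on localhost where the online tools cannot reach. This is an added example, not either tool's code or scoring; the HSTS threshold, the CSP rule and the weak and hardened header sets are constructed for illustration.

```python
"""Local pre-check of the HTTP security headers that Mozilla Observatory and
SecurityHeaders.com grade. Added example: not either tool's code or scoring;
the thresholds and both header sets below are constructed for illustration."""
HSTS_MIN_AGE = 15552000  # assumed floor for this example (about six months)

def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    parts = [p.split() for p in value.split(";") if p.split()]
    return {tokens[0].lower(): tokens[1:] for tokens in parts}

def check_headers(headers: dict) -> list:
    """Return finding strings for a response's headers; [] means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    findings = []
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:  # script-src falls back to default-src when absent
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP script sources allow unsafe-inline or wildcard")
    hsts = h.get("strict-transport-security", "").lower().replace(" ", "")
    ages = [t[8:] for t in hsts.split(";") if t.startswith("max-age=") and t[8:].isdigit()]
    max_age = int(ages[0]) if ages else 0
    if max_age < HSTS_MIN_AGE:
        findings.append("HSTS missing or max-age below %d" % HSTS_MIN_AGE)
    elif "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    framed = h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    if not framed and "frame-ancestors" not in csp:
        findings.append("no clickjacking defence (X-Frame-Options or frame-ancestors)")
    for name in ("referrer-policy", "permissions-policy", "cross-origin-opener-policy"):
        if name not in h:
            findings.append("missing " + name)
    return findings

# Constructed header sets: a weak deployment beside its hardened counterpart.
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300",
                "Content-Security-Policy": "default-src * 'unsafe-inline'"}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=()", "Cross-Origin-Opener-Policy": "same-origin"}
```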
SSL Labs
Pricing: Free — Platform: Web
Qualys SSL Labs provides the most thorough SSL/TLS configuration testing available. It analyzes your server's TLS implementation, checking the certificate chain, protocol versions, cipher suites, key exchange parameters, and vulnerability to known attacks (POODLE, Heartbleed, BEAST, ROBOT). The detailed report shows exactly which protocols and ciphers are enabled and provides a letter grade.
Best use cases
- Validating SSL/TLS configuration after server setup or changes
- Identifying weak cipher suites or deprecated protocol versions
- Verifying certificate chain correctness
- Compliance checks that require strong TLS configuration
Resources
- OWASP — Free Application Security Tools — Comprehensive directory of free and open-source security tools
- OWASP Cheat Sheet Series — Practical guidance for implementing security controls