OWASP & static analysis tools (#83)

andyblundell · web-flow · commit 2949c5dd8835 · 2020-11-17T17:06:28.000Z
* OWASP &amp; static analysis tools

* Disclaimer about reliance on automated security tools
diff --git a/practices/security.md b/practices/security.md
@@ -18,6 +18,8 @@
 
 - Cover the **basics**
   - Ensure the [OWASP Top Ten](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project) is well understood and considered during software delivery
+    - Static code analysis tools can catch some of these issues early, for example [SonarQube](https://www.sonarqube.org/features/security/owasp/)
+    - Beware of over-reliance on automated tools: they can help to catch some issues, but they cannot be relied on to catch everything
   - Encode/validate all user input. Code against (and test for) XSS and injection attacks such as SQL/XML/JSON/CRLF
 - Ensure **authentication** is robust
   - Strong passwords and MFA
