Factor in dependencies (bits of code handled by third-party programmers which they have shared out of the kindness of their hearts), and you’re looking at more code than you could ever practically revisit. In this case, finding security holes happens in one of three ways:
- You perform a massive security audit of all your code. This is considered impractical for many, many projects.
- A friendly hacker who does it for fun and/or profit finds security holes, and tells you about them.
- You and your customers find out the hard way.
Snyk is an app that tests other people’s code for security vulnerabilities (and also the sound that Wolverine’s claws make when they come out). It just came out of beta (the app, not the sound) and it was created to counter the problems inherent in trying to maintain hundreds of thousands, or millions, of lines of code.
You can run it from the command line, run it online, or through GitHub. You can test your own code, of course, and you can test your dependencies automatically. It will even help you open issues and create pull requests on GitHub, so you can help out the people who build these third-party libraries.
After a test, it will tell you and your development team exactly where to find the problem, the nature of it, and even provide suggested fixes.
Mind you, the system seems to use a vulnerability database, so if you manage to create a brand new, no-one’s-seen-this-before security hole, it probably won’t help. You don’t want to use this app to replace your security experts. You’d want to use it to make their jobs a lot easier.
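To make the “vulnerability database” point concrete, here is an added illustration (not Snyk’s code, and not part of the original article) of the matching idea at its simplest: a project’s installed dependency versions are compared against a list of advisories that each carry an affected-version range and a fixed-in version. All package names, versions and advisory ids are constructed placeholders, and the range syntax is a deliberately small subset of semver. Note that a dependency with no database entry produces no finding at all, which is exactly the limitation described above.

```javascript
// Added example (not Snyk's code): a minimal dependency audit that matches a
// project's installed dependencies against a database of known advisories.
// Every package name, version and advisory id here is a constructed placeholder.

// Constructed "lockfile": package name -> installed version
const installedDependencies = {
  "left-pad-ish": "1.0.3",
  "querystringy": "0.8.1",
  "marked-ish": "2.1.0",
  "tiny-http": "3.4.0",
};

// Constructed vulnerability database (these are not real advisories).
const vulnerabilityDatabase = [
  { id: "EXAMPLE-0001", package: "querystringy", affected: "<1.0.0",
    fixedIn: "1.0.0", title: "prototype pollution (constructed)" },
  { id: "EXAMPLE-0002", package: "marked-ish", affected: ">=2.0.0 <2.1.4",
    fixedIn: "2.1.4", title: "XSS via link rendering (constructed)" },
  { id: "EXAMPLE-0003", package: "tiny-http", affected: "<2.0.0",
    fixedIn: "2.0.0", title: "header injection (constructed)" },
];

// Parse "major.minor.patch" into three integers; reject anything else.
function parseVersion(v) {
  const parts = v.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`bad version: ${v}`);
  }
  return parts;
}

// Numeric comparison, component by component (-1, 0, 1).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Small semver subset: a space-separated conjunction of <, <=, >, >=, = clauses.
function satisfies(version, range) {
  return range.split(/\s+/).every((clause) => {
    const m = clause.match(/^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const op = m[1] || "=";
    const cmp = compareVersions(version, m[2]);
    switch (op) {
      case "<": return cmp < 0;
      case "<=": return cmp <= 0;
      case ">": return cmp > 0;
      case ">=": return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

// Core of the audit: report every advisory whose affected range covers the
// installed version. A package absent from the database yields no finding,
// which is why a brand-new, undisclosed flaw is invisible to this approach.
function auditDependencies(deps, db) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    for (const advisory of db) {
      if (advisory.package === name && satisfies(version, advisory.affected)) {
        findings.push({
          id: advisory.id,
          package: name,
          installed: version,
          affected: advisory.affected,
          title: advisory.title,
          suggestedFix: `upgrade ${name} to ${advisory.fixedIn}`,
        });
      }
    }
  }
  return findings;
}

// Human-readable report of the kind a developer would act on.
function formatReport(findings) {
  if (findings.length === 0) return "No known vulnerabilities found.";
  return findings
    .map((f) => `${f.id}: ${f.package}@${f.installed} is in ${f.affected} ` +
                `(${f.title}); fix: ${f.suggestedFix}`)
    .join("\n");
}

console.log(formatReport(auditDependencies(installedDependencies, vulnerabilityDatabase)));
```

Running it reports two findings (the constructed querystringy and marked-ish entries) and nothing for tiny-http, whose installed version is past the affected range, or for left-pad-ish, which has no database entry. A real scanner adds a proper semver parser, transitive dependency resolution and a continuously updated database, but the match-then-suggest-an-upgrade shape is the same.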
Pricing is very reasonable. For open source projects, it’s free, and it always will be. For private projects, the plans start at 19 USD per month for up to five projects. From there, the price goes up to 349 USD per month, and you can also negotiate a custom Enterprise plan if you need to.