Tools to detect security vulnerabilities

[jonathanbossenger]

Details

• Content type (Online Workshop, Lesson, Course, Tutorial, or Lesson Plan): Lesson
• Content title: Tools to detect security vulnerabilities
• Topic description: Discuss tools and resources to help detect and prevent security vulnerabilities
• Audience (User, Developer, Designer, Contributor, etc.): Developer
• Experience Level (Beginner, Intermediate, Advanced, Any): Beginner

Learning Objectives

• Identify plugin solutions that can test plugins or themes for vulnerabilities
• Install a command line tool that can scan for vulnerabilities
• Define tools that can be installed in code editors to check for vulnerabilities
• Identify online resources to keep up to date with changing web security

Related Resources and Other Notes

• https://github.com/WordPress/plugin-check
• https://wordpress.org/plugins/theme-check/
• https://github.com/PHPCSStandards/PHP_CodeSniffer
• https://github.com/WordPress/WordPress-Coding-Standards
• https://www.sonarsource.com/open-source-editions/.
• https://owasp.org/about/

Automation Code

[smileBeda]

I am adding this here as it seems most appropriate:

A potential instruction as of how to incorporate wpcs into development workflow would possibly deserve a place here. The plugin review plugin is surely good but imo it’s better to just develop safely from the start, in the IDE, not go forth and back with scanners post-development. Also another tool that has saved my belated posterior a several times already is sonar cloud scanner. It’s free and has a few good things wpcs doesn’t look directly for.

[jonathanbossenger]

Thanks @smileBeda this is the perfect spot to add it.

I was thinking that renaming this lesson from just being focused on the plugin security checker, and rather "Useful tools to detect security vulnerabilities" would be a good switch, and then we can include these tools.

Concerning the Sonar Cloud Scanner, I will need to check with the training team. We do have specific guidelines about suggesting paid services (I know there's a free trial, but ultimately it's a paid product, and I have to follow those guidelines.

[smileBeda]

Sonar Cloud is 100% free, forever (And easily integrated to VS Code, etc, for free too). It is only paid (10 USD per month) if you require scans on private repositories.

However, it is not a necessity to mention that service... if we can even just bring WPCS more to the dev attention it is already a huge gain.

[jonathanbossenger]

Sonar Cloud is 100% free, forever

Thanks, can you point me to a link that shows that, I can't find that anywhere on the website.

Edit: Oh, wait, found it https://www.sonarsource.com/open-source-editions/.

[jonathanbossenger]

https://github.com/WordPress/Learn/assets/180629/1144ded3-f0fe-44cd-a60d-e5f05ed69c27

Video ready for review

Please follow the Guidelines for reviewing content to review this lesson.

[ironnysh]

Tutorial/Lessons Review Checklist

• [x] Learning outcomes/objectives are clear.
• [x] Technical concepts introduced in the content are accurate.
• [x] The speed of demonstrations are easy to follow.
• [x] The narration audio matches what is shown visually.
• [x] Spelling and grammar are correct.
• [x] Sound quality is consistent throughout the video.
• [ ] Brand Usage Guidelines and Promotional Guidelines are being followed.
• [ ] Media assets are all in the public domain (CC0).

Great tutorial, @Jonathan! Provides a solid closure to this miniseries.

[jonathanbossenger]

https://wordpress.tv/2024/05/11/tools-to-detect-security-vulnerabilities/

[pricelessopoku]

Please tick all items you've confirmed:

• [x] Learning outcomes/objectives are clear.
• [x] Technical concepts introduced in the content are accurate.
• [x] The speed of demonstrations are easy to follow.
• [x] The narration audio matches what is shown visually.
• [x] Spelling and grammar are correct.
• [x] Sound quality is consistent throughout the video.
• [ ] Brand Usage Guidelines and Promotional Guidelines are being followed.
• [ ] Media assets are all in the public domain (CC0).

Great video @jonathanbossenger, Clear, concise, and easy to follow.

[jonathanbossenger]

https://learn.wordpress.org/lesson/tools-to-detect-security-vulnerabilities/

[jonathanbossenger]

//publish