Thursday, 24 February 2022

Figma (online blackboard)

For several years I have been working remotely in a fully distributed team. Working in a distributed team means that sometimes we need tools that we would not normally need. An example of such a situation is several people working at the blackboard at the same time.

Everyone who has worked in a programming team knows how useful a blackboard can be: two or more developers can walk up to it and start writing and explaining various problems at the same time.

One of the tools trying to replace the blackboard for distributed teams is the Figma application. We used it yesterday in our Scrum retrospective and it generally worked. The team decided that the tool is OK and it lived up to its reputation, so I am leaving a note here on the blog in case I ever need the name of this solution again.



Friday, 18 February 2022

OWASP ZAP

Yesterday I was at a local .NET group meeting. One of the presentations was about automatic tools for improving code quality. The first tool presented was SonarQube, a static code analysis tool that I know and use. The second tool presented, for dynamic testing of the UI in terms of security, was OWASP ZAP. It is a "proxy" tool, i.e. it sits between the browser and the visited site and can inspect or modify the information sent to and from the browser. Anyone who has used Fiddler knows what a "browser proxy" is (the same type of tool, but improved).

In its default mode, OWASP ZAP lets the user browse the site "normally" while the tool underneath checks the traffic for security vulnerabilities. If someone already uses Selenium for automated tests, routing those tests through OWASP ZAP adds security tests on top of them.

OWASP ZAP can also be run from scripts, which makes it possible to plug it into a CI/CD pipeline or to generate a weekly report. It is recommended to run it against an instance other than production/test, because full scans can take a long time and generate server load.

The tool is open source and supported by the community.

Summary:

We have 3 main modes:

  • the user clicks through the page themselves (useful when we have an automated tester using Selenium)
  • basic scanning mode (useful to plug into a CI/CD tool and test automatically, e.g. with a larger deploy)
  • full scan mode (takes a long time, so it should run on a separate server as a nightly job).
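As an added example (not part of the original post), a small POSIX shell wrapper around the packaged scan scripts shipped in the official ZAP Docker image, covering the two scripted modes from the list above and refusing to scan hosts the team marks as production. The image name and flags are ones the ZAP image documents; the hostnames and the protected-host list are constructed placeholders.

```shell
#!/bin/sh
# Added example: run the ZAP baseline (CI) or full (nightly) scan via Docker.
# Assumes Docker is available; target URL and protected hosts come from the caller.
set -eu

ZAP_IMAGE="${ZAP_IMAGE:-ghcr.io/zaproxy/zaproxy:stable}"
# Hostnames that must never be scanned (constructed placeholder values).
PROTECTED_HOSTS="${PROTECTED_HOSTS:-shop.example.com api.example.com}"

# Extract the hostname from a URL: https://user@host:8443/path -> host
url_host() {
  printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://##; s#^[^/@]*@##; s#[:/].*$##'
}

# Return 0 when the target's host is on the protected list.
is_protected() {
  h=$(url_host "$1")
  for p in $PROTECTED_HOSTS; do
    [ "$h" = "$p" ] && return 0
  done
  return 1
}

# Build the docker command for a mode; printed rather than executed so CI logs show it.
scan_cmd() {
  mode=$1; target=$2
  case "$mode" in
    baseline) script="zap-baseline.py -m 5 -I" ;;  # passive spider for 5 min, warnings do not fail the build
    full)     script="zap-full-scan.py -j" ;;      # active scan with ajax spider: separate server, nightly
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  # /zap/wrk is where the packaged scripts write their reports.
  printf 'docker run --rm -v "%s:/zap/wrk/:rw" -t %s %s -t %s -r zap-%s-report.html\n' \
    "$PWD" "$ZAP_IMAGE" "$script" "$target" "$mode"
}

# Guarded entry point: run_scan baseline https://staging.example.com
run_scan() {
  if is_protected "$2"; then
    echo "refusing to scan protected host $(url_host "$2")" >&2
    return 1
  fi
  cmd=$(scan_cmd "$1" "$2")
  echo "+ $cmd"
  eval "$cmd"
}
```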


Friday, 4 February 2022

SonarQube

SonarQube is a tool for static code analysis. It detects bugs, security issues, duplicated code blocks, unit test coverage and other code smells. It has a great feature for working with multiple configurations, for example a "full project" and a "new code" analysis. This is a great option when adopting the tool on old software written years ago.

In my current project we have integrated this tool into Azure Pipelines, so we run it on each merge to the master branch (which is a good solution). SonarQube also has a plugin for Visual Studio, so we can see our bugs while we code.

My opinion: This is a tool that we needed a few years ago in one of my previous companies. I regret that I did not know this tool earlier.


Links:

Official website

Project page on Wikipedia