Posts

Showing posts from January 2018

OSGi insights without Sonar

So I was on a project without Sonar. Oh my. Well, it was an OSGi project, so the problems couldn't be that bad, right? But how good were they (and what things were bad)? I found Stan4j, a code analysis tool for Eclipse, which draws nice graphs and can handle OSGi pretty well, it seems. Now I can see that dependencies/bundle names aren't properly aligned (even though OSGi doesn't complain), etc.

So that security thing

Well, web security is tricky. However, Mozilla can come to the rescue! They have the Observatory (https://observatory.mozilla.org/). It can scan a webpage for you and give it a bit of a rating. It's just a static check, on headers, etc. But it shows how far you've narrowed down your attack surface. Of course, it doesn't say anything about actual attacks (get ZAP for that).
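
What a static header check of this kind looks like, as an added example (not code from this post, and not the Observatory's own rules or scoring). The rule selection, the finding names and the six-month HSTS threshold are assumptions, and both sample responses are constructed.

```python
# Added example: static response-header check over constructed sample data.
# The rules and the six-month HSTS threshold are this example's assumptions.
MIN_HSTS_AGE = 15768000  # about six months, in seconds
HASHES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(value):
    """Map each CSP directive name to its list of lowercase source tokens."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])  # first occurrence wins
    return policy

def check_headers(headers, https=True):
    """Return finding ids, in check order, for one response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if https:
        hsts = h.get("strict-transport-security", "").lower()
        age = [p.split("=", 1)[1].strip().strip('"') for p in hsts.split(";")
               if p.strip().startswith("max-age=")]
        if not age:
            findings.append("hsts-missing")
        elif not age[0].isdigit() or int(age[0]) < MIN_HSTS_AGE:
            findings.append("hsts-weak-max-age")
    csp = parse_csp(h.get("content-security-policy", ""))
    script = csp.get("script-src", csp.get("default-src"))
    if not csp:
        findings.append("csp-missing")
    elif script is None:
        findings.append("csp-no-script-restriction")
    else:
        # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
        strict = any(t.startswith(HASHES) for t in script)
        if "*" in script or ("'unsafe-inline'" in script and not strict):
            findings.append("csp-script-src-permissive")
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no-clickjacking-protection")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "X-Frame-Options": "ALLOW-FROM https://example.test"}
STRONG = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
          "Content-Security-Policy": "default-src 'none'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; frame-ancestors 'none'",
          "X-Content-Type-Options": "nosniff"}
```

An empty result from `check_headers` only means the headers are set; how the application behaves under test is a separate question.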