Squid's (not the game)



When I develop code, I have never gotten it right the first time. This is compounded when you work on integration tooling. With integration it is also about sending and receiving data from heterogeneous sources. Often you don't really know what you have to send, and often you don't know what your integration tool is actually sending. Especially when the tool might add addressing details, or security tokens, or format the data in its preferred way.

To help when doing this work, one of the easiest ways of understanding what data is flowing is to proxy all the requests.

TCPMon is still quite a popular tool for this, but there are others, such as Burp Suite.

Mostly these are used as part of debugging in development or troubleshooting.

There are other legitimate uses for proxies that you might come across, particularly if you need to send data through some chain of networks outside your organization. There can be a need to do this from on premise (with older style deployments), but also from the public cloud, where you would most likely have stricter controls on how applications can access and authenticate to data outside the software configured network or organization.

There's an IBM article here on how to set up authentication for an outgoing proxy.

https://www.ibm.com/docs/en/integration-bus/10.0?topic=security-routing-requests-through-http-proxy-server-that-has-authentication-enabled

So to help make sure that only "proper" proxying is left in the code, and it's not configuration that a developer has forgotten to remove, we have added a new rule:

R504 – A non HTTPS proxy is being used (WMB)


As I mentioned, there are legitimate proxies that can be used. These wouldn't be common, and generally you wouldn't expect to have multiple proxies used. Each proxy would require separate configuration. If you were setting up Palo Alto, or Squid, you are likely to prefer having a single network device to configure rather than having multiple egress points.

Having more than one proxy might be an indication of excessive complexity in your network, or possibly of developer misconfiguration.

So to catch when developers have more than one proxy being used, we added a new rule:

R505 - Multiple proxies have been used (WMB)
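
To make the two checks concrete, here is an added example (not the product's implementation of R504 or R505, and not code from the original post). It assumes a hypothetical "flow#node.proxy=value" override format, treats any proxy value whose scheme is not https as an R504-style finding, and reports every distinct proxy endpoint as an R505-style finding when more than one is in use. The sample data is constructed.

```python
from urllib.parse import urlsplit

# Constructed sample in a hypothetical "flow#node.proxy=value" override format.
SAMPLE = """\
# constructed sample overrides
OrderFlow#HTTP Request.proxy=http://localhost:8080
OrderFlow#Notify Partner.proxy=https://egress.example.internal:3128
BillingFlow#HTTP Request.proxy=https://egress.example.internal:3128
BillingFlow#Lookup.timeout=30
"""

def parse_proxies(text):
    """Return (node, proxy_value) pairs for every '.proxy=' line."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.endswith(".proxy") and value:
            found.append((key[: -len(".proxy")], value))
    return found

def check(text):
    """Return (rule, where, detail) findings for the two proxy checks."""
    findings = []
    endpoints = {}  # (host, port) -> nodes that route through it
    for node, value in parse_proxies(text):
        # A bare host:port has no scheme; prefix '//' so urlsplit finds the host.
        parts = urlsplit(value if "://" in value else "//" + value)
        if parts.scheme.lower() != "https":
            findings.append(("R504", node, value))
        endpoints.setdefault((parts.hostname or "", parts.port), []).append(node)
    if len(endpoints) > 1:
        # More than one distinct egress point: list each with the nodes using it.
        for (host, port), nodes in sorted(endpoints.items(), key=str):
            findings.append(("R505", ", ".join(nodes), f"{host}:{port}"))
    return findings

if __name__ == "__main__":
    for rule, where, detail in check(SAMPLE):
        print(rule, where, detail)
```
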


We also summarize all the proxies found in the HTML summary page that we generate for your code, like below:


So you can keep track of the proxies that we identify in your code.


More information on our products and on pricing can be found on our website:

https://bettercodingtools.com

You can also reach me via email at:

[email protected]

Or contact me via the contact page on our website:

www.bettercodingtools.com/contact

Regards

Richard
