rhetenor/awesome-awesomeness
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
652812eed0d0ae17376945242133acb706f9b01f
awesome-awesomeness/html/devsecops.html
rhetenor 5916c5c074 update lists
2025-07-18 22:22:32 +02:00

800 lines
39 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<figure>
<img src="media/banner.png" alt="Awesome" />
<figcaption aria-hidden="true">Awesome</figcaption>
</figure>
<p align="center">
<a href="https://awesome.re">
<img alt="Awesome" src="https://awesome.re/badge-flat.svg"> </a>
</p>
<hr/>
<blockquote>
<p>Curating the best DevSecOps resources and tooling.</p>
</blockquote>
<p><a
href="https://www.rapid7.com/fundamentals/devsecops/">DevSecOps</a> is
an extension of the <a
href="https://www.atlassian.com/devops">DevOps</a> movement that aims to
bring security practices into the development lifecycle through
developer-centric security tooling and processes.</p>
<p>Contributions welcome. Add links through pull requests or create an
issue to start a discussion.</p>
<!-- omit in toc -->
<h2 id="contents">Contents</h2>
<ul>
<li><a href="#resources">Resources</a>
<ul>
<li><a href="#articles">Articles</a></li>
<li><a href="#books">Books</a></li>
<li><a href="#communities">Communities</a></li>
<li><a href="#conferences">Conferences</a></li>
<li><a href="#newsletters">Newsletters</a></li>
<li><a href="#podcasts">Podcasts</a></li>
<li><a href="#secure-development-guidelines">Secure Development
Guidelines</a></li>
<li><a href="#secure-development-lifecycle-framework">Secure Development
Lifecycle Framework</a></li>
<li><a href="#toolchains">Toolchains</a></li>
<li><a href="#training">Training</a></li>
<li><a href="#wikis">Wikis</a></li>
</ul></li>
<li><a href="#tools">Tools</a>
<ul>
<li><a href="#dependency-management">Dependency Management</a></li>
<li><a href="#dynamic-analysis">Dynamic Analysis</a></li>
<li><a href="#infrastructure-as-code-analysis">Infrastructure as Code
Analysis</a></li>
<li><a href="#intentionally-vulnerable-applications">Intentionally
Vulnerable Applications</a></li>
<li><a href="#monitoring">Monitoring</a></li>
<li><a href="#secrets-management">Secrets Management</a></li>
<li><a href="#secrets-scanning">Secrets Scanning</a></li>
<li><a href="#static-analysis">Static Analysis</a></li>
<li><a href="#supply-chain-security">Supply Chain Security</a></li>
<li><a href="#threat-modelling">Threat Modelling</a></li>
</ul></li>
<li><a href="#related-lists">Related Lists</a></li>
</ul>
<h2 id="resources">Resources</h2>
<h3 id="articles">Articles</h3>
<ul>
<li><a
href="https://www.pagerduty.com/blog/security-training-at-pagerduty/">Our
Approach to Employee Security Training</a> - <em>Pager Duty</em> -
Guidelines to running security training within an organisation.</li>
<li><a href="https://spacelift.io/blog/what-is-devsecops">DevSecOps:
Making Security Central To Your DevOps Pipeline</a> - <em>Spacelift</em>
- An article explains what DevSecOps aims to achieve, why its
advantageous, and how the DevSecOps lifecycle looks.</li>
</ul>
<h3 id="books">Books</h3>
<ul>
<li><a
href="https://www.wiley.com/en-gb/Alice+and+Bob+Learn+Application+Security-p-9781119687405">Alice
and Bob Learn Application Security</a> - <em>Tanya Janca</em> - An
accessible and thorough resource for anyone seeking to incorporate, from
the beginning of the System Development Life Cycle, best security
practices in software development.</li>
</ul>
<h3 id="communities">Communities</h3>
<ul>
<li><a href="https://www.devseccon.com/">DevSecCon</a> - <em>Snyk</em> -
A community that runs conferences, a blog, a podcast and a Discord
dedicated to DevSecOps.</li>
<li><a href="https://tag-security.cncf.io/">TAG Security</a> - <em>Cloud
Native Computing Foundation</em> - TAG Security facilitates
collaboration to discover and produce resources that enable secure
access, policy control, and safety for operators, administrators,
developers, and end-users across the cloud native ecosystem.</li>
</ul>
<h3 id="conferences">Conferences</h3>
<ul>
<li><a href="https://appsecday.io/">AppSec Day</a> - <em>OWASP</em> - An
Australian application security conference run by OWASP.</li>
<li><a href="https://www.devseccon.com/">DevSecCon</a> - <em>Snyk</em> -
A network of DevSecOps conferences run by Snyk.</li>
</ul>
<h3 id="newsletters">Newsletters</h3>
<ul>
<li><a href="https://shift-security-left.curated.co/">Shift Security
Left</a> - <em>Cossack Labs</em> - A free biweekly newsletter for
security-aware developers covering application security, secure
architecture, DevSecOps, cryptography, incidents, etc. that can be
useful for builders and (to a lesser extent) for breakers.</li>
</ul>
<h3 id="podcasts">Podcasts</h3>
<ul>
<li><a href="https://absoluteappsec.com/">Absolute AppSec</a> - <em>Seth
Law &amp; Ken Johnson</em> - Discussions about current events and
specific topics related to application security.</li>
<li><a href="https://podcast.securityjourney.com/">Application Security
Podcast</a> - <em>Security Journey</em> - Interviews with industry
experts about specific application security concepts.</li>
<li><a href="https://blog.aquasec.com/devsecops-podcasts">BeerSecOps</a>
- <em>Aqua Security</em> - Breaking down the silos of Dev, Sec and Ops,
discussing topics that span these subject areas.</li>
<li><a href="https://soundcloud.com/owasp-podcast">DevSecOps Podcast
Series</a> - <em>OWASP</em> - Discussions with thought leaders and
practitioners to integrate security into the development lifecycle.</li>
<li><a
href="https://www.mydevsecops.io/the-secure-developer-podcast">The
Secure Developer</a> - <em>Snyk</em> - Discussion about security tools
and best practices for software developers.</li>
</ul>
<h3 id="secure-development-guidelines">Secure Development
Guidelines</h3>
<ul>
<li><a
href="https://owasp.org/www-project-application-security-verification-standard/">Application
Security Verification Standard</a> - <em>OWASP</em> - A framework of
security requirements and controls to help developers design and develop
secure web applications.</li>
<li><a
href="https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards">Coding
Standards</a> - <em>CERT</em> - A collection of secure development
standards for C, C++, Java and Android development.</li>
<li><a
href="https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf">Fundamental
Practices for Secure Software Development</a> - <em>SAFECode</em> -
Guidelines for implementing key secure development practices throughout
the SDLC.</li>
<li><a
href="https://owasp.org/www-project-proactive-controls/">Proactive
Controls</a> - <em>OWASP</em> - OWASPs list of top ten controls that
should be implemented in every software development project.</li>
<li><a
href="https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines">Secure
Coding Guidelines</a> - <em>Mozilla</em> - A guideline containing
specific secure development standards for secure web application
development.</li>
<li><a
href="https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf">Secure
Coding Practices Quick Reference Guide</a> - <em>OWASP</em> - A
checklist to verify that secure development standards have been
followed.</li>
</ul>
<h3 id="secure-development-lifecycle-framework">Secure Development
Lifecycle Framework</h3>
<ul>
<li><a href="https://www.bsimm.com/framework.html">Building Security In
Maturity Model (BSIMM)</a> - <em>Synopsys</em> - A framework for
software security created by observing and analysing data from leading
software security initiatives.</li>
<li><a
href="https://www.microsoft.com/en-us/securityengineering/sdl/practices">Secure
Development Lifecycle</a> - <em>Microsoft</em> - A collection of tools
and practices that serve as a framework for the secure development
lifecycle.</li>
<li><a
href="https://csrc.nist.gov/CSRC/media/Publications/white-paper/2019/06/07/mitigating-risk-of-software-vulnerabilities-with-ssdf/draft/documents/ssdf-for-mitigating-risk-of-software-vulns-draft.pdf">Secure
Software Development Framework</a> - <em>NIST</em> - A framework
consisting of practices, tasks and implementation examples for a secure
development lifecycle.</li>
<li><a href="https://github.com/OWASP/samm">Software Assurance Maturity
Model</a> - <em>OWASP</em> - A framework to measure and improve the
maturity of the secure development lifecycle.</li>
</ul>
<h3 id="toolchains">Toolchains</h3>
<ul>
<li><a
href="https://www.sans.org/posters/cloud-security-devsecops-best-practices/">Cloud
Security and DevSecOps Best Practices <em>and</em> Securing Web
Application Technologies (SWAT) Checklist</a> - <em>SANS</em> - A poster
containing the Securing Web Application Technologies (SWAT) Checklist,
SANS Cloud Security Curriculum, Cloud Security Top 10, Top 12 Kubernetes
Threats, and Secure DevOps Toolchain.</li>
<li><a
href="https://xebialabs.com/periodic-table-of-devops-tools/">Periodic
Table of DevOps Tools</a> - <em>XebiaLabs</em> - A collection of
DevSecOps tooling categorised by tool functionality.</li>
</ul>
<h3 id="training">Training</h3>
<ul>
<li><a href="https://github.com/duo-labs/appsec-education">Application
Security Education</a> - <em>Duo Security</em> - Training materials
created by the Duo application security team, including introductory and
advanced training presentations and hands-on labs.</li>
<li><a href="https://www.cybrary.it/">Cybrary</a> - <em>Cybrary</em> -
Subscription based online courses with dedicated categories for
cybersecurity and DevSecOps.</li>
<li><a href="https://pentesterlab.com/">PentesterLab</a> -
<em>PentesterLab</em> - Hands on labs to understand and exploit simple
and advanced web vulnerabilities.</li>
<li><a href="https://www.practical-devsecops.com">Practical
DevSecOps</a> - <em>Practical DevSecOps</em> - Learn DevSecOps concepts,
tools, and techniques from industry experts with practical DevSecOps
using state of the art browser-based labs.</li>
<li><a href="https://academy.safestack.io/">SafeStack</a> -
<em>SafeStack</em> - Security training for software development teams,
designed to be accessible to individuals and small teams as well as
larger organisations.</li>
<li><a href="https://www.securecodewarrior.com/">Secure Code Warrior</a>
- <em>Secure Code Warrior</em> - Gamified and hands-on secure
development training with support for courses, assessments and
tournaments.</li>
<li><a href="https://www.secureflag.com/platform.html">SecureFlag</a> -
<em>OWASP</em> - Hands-on secure coding training for Developers and
Build/Release Engineers.</li>
<li><a href="https://sudo.pagerduty.com/for_engineers/">Security
Training for Engineers</a> - <em>Pager Duty</em> - A presentation
created and open-sourced by PagerDuty to provide security training to
software engineers.</li>
<li><a href="https://sudo.pagerduty.com/for_everyone/">Security Training
for Everyone</a> - <em>Pager Duty</em> - A presentation created and
open-sourced by PagerDuty to provide security training employees.</li>
<li><a href="https://academy.semgrep.dev/">Semgrep Academy</a> -
<em>Semgrep</em> - Free, on-demand courses covering topics including API
security, secure coding and application security.<br />
</li>
<li><a href="https://portswigger.net/web-security">Web Security
Academy</a> - <em>PortSwigger</em> - A set of materials and labs to
learn and exploit common web vulnerabilities.</li>
<li><a href="https://wehackpurple.com/">WeHackPuple</a> -
<em>WeHackPurple</em> - Online courses that teach application security
theory and hands-on technical lessons.</li>
</ul>
<h3 id="wikis">Wikis</h3>
<ul>
<li><a href="https://snyk.io/devsecops/">DevSecOps Hub</a> -
<em>Snyk</em> - Introduction to key DevSecOps concepts, processes and
technologies.</li>
<li><a href="https://knowledge-base.secureflag.com/">SecureFlag
Knowledge Base</a> - <em>OWASP</em> - A repository of information about
software vulnerabilities and how to prevent them.</li>
</ul>
<h2 id="tools">Tools</h2>
<h3 id="dependency-management">Dependency Management</h3>
<p>Open source software packages can speed up the development process by
allowing developers to implement functionality without having to write
all of the code. However, with the open source code comes open source
vulnerabilities. Dependency management tools help manage vulnerabilities
in open source packages by identifying and updating packages with known
vulnerabilities.</p>
<ul>
<li><a href="https://github.com/deepfence/ThreatMapper">Deepfence
ThreatMapper</a> - Apache v2, powerful runtime vulnerability scanner for
kubernetes, virtual machines and serverless.</li>
<li><a href="https://dependabot.com/">Dependabot</a> - <em>GitHub</em> -
Automatically scan GitHub repositories for vulnerabilities and create
pull requests to merge in patched dependencies.</li>
<li><a
href="https://owasp.org/www-project-dependency-check/">Dependency-Check</a>
- <em>OWASP</em> - Scans dependencies for publicly disclosed
vulnerabilities using CLI or build server plugins.</li>
<li><a href="https://dependencytrack.org/">Dependency-Track</a> -
<em>OWASP</em> - Monitor the volume and severity of vulnerable
dependencies across multiple projects over time.</li>
<li><a href="https://jfrog.com/xray/">JFrog XRay</a> - <em>JFrog</em> -
Security and compliance analysis for artifacts stored in JFrog
Artifactory.</li>
<li><a href="https://docs.npmjs.com/cli/audit">NPM Audit</a> -
<em>NPM</em> - Vulnerable package auditing for node packages built into
the npm CLI.</li>
<li><a href="https://renovate.whitesourcesoftware.com/">Renovate</a> -
<em>WhiteSource</em> - Automatically monitor and update software
dependencies for multiple frameworks and languages using a CLI or git
repository apps.</li>
<li><a href="https://requires.io/">Requires.io</a> - <em>Olivier Mansion
&amp; Alexis Tabary</em> - Automated vulnerable dependency monitoring
and upgrades for Python projects.</li>
<li><a
href="https://snyk.io/product/open-source-security-management/">Snyk
Open Source</a> - <em>Snyk</em> - Automated vulnerable dependency
monitoring and upgrades using Snyks dedicated vulnerability
database.</li>
</ul>
<h3 id="dynamic-analysis">Dynamic Analysis</h3>
<p>Dynamic Analysis Security Testing (DAST) is a form of black-box
security testing where a security scanner interacts with a running
instance of an application, emulating malicious activity to find common
vulnerabilities. DAST tools are commonly used in the initial phases of a
penetration test, and can find vulnerabilities such as cross-site
scripting, SQL injection, cross-site request forgery and information
disclosure.</p>
<ul>
<li><a
href="https://github.com/imperva/automatic-api-attack-tool">Automatic
API Attack Tool</a> - <em>Imperva</em> - Perform automated security
scanning against an API based on an API specification.</li>
<li><a href="https://portswigger.net/burp/enterprise">BurpSuite
Enterprise Edition</a> - <em>PortSwigger</em> - BurpSuites web
application vulnerability scanner used widely by penetration testers,
modified with CI/CD integration and continuous monitoring over multiple
web applications.</li>
<li><a href="https://github.com/gauntlt/gauntlt">Gauntlt</a> -
<em>Gauntlt</em> - A Behaviour Driven Development framework to run
security scans using common security tools and test output, defined
using Gherkin syntax.</li>
<li><a href="https://github.com/spectralops/netz">Netz</a> -
<em>Spectral</em> - Discover internet-wide misconfigurations, using
zgrab2 and others.</li>
<li><a href="https://github.com/microsoft/restler-fuzzer">RESTler</a> -
<em>Microsoft</em> - A stateful RESTful API scanner based on
peer-reviewed research papers.</li>
<li><a href="https://github.com/ssllabs/ssllabs-scan">SSL Labs Scan</a>
- <em>SSL Labs</em> - Automated scanning for SSL / TLS configuration
issues.</li>
<li><a href="https://github.com/zaproxy/zaproxy">Zed Attack Proxy
(ZAP)</a> - <em>OWASP</em> - An open-source web application
vulnerability scanner, including an API for CI/CD integration.</li>
</ul>
<h3 id="infrastructure-as-code-analysis">Infrastructure as Code
Analysis</h3>
<p>Infrastructure as Code allows applications to be deployed reliably to
a consistent environment. This not only ensures that infrastructure is
consistently hardened, but also provides an opportunity to statically
and dynamically analyse infrastructure definitions for vulnerable
dependencies, hard-coded secrets, insecure configuration and
unintentional changes in security configuration. The following tools
facilitate this analysis.</p>
<h4 id="multi-platform">Multi-Platform</h4>
<ul>
<li><a href="https://github.com/bridgecrewio/checkov">Checkov</a> -
<em>Bridgecrew</em> - Scan Terraform, AWS CloudFormation and Kubernetes
templates for insecure configuration.</li>
<li><a href="https://github.com/Checkmarx/kics">KICS</a> -
<em>Checkmarx</em> - Find security vulnerabilities, compliance issues,
and infrastructure misconfigurations early in the development
cycle.</li>
<li><a
href="https://spectralops.io/blog/spectral-launches-deepconfig-to-ensure-no-misconfiguration-at-all-layers-of-software/">Spectral
DeepConfig</a> - <em>Spectral</em> - Find misconfiguration both in
infrastructure as well as apps as early as commit time.</li>
<li><a href="https://github.com/accurics/terrascan">Terrascan</a> -
<em>Accurics</em> - Detect compliance and security violations across
Infrastructure as Code to mitigate risk before provisioning cloud native
infrastructure.</li>
</ul>
<!-- omit in toc -->
<h4 id="cloud-formation">Cloud Formation</h4>
<ul>
<li><a href="https://github.com/stelligent/cfn_nag">Cfn Nag</a> -
<em>Stelligent</em> - Scan AWS CloudFormation templates for insecure
configuration.</li>
</ul>
<!-- omit in toc -->
<h4 id="containers">Containers</h4>
<ul>
<li><a href="https://github.com/quay/clair">Clair</a> - <em>Red Hat</em>
- Scan App Container and Docker containers for publicly disclosed
vulnerabilities.</li>
<li><a href="https://github.com/eliasgranderubio/dagda/">Dagda</a> -
<em>Elías Grande</em> - Compares OS and software dependency versions
installed in Docker containers with public vulnerability databases, and
also performs virus scanning.</li>
<li><a
href="https://github.com/docker/docker-bench-security">Docker-Bench-Security</a>
- <em>Docker</em> - The Docker Bench for Security is a script that
checks for dozens of common best-practices around deploying Docker
containers in production.</li>
<li><a href="https://github.com/anchore/grype/">Grype</a> -
<em>Anchore</em> - An easy-to-integrate open source vulnerability
scanning tool for container images and filesystems.</li>
<li><a href="https://github.com/hadolint/hadolint">Hadolint</a> -
<em>Hadolint</em> - Checks a Dockerfile against known rules and
validates inline bash code in RUN statements.</li>
<li><a
href="https://snyk.io/product/container-vulnerability-management/">Snyk
Container</a> - <em>Snyk</em> - Scan Docker and Kubernetes applications
for security vulnerabilities during CI/CD or via continuous
monitoring.</li>
<li><a href="https://github.com/aquasecurity/trivy">Trivy</a> - <em>Aqua
Security</em> - Simple and comprehensive vulnerability scanner for
containers.</li>
</ul>
<!-- omit in toc -->
<h4 id="terraform">Terraform</h4>
<ul>
<li><a href="https://github.com/fugue/regula">Regula</a> -
<em>Fugue</em> - Evaluate Terraform infrastructure-as-code for potential
security misconfigurations and compliance violations prior to
deployment.</li>
<li><a href="https://terraform-compliance.com/">Terraform Compliance</a>
- <em>terraform-compliance</em> - A lightweight, security and compliance
focused test framework against terraform to enable negative testing
capability for your infrastructure-as-code.</li>
<li><a href="https://github.com/liamg/tfsec">Tfsec</a> - <em>Liam
Galvin</em> - Scan Terraform templates for security misconfiguration and
noncompliance with AWS, Azure and GCP security best practice.</li>
</ul>
<!-- omit in toc -->
<h4 id="kubernetes">Kubernetes</h4>
<ul>
<li><a href="https://kubescape.io/">Kubescape</a> - <em>Cloud Native
Computing Foundation</em> - An open-source Kubernetes security platform
for your IDE, CI/CD pipelines, and clusters.</li>
<li><a href="https://github.com/zegl/kube-score">Kube-Score</a> -
<em>Gustav Westling</em> - Scan Kubernetes object definitions for
security and performance misconfiguration.</li>
<li><a href="https://github.com/controlplaneio/kubectl-kubesec">Kubectrl
Kubesec</a> - <em>ControlPlane</em> - Plugin for kubesec.io to perform
security risk analysis for Kubernetes resources.</li>
</ul>
<h4 id="ansible">Ansible</h4>
<ul>
<li><a
href="https://github.com/ansible-community/ansible-lint">Ansible-Lint</a>
- <em>Ansible Community</em> - Checks playbooks for practices and
behaviour that could potentially be improved. As a community backed
project ansible-lint supports only the last two major versions of
Ansible.</li>
</ul>
<h3 id="intentionally-vulnerable-applications">Intentionally Vulnerable
Applications</h3>
<p>Intentionally vulnerable applications are often useful when
developing security tests and tooling to provide a place you can run
tests and make sure they fail correctly. These applications can also be
useful for understanding how common vulnerabilities are introduced into
applications and let you practice your skills at exploiting them.</p>
<ul>
<li><a href="https://github.com/chromium/badssl.com">Bad SSL</a> -
<em>The Chromium Project</em> - A container running a number of
webservers with poor SSL / TLS configuration. Useful for testing
tooling.</li>
<li><a href="https://github.com/bridgecrewio/cfngoat">Cfngoat</a> -
<em>Bridgecrew</em> - Cloud Formation templates for creating stacks of
intentionally insecure services in AWS. Ideal for testing the Cloud
Formation Infrastructure as Code Analysis tools above.</li>
<li><a href="https://github.com/cider-security-research/cicd-goat">CI/CD
Goat</a> - <em>Cider Security</em> - A deliberately vulnerable CI/CD
environment. Learn CI/CD security through multiple challenges.</li>
<li><a href="http://www.dvwa.co.uk/">Damn Vulnerable Web App</a> -
<em>Ryan Dewhurst</em> - A web application that provides a safe
environment to understand and exploit common web vulnerabilities.</li>
<li><a href="https://github.com/bkimminich/juice-shop">Juice Shop</a> -
<em>OWASP</em> - A web application containing the OWASP Top 10 security
vulnerabilities and more.</li>
<li><a href="https://github.com/madhuakula/kubernetes-goat">Kubernetes
Goat</a> - <em>Madhu Akula</em> - Intentionally vulnerable cluster
environment to learn and practice Kubernetes security.</li>
<li><a href="https://github.com/OWASP/NodeGoat">NodeGoat</a> -
<em>OWASP</em> - A Node.js web application that demonstrates and
provides ways to address common security vulnerabilities.</li>
<li><a href="https://pentest-ground.com/">Pentest-Ground</a> -
<em>Pentest-Tools.com</em> - Pentest-Ground is a free playground with
deliberately vulnerable web applications and network services.</li>
<li><a href="https://github.com/bridgecrewio/terragoat">Terragoat</a> -
<em>Bridgecrew</em> - Terraform templates for creating stacks of
intentionally insecure services in AWS, Azure and GCP. Ideal for testing
the Terraform Infrastructure as Code Analysis tools above.</li>
<li><a
href="https://owasp.org/www-project-vulnerable-web-applications-directory">Vulnerable
Web Apps Directory</a> - <em>OWASP</em> - A collection of vulnerable web
applications for learning purposes.</li>
<li><a href="https://github.com/OWASP/wrongsecrets">WrongSecrets</a> -
<em>OWASP</em> - Vulnerable app with examples showing how to not use
secrets</li>
</ul>
<h3 id="monitoring">Monitoring</h3>
<p>Its not enough to test and harden our software in the lead up to a
release. We must also monitor our production software for usage,
performance and errors to capture malicious behavior and potential
security flaws that we may need to respond to or address. A wide variety
of tools are available to monitor different aspects of production
software and infrastructure.</p>
<ul>
<li><a href="https://csper.io/report-uri">Csper</a> - <em>Csper</em> - A
set of Content Security Policy tools that can test policies, monitor CSP
reports and provide metrics and alerts.</li>
<li><a href="https://streamdal.com">Streamdal</a> - <em>Streamdal</em> -
Embed privacy controls in your application code to detect and monitor
PII as it enters and leaves your systems, preventing it from reaching
unintended databases, data streams, or pipelines.</li>
</ul>
<h3 id="secrets-management">Secrets Management</h3>
<p>The software we write needs to use secrets (passwords, API keys,
certificates, database connection strings) to access resources, yet we
cannot store secrets within the codebase as this leaves them vulnerable
to compromise. Secret management tools provide a means to securely
store, access and manage secrets.</p>
<ul>
<li><a
href="https://docs.ansible.com/ansible/latest/user_guide/vault.html">Ansible
Vault</a> - <em>Ansible</em> - Securely store secrets within Ansible
pipelines.</li>
<li><a href="https://aws.amazon.com/kms/">AWS Key Management Service
(KMS)</a> - <em>Amazon AWS</em> - Create and manage cryptographic keys
in AWS.</li>
<li><a href="https://aws.amazon.com/secrets-manager/">AWS Secrets
Manager</a> - <em>Amazon AWS</em> - Securely store retrievable
application secrets in AWS.</li>
<li><a
href="https://azure.microsoft.com/en-au/services/key-vault/">Azure Key
Vault</a> - <em>Microsoft Azure</em> - Securely store secrets within
Azure.</li>
<li><a href="https://github.com/StackExchange/blackbox">BlackBox</a> -
<em>StackExchange</em> - Encrypt credentials within your code
repository.</li>
<li><a href="https://github.com/chef/chef-vault">Chef Vault</a> -
<em>Chef</em> - Securely store secrets within Chef.</li>
<li><a href="https://github.com/fugue/credstash">CredStash</a> -
<em>Fugue</em> - Securely store secrets within AWS using KMS and
DynamoDB.</li>
<li><a
href="https://www.cyberark.com/products/privileged-account-security-solution/application-access-manager/">CyberArk
Application Access Manager</a> - <em>CyberArk</em> - Secrets management
for applications including secret rotation and auditing.</li>
<li><a href="https://docs.docker.com/engine/swarm/secrets/">Docker
Secrets</a> - <em>Docker</em> - Store and manage access to secrets
within a Docker swarm.</li>
<li><a href="https://github.com/awslabs/git-secrets">Git Secrets</a> -
<em>Amazon AWS</em> - Scan git repositories for secrets committed within
code or commit messages.</li>
<li><a href="https://github.com/gopasspw/gopass">Gopass</a> -
<em>Gopass</em> - Password manager for teams relying on Git and gpg.
Manages secrets in encrypted files and repositories.</li>
<li><a href="https://cloud.google.com/kms">Google Cloud Key Management
Service (KMS)</a> - <em>Google Cloud Platform</em> - Securely store
secrets within GCP.</li>
<li><a href="https://www.vaultproject.io/">HashiCorp Vault</a> -
<em>HashiCorp</em> - Securely store secrets via UI, CLI or HTTP
API.</li>
<li><a href="https://github.com/SpectralOps/keyscope">Keyscope</a> -
<em>Spectral</em> - Keyscope is an open source key and secret workflow
tool (validation, invalidation, etc.) built in Rust.</li>
<li><a href="https://github.com/pinterest/knox">Pinterest Knox</a> -
<em>Pinterest</em> - Securely store, rotate and audit secrets.</li>
<li><a href="https://github.com/mozilla/sops">Secrets Operations
(SOPS)</a> - <em>Mozilla</em> - Encrypt keys stored within YAML, JSON,
ENV, INI and BINARY files.</li>
<li><a href="https://github.com/spectralops/teller">Teller</a> -
<em>Spectral</em> - A secrets management tool for developers - never
leave your command line for secrets.</li>
</ul>
<h3 id="secrets-scanning">Secrets Scanning</h3>
<p>Source control is not a secure place to store secrets such as
credentials, API keys or tokens, even if the repo is private. Secrets
scanning tools can scan and monitor git repositories and pull-requests
for secrets, and can be used to prevent secrets from being committed, or
to find and remove secrets that have already been committed to source
control.</p>
<ul>
<li><a
href="https://secdevtools.azurewebsites.net/helpcredscan.html">CredScan</a>
- <em>Microsoft</em> - A credential scanning tool that can be run as a
task in Azure DevOps pipelines.</li>
<li><a href="https://github.com/Yelp/detect-secrets">Detect Secrets</a>
- <em>Yelp</em> - An aptly named module for (surprise, surprise)
detecting secrets within a code base.</li>
<li><a href="https://www.gitguardian.com/">GitGuardian</a> -
<em>GitGuardian</em> - A web-based solution that scans and monitors
public and private git repositories for secrets.</li>
<li><a href="https://github.com/zricethezav/gitleaks">Gitleaks</a> -
<em>Zachary Rice</em> - Gitleaks is a SAST tool for detecting hardcoded
secrets like passwords, api keys, and tokens in git repositories.</li>
<li><a href="https://github.com/awslabs/git-secrets">git-secrets</a> -
<em>AWS Labs</em> - Scans commits, commit messages and merges for
secrets. Native support for AWS secret patterns, but can be configured
to support other patterns.</li>
<li><a
href="https://nightfall.ai/solutions/product/github">Nightfall</a> -
<em>Nightfall</em> - A web-based platform that monitors for sensitive
data disclosure across several SDLC tools, including GitHub
repositories.</li>
<li><a
href="https://github.com/auth0/repo-supervisor">Repo-supervisor</a> -
<em>Auth0</em> - Secrets scanning tool that can run as a CLI, as a
Docker container or in AWS Lambda.</li>
<li><a href="https://spectralops.io">SpectralOps</a> - <em>Spectral</em>
- Automated code security, secrets, tokens and sensitive data
scanning.</li>
<li><a
href="https://github.com/trufflesecurity/truffleHog">truffleHog</a> -
<em>Truffle Security</em> - Searches through git repositories for
secrets, digging deep into commit history and branches.</li>
</ul>
<h3 id="static-analysis">Static Analysis</h3>
<p>Static Analysis Security Testing (SAST) tools scan software for
vulnerabilities without executing the target software. Typically, static
analysis will scan the source code for security flaws such as the use of
unsafe functions, hard-coded secrets and configuration issues. SAST
tools often come in the form of IDE plugins and CLIs that can be
integrated into CI/CD pipelines.</p>
<!-- omit in toc -->
<h4 id="multi-language-support">Multi-Language Support</h4>
<ul>
<li><a href="https://github.com/microsoft/DevSkim">DevSkim</a> -
<em>Microsoft</em> - A set of IDE plugins, CLIs and other tools that
provide security analysis for a number of programming languages.</li>
<li><a href="https://github.com/wireghoul/graudit/">Graudit</a> -
<em>Eldar Marcussen</em> - Grep source code for potential security flaws
with custom or pre-configured regex signatures.</li>
<li><a href="https://github.com/hawkeyesec/scanner-cli">Hawkeye</a> -
<em>Hawkeyesec</em> - Modularised CLI tool for project security,
vulnerability and general risk highlighting.</li>
<li><a href="https://lgtm.com/">LGTM</a> - <em>Semmle</em> - Scan and
monitor code for security vulnerabilities using custom or built-in
CodeQL queries.</li>
<li><a href="https://www.ripstech.com/">RIPS</a> - <em>RIPS
Technologies</em> - Automated static analysis for PHP, Java and Node.js
projects.</li>
<li><a href="https://semgrep.dev/">SemGrep</a> - <em>r2c</em> - Semgrep
is a fast, open-source, static analysis tool that finds bugs and
enforces code standards at editor, commit, and CI time.</li>
<li><a href="https://www.sonarlint.org/">SonarLint</a> -
<em>SonarSource</em> - An IDE plugin that highlights potential security
security issues, code quality issues and bugs.</li>
<li><a href="https://www.sonarqube.org/">SonarQube</a> -
<em>SonarSource</em> - Scan code for security and quality issues with
support for a wide variety of languages.</li>
</ul>
<!-- omit in toc -->
<h4 id="c-c">C / C++</h4>
<ul>
<li><a
href="https://github.com/david-a-wheeler/flawfinder">FlawFinder</a> -
<em>David Wheeler</em> - Scan C / C++ code for potential security
weaknesses.</li>
</ul>
<!-- omit in toc -->
<h4 id="c">C</h4>
<ul>
<li><a href="https://github.com/pumasecurity/puma-scan">Puma Scan</a> -
<em>Puma Security</em> - A Visual Studio plugin to scan .NET projects
for potential security flaws.</li>
</ul>
<!-- omit in toc -->
<h4 id="configuration-files">Configuration Files</h4>
<ul>
<li><a href="https://github.com/instrumenta/conftest">Conftest</a> -
<em>Instrumenta</em> - Create custom tests to scan any configuration
file for security flaws.</li>
<li><a href="https://github.com/selefra/selefra">Selefra</a> -
<em>Selefra</em> - An open-source policy-as-code software that provides
analytics for multi-cloud and SaaS.</li>
</ul>
<!-- omit in toc -->
<h4 id="java">Java</h4>
<ul>
<li><a href="https://discotek.ca/deepdive.xhtml">Deep Dive</a> -
<em>Discotek.ca</em> - Static analysis for JVM deployment units
including Ear, War, Jar and APK.</li>
<li><a href="https://github.com/find-sec-bugs/find-sec-bugs/">Find
Security Bugs</a> - <em>OWASP</em> - SpotBugs plugin for security audits
of Java web applications. Supports Eclipse, IntelliJ, Android Studio and
SonarQube.</li>
<li><a href="https://github.com/spotbugs/spotbugs">SpotBugs</a> -
<em>SpotBugs</em> - Static code analysis for Java applications.</li>
</ul>
<!-- omit in toc -->
<h4 id="javascript">JavaScript</h4>
<ul>
<li><a href="https://eslint.org/">ESLint</a> - <em>JS Foundation</em> -
Linting tool for JavaScript with multiple security linting rules
available.</li>
</ul>
<!-- omit in toc -->
<h4 id="go">Go</h4>
<ul>
<li><a href="https://github.com/securego/gosec">Golang Security
Checker</a> - <em>securego</em> - CLI tool to scan Go code for potential
security flaws.</li>
</ul>
<!-- omit in toc -->
<h4 id="net">.NET</h4>
<ul>
<li><a
href="https://github.com/security-code-scan/security-code-scan">Security
Code Scan</a> - <em>Security Code Scan</em> - Static code analysis for
C# and VB.NET applications.</li>
</ul>
<!-- omit in toc -->
<h4 id="php">PHP</h4>
<ul>
<li><a href="https://github.com/phan/phan">Phan</a> - <em>Phan</em> -
Broad static analysis for PHP applications with some support for
security scanning features.</li>
<li><a
href="https://github.com/FloeDesignTechnologies/phpcs-security-audit">PHPCS
Security Audit</a> - <em>Floe</em> - PHP static analysis with rules for
PHP, Drupal 7 and PHP related CVEs.</li>
<li><a href="https://github.com/designsecurity/progpilot">Progpilot</a>
- <em>Design Security</em> - Static analysis for PHP source code.</li>
</ul>
<!-- omit in toc -->
<h4 id="python">Python</h4>
<ul>
<li><a href="https://github.com/PyCQA/bandit">Bandit</a> - <em>Python
Code Quality Authority</em> - Find common security vulnerabilities in
Python code.</li>
</ul>
<!-- omit in toc -->
<h4 id="ruby">Ruby</h4>
<ul>
<li><a href="https://github.com/presidentbeef/brakeman">Brakeman</a> -
<em>Justin Collins</em> - Static analysis tool which checks Ruby on
Rails applications for security vulnerabilities.</li>
<li><a href="https://github.com/thesp0nge/dawnscanner">DawnScanner</a> -
<em>Paolo Perego</em> - Security scanning for Ruby scripts and web
application. Supports Ruby on Rails, Sinatra and Padrino
frameworks.</li>
</ul>
<h3 id="supply-chain-security">Supply Chain Security</h3>
<p>Supply chain attacks come in different forms, targeting parts of the
SDLC that are inherently 3rd party: tools in CI, external code thats
been executed, and more. Supply chain security tooling can defend
against these kinds of attacks.</p>
<ul>
<li><a href="https://github.com/step-security/harden-runner">Harden
Runner GitHub Action</a> - <em>StepSecurity</em> - installs a security
agent on the GitHub-hosted runner (Ubuntu VM) to prevent exfiltration of
credentials, detect compromised dependencies and build tools, and detect
tampering of source code during the build.</li>
<li><a href="https://github.com/os-scar/overlay">Overlay</a> -
<em>SCAR</em> - a browser extension helping developers evaluate open
source packages before picking them.</li>
<li><a href="https://github.com/spectralops/preflight">Preflight</a> -
<em>Spectral</em> - helps you verify scripts and executables to mitigate
supply chain attacks in your CI and other systems, such as in the recent
<a
href="https://spectralops.io/blog/credentials-risk-supply-chain-lessons-from-the-codecov-breach/">Codecov
hack</a>.</li>
<li><a href="https://www.sigstore.dev/">Sigstore</a> - sigstore is a set
of free to use and open source tools, including <a
href="https://github.com/sigstore/fulcio">fulcio</a>, <a
href="https://github.com/sigstore/cosign">cosign</a> and <a
href="https://github.com/sigstore/rekor">rekor</a>, handling digital
signing, verification and checks for provenance needed to make it safer
to distribute and use open source software.</li>
<li><a href="https://github.com/anchore/syft/">Syft</a> -
<em>Anchore</em> - A CLI tool for generating a Software Bill of
Materials (SBOM) from container images and filesystems.</li>
</ul>
<h3 id="threat-modelling">Threat Modelling</h3>
<p>Threat modelling is an engineering exercise that aims to identify
threats, vulnerabilities and attack vectors that represent a risk to
something of value. Based on this understanding of threats, we can
design, implement and validate security controls to mitigate threats.
The following list of tools assist the threat modelling process.</p>
<ul>
<li><a
href="https://github.com/hysnsec/awesome-threat-modelling">Awesome
Threat Modelling</a> - <em>Practical DevSecOps</em> - A curated list of
threat modelling resources.</li>
<li><a href="https://www.foreseeti.com/">SecuriCAD</a> -
<em>Forseeti</em> - Treat modelling and attack simulations for IT
infrastructure.</li>
<li><a href="https://iriusrisk.com/">IriusRisk</a> - <em>IriusRisk</em>
- Draw threat models and capture threats and countermeasures and manage
risk.</li>
<li><a href="https://github.com/devsecops/raindance">Raindance
Project</a> - <em>DevSecOps</em> - Use attack maps to identify attack
surface and adversary strategies that may lead to compromise.</li>
<li><a
href="https://www.securitycompass.com/sdelements/threat-modeling/">SD
Elements</a> - <em>Security Compass</em> - Identify and rank threats,
generate actionable tasks and track related tickets.</li>
<li><a href="https://owasp.org/www-project-threat-dragon/">Threat
Dragon</a> - <em>OWASP</em> - Threat model diagramming tool.</li>
<li><a
href="https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling">Threat
Modelling Tool</a> - <em>Microsoft</em> - Threat model diagramming
tool.</li>
<li><a href="https://threatspec.org/">Threatspec</a> -
<em>Threatspec</em> - Define threat modelling as code.</li>
</ul>
<h2 id="related-lists">Related Lists</h2>
<ul>
<li><a
href="https://github.com/analysis-tools-dev/dynamic-analysis/">Awesome
Dynamic Analysis</a> - <em>Matthias Endler</em> - A collection of
dynamic analysis tools and code quality checkers.</li>
<li><a
href="https://github.com/shospodarets/awesome-platform-engineering/">Awesome
Platform Engineering</a> - A curated list of solutions, tools and
resources for <em>Platform Engineering</em></li>
<li><a
href="https://github.com/analysis-tools-dev/static-analysis/">Awesome
Static Analysis</a> - <em>Matthias Endler</em> - A collection of static
analysis tools and code quality checkers.</li>
<li><a
href="https://github.com/hysnsec/awesome-threat-modelling">Awesome
Threat Modelling</a> - <em>Practical DevSecOps</em> - A curated list of
threat modeling resources.</li>
<li><a
href="https://owasp.org/www-project-vulnerable-web-applications-directory">Vulnerable
Web Apps Directory</a> - <em>OWASP</em> - A collection of vulnerable web
applications for learning purposes.</li>
</ul>
<p><a href="https://github.com/TaptuIT/awesome-devsecops">devsecops.md
Github</a></p>
Reference in New Issue View Git Blame Copy Permalink