Good day, everyone.
This is a short summary to help those who want to learn DevSecOps in 2023.
All links are collected in one document.
The list is not complete. Additions and remarks are very welcome.
Thanks also to the Telegram community https://t.me/DevOpsMarathon and its leader @edemus, to the DevOps Geeks Telegram community and to the Ukrainian-language channel DevOps 01.
- Resources
- Tools
- Threat modeling
- SAST
- DAST
- Secrets search
- Third-party component analyzers (SCA)
- Testing based on Behaviour Driven Development principles
- Docker image scanners
- Docker / Kubernetes compliance checks
- Kubernetes security
- Container Runtime
- Runtime Security
- IAST
- Fuzzing
- MAST
- Vulnerability Management
- Application Security Orchestration and Correlation (ASOC)
- Compliance-as-code
- IAC Security
- Kubernetes YAML validating
- Tool comparison
A section on learning how to build a secure CI/CD pipeline.
Name | URL | Description | Meta/Language |
---|---|---|---|
DevSecOps - Implementing Secure CI/CD Pipelines | Youtube | Short videos for beginners in DevSecOps | EN |
Курсы по кибербезопасности с нуля до аналитика DevSecOps | Youtube | Introduction to cybersecurity | ru |
Информационная безопасность | Youtube | A selection of videos on individual aspects of DevSecOps | ru |
Name | URL | Description | Meta/Language |
---|---|---|---|
Simple Guide for Development and Operation | devsecopsguides.com | The most recommended comprehensive resource for integrating security into the software development lifecycle | EN |
Ultimate DevSecOps library | github.com/sberdachuk-epam/DevSecOps | Ultimate DevSecOps library | |
DevSecOps Roadmap | github.com/hahwul/DevSecOps | Ultimate DevSecOps library | |
Awesome DevSecOps | github.com/TaptuIT | Curating the best DevSecOps resources and tooling | |
Awesome DevSecOps | github.com/devsecops | A collection of documents, presentations, videos, training materials, tools, services | |
Name | URL | Description | Language |
---|---|---|---|
OWASP SAMM | owaspsamm.org | The prime maturity model for software assurance | EN |
OWASP Devsecops Maturity Model | owaspsamm.org | Security measures which are applied when using DevOps strategies and how these can be prioritized | EN |
Name | URL | Description | Language |
---|---|---|---|
How To Secure A Linux Server | github.com/imthenachoman | An evolving how-to guide for securing a Linux server | EN |
CloudFoxable | github.com/BishopFox | CloudFox helps penetration testers and security professionals find exploitable attack paths in cloud infrastructure | EN |
CloudGoat | github.com/RhinoSecurityLabs | CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool | EN |
OWASP ServerlessGoat | github.com/OWASP | Educate on how serverless application layer weaknesses can be exploited | EN |
OWASP Wrongsecrets | github.com/OWASP | The game is packed with real life examples of how to not store secrets in your software | EN |
AWS S3 CTF Challenges | n0j.github.io | Series of brief challenges focusing on AWS S3 misconfiguration for the CTF at AppSec USA 2017 and CactusCon 2017 | EN |
Breaking and Pwning Apps and Servers on AWS and Azure | github.com/appsecco | The training is meant to be a hands-on training with guided walkthroughs, scenario based attacks, and coverage of tools that can be used for attacking and auditing | EN |
Sadcloud | github.com/nccgroup/sadcloud | Sadcloud is a tool for spinning up insecure AWS infrastructure with Terraform | EN |
Damn Vulnerable Cloud Application | github.com/m6a-UdS/dvca | A demonstration project to show how to do privilege escalation on AWS | EN |
AWS Detonation Lab | github.com/sonofagl1tch | Scripts can be used as proof-of-concept to generate a detonation lab via a cloudformation template (AWS) | EN |
lambhack | github.com/wickett/lambhack | Allows you to take advantage of our tried and true application security problems, namely arbitrary code execution, XSS, injection attacks and more (AWS) | EN |
Cfngoat - Vulnerable Cloudformation Template | github.com/bridgecrewio/cfngoat | A learning and training project that demonstrates how common configuration errors can find their way into production cloud environments | EN |
CdkGoat - Vulnerable AWS CDK Infrastructure | github.com/bridgecrewio/cdkgoat | Another learning and training project that demonstrates how common configuration errors can find their way into production cloud environments | EN |
AWSGoat : A Damn Vulnerable AWS Infrastructure | github.com/ine-labs/AWSGoat | Learning and training AWS cloud pentesting/red-teaming, auditing IaC, secure coding, detection and mitigation | EN |
AzureGoat : A Damn Vulnerable Azure Infrastructure | github.com/ine-labs/AzureGoat | Learning and training Azure cloud pentesting/red-teaming, auditing IaC, secure coding, detection and mitigation | EN |
CONVEX | github.com/Azure/CONVEX | Spins up Capture The Flag environments in your Azure tenant for participants to play through | EN |
caponeme | github.com/avishayil/caponeme | A vulnerable cloud environment that is meant to mimic the Capital One breach for educational purposes | EN |
TerraGoat - Vulnerable Terraform Infrastructure | github.com/bridgecrewio/terragoat | A learning and training project that demonstrates how common configuration errors can find their way into production cloud environments | EN |
IAM Vulnerable | github.com/BishopFox/iam-vulnerable | Learning how to identify and exploit vulnerable IAM configurations that allow for privilege escalation | EN |
Web-Check | github.com/Lissy93 | Comprehensive, on-demand open source intelligence for any website | EN |
Penetration Testing, Beginners To Expert! | github.com/xalgord | Web Application Penetration Testing for everyone | EN |
TryHackMe | tryhackme.com | Learning cyber security | EN |
Hack The Box | hackthebox.com | The #1 cybersecurity upskilling platform | EN |
OWASP Juice Shop | owasp.org | Game/tutorial that can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools | EN |
Flaws | flaws.cloud | Game/tutorial that teaches you AWS (Amazon Web Services) security concepts | EN |
Flaws2 | flaws2.cloud | Another game/tutorial that teaches you AWS (Amazon Web Services) security concepts | EN |
AWS Well-Architected Labs | wellarchitectedlabs.com | Through a series of levels you'll learn about common mistakes and gotchas when using Amazon Web Services (AWS) | EN |
CTF 101 worklab | r00tz-ctf.awssecworkshops.com | Security CTF 101 worklab, sponsored by Amazon Web Services Security | EN |
Thunder CTF | thunder-ctf.cloud | Thunder CTF allows players to practice attacking vulnerable cloud projects on Google Cloud Platform (GCP) | EN |
The Big IAM Challenge by Wiz | bigiamchallenge.com | Put yourself to the test with our unique CTF challenge and boost your AWS IAM knowledge | EN |
PenTesting.Cloud | pentesting.cloud | A free pentesting learning platform | EN |
GCP Goat | gcpgoat.joshuajebaraj.com | Intentionally vulnerable GCP environment to learn and practice GCP Security | EN |
Name | URL | Description | Language |
---|---|---|---|
How Secrets Leak in CI/CD Pipelines | trufflesecurity.com | How to search for secrets in CI/CD | EN |
Tools used in DevSecOps.
Threat modeling in the context of the Secure Development Lifecycle is the process of analyzing a software architecture for potential vulnerabilities and unsafe technologies. Its purpose is to bring information security checks in already at the architecture design stage. At the same stage, application security specialists formulate requirements that then go into the backlog.
Name | URL | Description | Language |
---|---|---|---|
Awesome Threat Modeling | github.com/hysnsec | A curated list of threat modeling resources (books, courses - free and paid, videos, tools, tutorials and workshop to practice on) for learning | EN |
Open-source
Name | URL | Description | Language |
---|---|---|---|
OWASP Threat Dragon | owasp.org | Modeling tool used to create threat model diagrams as part of a secure development lifecycle | EN |
Microsoft Threat Modeling Tool | learn.microsoft.com | The Threat Modeling Tool is a core element of the Microsoft Security Development Lifecycle (SDL) | EN |
pytm: A Pythonic framework for threat modeling | github.com/izarg | Shift threat modeling to the left, making threat modeling more automated and developer-centric | EN |
materialize threats | github.com/secmerc | Developers and security practitioners who want to perform 'graph' analysis on data flow diagrams - using SQL | EN |
threatspec | github.com/threatspec | Developers and security practitioners who want to add threat modeling annotations as comments inside source code | EN |
The Raindance Project | github.com/devsecops | The attack map process for identifying target surface and adversary attack strategies that lead to exploit and compromise | EN |
threagile | github.com/Threagile | The open-source toolkit for agile threat modeling | EN |
Paid (enterprise)
Name | URL | Description | Language |
---|---|---|---|
Iriusrisk | iriusrisk.com | Modeling platform automates the threat modeling process, enabling developers to design and build secure software | EN |
ThreatModeler | threatmodeler.com | Modeling platform can securely design, build and validate from development through deployment | EN |
A static code analyzer is a tool that reports vulnerabilities in a program based on its source code.
SAST in detail
Name | URL | Description | Language |
---|---|---|---|
OWASP Source Code Analysis Tools | owasp.org | SAST tools for all programming languages | EN |
Static Analysis Tools | github.com/analysis-tools-dev | Static analysis tools for all programming languages, build tools, config files and more | EN |
Open-source
Name | URL | Description | Language |
---|---|---|---|
ShiftLeft Scan | github.com/ShiftLeftSecurity | Scan can detect various kinds of security flaws in your application, and infrastructure code without any remote server | EN |
Salus | github.com/coinbase | A tool for coordinating the execution of security scanners | EN |
HuskyCI | github.com/globocom | An open source tool that orchestrates security tests and centralizes all results into a database for further analysis and metrics | EN |
Graudit | github.com/wireghoul | A simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility grep | EN |
RIPS | github.com/robocoder | A static source code analyser for vulnerabilities in PHP scripts | EN |
Joern | github.com/joernio | Platform for analyzing source code, bytecode, and binary executables | EN |
CodeQL | securitylab.github.com | CodeQL lets you query code as though it were data | EN |
Semgrep | semgrep.dev | Lightweight static analysis for many languages; find bug variants with patterns that look like source code | EN |
Paid (enterprise)
Name | URL | Description | Language |
---|---|---|---|
Checkmarx | checkmarx.com | Platform for securing every phase of development | EN |
PT AI | ptsecurity.com | Only source code analyzer providing analysis and convenient tools to automatically confirm vulnerabilities | EN |
Veracode Static Analysis | veracode.com | Scan code at each development stage with IDE, Pipeline, and Policy scans | EN |
A dynamic code analyzer is a tool that reports vulnerabilities in a program based on the server's responses to crafted requests.
DAST in detail
Name | URL | Description | Language |
---|---|---|---|
Awesome DAST | github.com/analysis-tools-dev | DAST tools for all programming languages | EN |
Open-source
Name | URL | Description | Language |
---|---|---|---|
Arachni | github.com/Arachni | Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications | EN |
OWASP ZAP | github.com/zaproxy | Automatically find security vulnerabilities in your web applications | EN |
w3af | github.com/andresriancho | Open source web application security scanner | EN |
Nikto | github.com/sullo | Web server scanner | EN |
N.E.R.V.E | github.com/PaytmLabs | Vulnerability scanner tailored to find low-hanging fruit level vulnerabilities | EN |
Nuclei | github.com/projectdiscovery | Scanning for a variety of protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, Headless | EN |
Automatic API Attack Tool | github.com/imperva | API attack tool | EN |
Wapiti | github.com/wapiti-scanner | Web vulnerability scanner written in Python | EN |
Vega | github.com/subgraph | Web vulnerability scanner written in Java | EN |
Paid (enterprise)
Name | URL | Description | Language |
---|---|---|---|
PortSwigger Burp Suite | portswigger.net | The enterprise-enabled dynamic web vulnerability scanner | EN |
NetSparker | invicti.com | Application security testing for enterprise | EN |
Acunetix | acunetix.com | Automate application security testing | EN |
WebInspect | microfocus.com | Automated dynamic testing solution that provides comprehensive vulnerability detection | EN |
PT AI | ptsecurity.com | Source code analyzer providing high-quality analysis and convenient tools to automatically confirm vulnerabilities | EN |
Veracode | veracode.com | Dynamic testing tool (Crashtest Security), showing a growing focus on DAST | EN |
Tenable Web App Scanning | tenable.com | Simple, Scalable and Automated Vulnerability Scanning for Web Applications | EN |
Tools for finding sensitive information.
Open-source
Name | URL | Description | Language |
---|---|---|---|
git-secrets | github.com/awslabs | Prevents you from committing passwords and other sensitive information to a git repository | EN |
Gitrob | github.com/michenriksen | Find potentially sensitive files pushed to public repositories on Github | EN |
Gitleaks | github.com/gitleaks | SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos | EN |
TruffleHog | github.com/trufflesecurity | Tool for detecting and preventing secrets in GitHub Repo/S3 bucket | EN |
Talisman | github.com/thoughtworks | Tool that installs a hook in your repository to ensure that potential secrets or sensitive information do not leave the developer's workstation | EN |
Slack Watchman | github.com/PaperMtn | Monitoring and enumerating Slack for exposed secrets | EN |
GitLab Watchman | github.com/PaperMtn | Application that uses the GitLab API to detect exposed secrets and personal data | EN |
Rusty Hog | github.com/newrelic | Set of scanners that use regular expressions to try and detect the presence of sensitive information, such as API keys, passwords, and personal information | EN |
detect-secrets | github.com/Yelp | Aptly named module for detecting secrets within a code base | EN |
repo-supervisor | github.com/auth0 | Tool that helps you to detect secrets and passwords in your code | EN |
Paid (enterprise)
Name | URL | Description | Language |
---|---|---|---|
GitGuardian | gitguardian.com | Scan and fix hardcoded secrets in source code, CI/CD pipelines, and developer productivity tools | EN |
SpectralOps | spectralops.io | Monitor, classify, and protect your code, assets, and infrastructure for exposed API keys, tokens, credentials, and high-risk security misconfigurations | EN |
A third-party component analyzer is a tool that searches for vulnerabilities in the third-party open-source components included in a project.
Name | URL | Description | Language |
---|---|---|---|
OWASP Composition Analysis | owasp.org | OWASP Tools Listing | EN |
Open-source
Name | URL | Description | Language |
---|---|---|---|
Dependency check | github.com/jeremylong | SCA tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies | EN |
Dependency Track | dependencytrack.org | Continuous SBOM Analysis Platform | EN |
Nexus Vulnerability Scanner | sonatype.com | Tool to find out if your software has any open source security vulnerabilities | EN |
ClearlyDefined | clearlydefined.io | Search and check SCA in one platform | EN |
Renovate | mend.io | Scans your software, discovers dependencies, automatically checks to see if an updated version exists, and helps you by submitting automated pull requests | EN |
Paid (enterprise)
Name | URL | Description | Language |
---|---|---|---|
Sonatype Nexus IQ | sonatype.com | Open Source Components Analyzed | EN |
Veracode SCA | veracode.com | Strong Performer in SCA Wave | EN |
Snyk Open Source | snyk.io | Tool provides advanced software composition analysis (SCA) backed by industry-leading security and application intelligence | EN |
WhiteSource for Developers | mend.io | Keep your open source components secure and compliant throughout the development lifecycle from inside your environments | EN |
JFrog XRay | jfrog.com | End-to-End Software Supply Chain Security powered by the JFrog Platform | EN |
Black Duck | synopsys.com | Tool helps manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers | EN |
Frameworks that let you describe checks using the BDD methodology
Open-source
Name | URL | Description | Language |
---|---|---|---|
BDD-Security | github.com/iriusrisk | Security testing framework that uses Behaviour Driven Development concepts to create self-verifying security specifications | EN |
Gauntlt | github.com/michenriksen | Ruggedization framework that enables security testing that is usable by devs, ops and security | EN |
Tools aimed at finding vulnerabilities in container images
Name | URL | Description | Language |
---|---|---|---|
29 Docker security tools compared | sysdig.com | Alphabetical index of Docker Security tools | EN |
Awesome Container Security | github.com/kai5263499 | A collection of container related security resources | EN |
Awesome Docker Security | github.com/myugan | List of awesome resources about docker security included books, blogs, video, tools and cases | EN |
Open-source
Name | URL | Description | Language |
---|---|---|---|
Clair | github.com/quay | Open Source project for the static analysis of vulnerabilities in application containers | EN |
Trivy | github.com/aquasecurity | Comprehensive and versatile security scanner | EN |
Anchore | github.com/anchore | Command line interface on top of the Anchore Engine REST API | EN |
Dagda | github.com/eliasgranderubio | Tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images | EN |
whalescan | github.com/nccgroup | Vulnerability scanner for Windows containers, which performs several benchmark checks, as well as checking for CVEs/vulnerable packages on the container | EN |
grype | github.com/nccgroup | Vulnerability scanner for container images and filesystems | EN |
syft | github.com/anchore | CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems | EN |
Paid (enterprise)
Name | URL | Description | Language |
---|---|---|---|
Snyk Container | snyk.io | Container and Kubernetes security that helps developers and DevOps find, prioritize, and fix vulnerabilities throughout the SDLC | EN |
TrendMicro SmartCheck | trendmicro.com | Simplify security for your cloud-native applications with advanced container image scanning | EN |
WhiteSource for containers | mend.io | Scans container images for multiple sources of risk, including open source vulnerabilities (CVEs), license policy violations, and exposed secret | EN |
Sonatype Container | sonatype.com | Run automated tests for security compliance to ensure you catch vulnerabilities early in the container development cycle | EN |
Tools for checking Docker / Kubernetes resources for compliance with CIS/PCI DSS
Open-source
Name | URL | Description | Language |
---|---|---|---|
Docker bench | github.com/docker | Open-source utility that gives the Docker community an easy way to self-assess their hosts and Docker containers against the CIS Docker Benchmark | EN |
Dockle | github.com/goodwithtech | Container image linter for security, helping build the best-practice Docker Image | EN |
Kubebench | github.com/aquasecurity | Tool that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark | EN |
Tools for checking Kubernetes security
Name | URL | Description | Language |
---|---|---|---|
Kubernetes Security Checklist and Requirements - All in One | github.com/Vinum-Security | Way to make your cluster secure | EN |
Awesome Kubernetes Security | github.com/ksoclabs | A curated list of awesome Kubernetes security resources | EN |
Awesome k8s Security | github.com/magnologan | A curated list for Kubernetes (K8s) Security resources such as articles, books, tools, talks and videos | EN |
Open-source
Name | URL | Description | Language |
---|---|---|---|
Kubehunter | github.com/aquasecurity | Increase awareness and visibility for security issues in Kubernetes environments | EN |
KubiScan | github.com/cyberark | A tool for scanning Kubernetes cluster for risky permissions in Kubernetes's Role-based access control (RBAC) authorization model | EN |
Krane | github.com/appvia | Kubernetes RBAC static analysis tool | EN |
Starboard | github.com/aquasecurity | Security tools in the cloud native world for identifying and informing about security issues in Kubernetes | EN |
Kubeaudit | github.com/Shopify | Command line tool and a Go package to audit Kubernetes clusters for various different security concerns | EN |
Kubesec | github.com/controlplaneio | Security risk analysis for Kubernetes resources | EN |
audit2rbac | github.com/liggitt | Tool takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user | EN |
KubeClarity | github.com/openclarity | Tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems | EN |
Kubestriker | github.com/vchinnipilli | Tool designed to tackle Kubernetes cluster security issues due to misconfigurations and will help strengthen the overall IT infrastructure of any organisation | EN |
CDK - Zero Dependency Container Penetration Toolkit | github.com/cdk-team | Open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency | EN |
Paid (enterprise)
Name | URL | Description | Language |
---|---|---|---|
Veracode IAST | veracode.com | Integrate container security seamlessly into your existing pipeline | EN |
Tools for monitoring container behaviour at runtime
Open-source
Name | URL | Description | Language |
---|---|---|---|
Sysdig Falco | github.com/falcosecurity | Cloud native runtime security tool for Linux operating systems | EN |
Deepfence Runtime Threat Mapper | github.com/deepfence | Combination of agent-based inspection and agent-less monitoring to provide the widest possible coverage to detect threats | EN |
Stackrox | github.com/stackrox | Container security platform reduces the attack surface, ensures compliance, and stops attacks | EN |
Paid Cloud Native Security Platform (enterprise)
Name | URL | Description | Language |
---|---|---|---|
Aqua CSP | aquasec.com | Accelerate secure innovation and protect your entire development lifecycle from code to cloud and back | EN |
Aqua CSPM | aquasec.com | Identify, prioritize, and remediate the most critical cloud security risks in real-time | EN |
Prisma Cloud Compute | paloaltonetworks.com | Prisma Cloud secures applications from code to cloud | EN |
NeuVector | suse.com | Continuously scan throughout the container lifecycle | EN |
Sysdig | sysdig.com | Find and prioritize vulnerabilities, detect and respond to threats and anomalies and manage configurations, permissions, and compliance | EN |
Tenable.io Container Security | tenable.com | Apply, monitor and report on security and compliance policies across multi-cloud environments | EN |
Skyhigh | skyhighsecurity.com | Secure corporate data in cloud applications from exfiltration to unauthorized users or devices while keeping your employees productive | EN |
TrendMicro CloudOne | trendmicro.com | Advanced container image scanning, policy-based admission control, and container runtime protection | EN |
Qualys Container Security | qualys.com | Discover, track and continuously secure containers – from build to runtime | EN |
Tools for checking web applications at runtime
Open-source
Name | URL | Description | Language |
---|---|---|---|
RASP | github.com/baidu | Tool can monitor various events including database queries, file operations and network requests etc | EN |
Modsecurity | github.com/SpiderLabs | Cross platform web application firewall (WAF) engine for Apache, IIS and Nginx | EN |
Dynatrace Community Edition | github.com/Dynatrace | Analytics and automation platform powered by causal AI. It has a paid version | EN |
Paid (enterprise)
Name | URL | Description | Language |
---|---|---|---|
Dynatrace | dynatrace.com | Paid version of Dynatrace - Analytics and automation platform powered by causal AI | EN |
Datadog | datadoghq.com | Production visibility and security for your web applications and APIs | EN |
Waratek | waratek.com | The Application Security platform for enterprise Java applications and APIs | EN |
Tools that combine SAST and DAST practices
Open-source
Name | URL | Description | Language |
---|---|---|---|
Contrast | contrastsecurity.com | Ignite innovation velocity on the only unified security platform built to get secure code moving through the entire application development pipeline (for Java & .NET apps) | EN |
Paid (enterprise)
Name | URL | Description | Language |
---|---|---|---|
Checkmarx IAST | checkmarx.com | Discover the runtime vulnerabilities in your applications that other solutions just can’t find | EN |
Synopsys IAST | synopsys.com | IAST solution with active verification and sensitive-data tracking for web-based applications | EN |
Acunetix IAST | acunetix.com | IAST solution works with applications written in Node.js, PHP, Java (including the Spring framework), and ASP.NET | EN |
Burp IAST | portswigger.net | Tool for instrumenting target web applications in order to facilitate testing using Burp Scanner for enterprise Java & .NET applications | EN |
The practice of testing a program by feeding it input data that may lead to undefined behaviour
Name | URL | Description | Language |
---|---|---|---|
Awesome Fuzzing | github.com/cpuu | A curated list of references to awesome Fuzzing for security testing | EN |
Fuzzing Paper Collection | github.com/0xricksanchez | Academic papers related to fuzzing, binary analysis, IoT security, and general exploitation | EN |
Fuzzing Paper | github.com/wcventure | This website is only used for collecting and grouping the related papers | EN |
OSS-Fuzz by Google | github.com/google | OSS-Fuzz aims to make common open source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution | EN |
Open-source
Name | URL | Description | Language |
---|---|---|---|
AFL++ | github.com/AFLplusplus | AFL++ is a superior fork to Google's AFL - more speed, more and better mutations, more and better instrumentation, custom module support | EN |
Syzkaller | github.com/google | A coverage-guided fuzzer | EN |
restler-fuzzer | github.com/microsoft | REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services | EN |
Skipfish | github.com/spinkham | An active web application security reconnaissance tool | EN |
LibFuzzer | llvm.org | LibFuzzer is an in-process, coverage-guided, evolutionary fuzzing engine | EN |
Tools for checking mobile applications
Open-source
Name | URL | Description | Language |
---|---|---|---|
MobSF | github.com/MobSF | Automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis | EN |
Drozer | github.com/WithSecureLabs | Tools to help you use, share and understand public Android exploits | EN |
Paid (enterprise)
Name | URL | Description | Language |
---|---|---|---|
Appknox | appknox.com | Automated mobile app security checks | EN |
Tools that collect and aggregate the results of checks by third-party tools
Open-source
Name | URL | Description | Language |
---|---|---|---|
DefectDojo | github.com/DefectDojo | Security orchestration and vulnerability management platform | EN |
Secure code Box | github.com/secureCodeBox | Kubernetes based, modularized toolchain for continuous security scans of your software project | EN |
Faraday | github.com/infobyte | Open source vulnerability manager | EN |
Archery | archerysec.github.io | Integrates into continuous integration/continuous delivery (CI/CD) toolchains to specify testing and control the release of a given build based on the results | EN |
Paid (enterprise)
Name | URL | Description | Language |
---|---|---|---|
ThreadFix | coalfire.com | Over 40 different security and development tools and integrations helping you to track vulnerabilities from discovery to resolution | EN |
Cisco Vulnerability Management | cisco.com | Contextual insight and threat intelligence needed to intercept the next exploit and respond with precision | EN |
Tools that orchestrate checks by third-party tools
Open-source
Name | URL | Description | Language |
---|---|---|---|
Orchestron | github.com/we45 | Application vulnerability management and correlation Tool | EN |
Paid (enterprise)
Name | URL | Description | Language |
---|---|---|---|
Kondukto | kondukto.io | Security testing tool, automated vulnerability remediation workflows and managing risks | EN |
The practice of expressing security requirements as a declarative description in code, with subsequent continuous assessment of compliance
Open-source
Name | URL | Description | Language |
---|---|---|---|
Chef InSpec | github.com/inspec | Open-source testing framework for infrastructure for specifying compliance, security and policy requirements | EN |
Compliance Masonry | github.com/opencontrol | Command-line interface (CLI) that allows users to construct certification documentation using the OpenControl Schema | EN |
The practice of testing a declarative description of infrastructure in a configuration file for compliance with security requirements
Open-source
Name | URL | Description | Language |
---|---|---|---|
Cfn Nag | github.com/stelligent | Open-source tool looks for patterns in CloudFormation templates that may indicate insecure infrastructures | EN |
Checkov | github.com/bridgecrewio | Static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages | EN |
Terrascan | github.com/tenable | Open-source static code analyzer for Infrastructure as Code | EN |
Tfsec | github.com/aquasecurity | Static analysis of your terraform code to spot potential misconfigurations | EN |
kics | kics.io | Open source solution for static code analysis of Infrastructure as Code | EN |
ScoutSuite | github.com/nccgroup | Open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments | EN |
Name | URL | Description | Language |
---|---|---|---|
Kubeval | github.com/instrumenta | Tool for validating a Kubernetes YAML or JSON configuration file | EN |
Kube-score | github.com/zegl | Tool that performs static code analysis of your Kubernetes object definitions | EN |
Config-lint | github.com/stelligent | A command line tool to validate configuration files using rules specified in YAML | EN |
Copper | github.com/cloud66-oss | Useful tool with Kubernetes configuration files to enforce best practices, apply policies and compliance requirements | EN |
Conftest | github.com/open-policy-agent | Open source tool helps you write tests against structured configuration data | EN |
Polaris | github.com/FairwindsOps | Open source policy engine for Kubernetes | EN |
Name | URL | Description | Language |
---|---|---|---|
tool-compare | github.com/iacsecurity | The goal of this repository is to help compare the different options so that users can choose the tool that best fits their own needs | EN |
Comparison of tools to validate and score Kubernetes YAML files | learnk8s.io | The article compares six static tools to validate and score Kubernetes YAML files for best practices and compliance | EN |