Free Tools and Add-Ons to Explore for Applying DevSecOps in Your Organization
Today, I'm hosting a webinar on "How to Build a DevSecOps Program that Works for Developers AND Security" and hope you’ll tune in. As I prepped for the session, I realized it might be useful to the broader community to offer up the references and tools I’ve collected on my journey to DevSecOps.
So without further ado, here are some of my favorite free, built-in, and open-source tools, as well as great reference material that can help you plan your move to DevSecOps. Check out the DevOps Lifecycle graphic below to see where each of these free tools fits into your process. This is far from a full list, but it’s a good starting point to try within your environment.
PLAN
-
Defining your security requirements
- OWASP Application Security Verification Standard (ASVS)
https://owasp.org/www-project-application-security-verification-standard/ - WASP Software Assurance Maturity Model (SAMM)
https://owaspsamm.org/
- OWASP Application Security Verification Standard (ASVS)
-
Threat Modeling guides and tools
- Threat Modeling Manifesto
https://www.threatmodelingmanifesto.org - OWASP Application Threat Modeling
https://owasp.org/www-community/Application_Threat_Modeling/ - OWASP Threat Dragon
https://owasp.org/www-project-threat-dragon/
- Threat Modeling Manifesto
CODE & BUILD
-
Free static analysis, dependency checkers, linters, and pre-commit hooks
-
- SpotBugs (Java) https://spotbugs.github.io/
- Security Code Scan (.NET) https://security-code-scan.github.io/
- Brakeman (Ruby). https://brakemanscanner.org/
- Bandit (Python). https://pypi.org/project/bandit/
- Clang Static Analyzer (C/C++) https://clang-analyzer.llvm.org/
- LGTM.com. https://lgtm.com/
- Staticcheck (Go) https://staticcheck.io/
- OWASP Dependency-Check https://owasp.org/www-project-dependency-check/
- Dependabot https://dependabot.com/
- Pylint (Python). https://www.pylint.org/
- npm audit (JavaScript). https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
- pre-commit Framework https://pre-commit.com/
- Terraform hooks to be used with pre-commit framework: https://github.com/antonbabenko/pre-commit-terraform
- Docker scan https://docs.docker.com/engine/scan/
- GitLab container scanning https://docs.gitlab.com/ee/user/application_security/container_scanning/
TEST
-
Free Dynamic Scanners
- OWASP ZAP
- OWASP PurpleTeam https://owasp.org/www-project-purpleteam/
- Arachni https://www.arachni-scanner.com/
- Sec-helpers https://github.com/vwt-digital/sec-helpers/tree/master
-
Free IAST Scanner
- Contrast Community Edition (commercial not open-source) https://www.contrastsecurity.com/contrast-community-edition
- Contrast Community Edition (commercial not open-source) https://www.contrastsecurity.com/contrast-community-edition
-
OWASP Web Security Testing Guide Checklist
-
https://github.com/OWASP/wstg/tree/master/checklist (good for developing manual unit tests)
-
RELEASE AND DEPLOY
-
Free tools to validate platform security
- AWS CloudFormation Guard https://github.com/aws-cloudformation/cloudformation-guard
- Azure Tenant Security Solution (AzTS) https://github.com/azsk/AzTS-docs
OPERATE & MONITOR
- OWASP Top 10 Considerations for Incident Response https://owasp.org/www-pdf-archive/Top10ConsiderationsForIncidentResponse.pdf
- GitLab Incident Management https://docs.gitlab.com/ee/operations/incident_management/index.html
- Prometheus https://prometheus.io/docs/introduction/overview/
ADDITIONAL RESOURCES
MozDef
Mozilla Enterprise Defense Platform https://github.com/mozilla/MozDef
DevSecOps Webinars:
- On-demand DevSecOps Webinar by Tom Eston:
DevSecOps and Application Penetration Testing: Defying the Myth - June 24, 2021 DevSecOps Webinar by Tom Eston:
How to Build a DevSecOps Program that Works for Developers AND Security
More DevSecOps Blogs:
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.
