Free Tools and Add-Ons to Explore for Applying DevSecOps in Your Organization

Today, I'm hosting a webinar on "How to Build a DevSecOps Program that Works for Developers AND Security" and hope you’ll tune in. As I prepped for the session, I realized it might be useful to the broader community to offer up the references and tools I’ve collected on my journey to DevSecOps.

So without further ado, here are some of my favorite free, built-in, and open-source tools, as well as great reference material that can help you plan your move to DevSecOps. Check out the DevOps Lifecycle graphic below to see where each of these free tools fits into your process. This is far from a full list, but it’s a good starting point to try within your environment.

PLAN

• Defining your security requirements

  • OWASP Application Security Verification Standard (ASVS)
    https://owasp.org/www-project-application-security-verification-standard/
    
  • WASP Software Assurance Maturity Model (SAMM)
    https://owaspsamm.org/
    
    

• Threat Modeling guides and tools

  • Threat Modeling Manifesto
    https://www.threatmodelingmanifesto.org
    
  • OWASP Application Threat Modeling
    https://owasp.org/www-community/Application_Threat_Modeling/
    
  • OWASP Threat Dragon
    https://owasp.org/www-project-threat-dragon/

CODE & BUILD

• Free static analysis, dependency checkers, linters, and pre-commit hooks

• • SpotBugs (Java) https://spotbugs.github.io/
  • Security Code Scan (.NET) https://security-code-scan.github.io/
  • Brakeman (Ruby). https://brakemanscanner.org/
  • Bandit (Python). https://pypi.org/project/bandit/
  • Clang Static Analyzer (C/C++) https://clang-analyzer.llvm.org/
  • LGTM.com. https://lgtm.com/
  • Staticcheck (Go) https://staticcheck.io/
  • OWASP Dependency-Check https://owasp.org/www-project-dependency-check/
  • Dependabot https://dependabot.com/
  • Pylint (Python). https://www.pylint.org/
  • npm audit (JavaScript). https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities
  • pre-commit Framework https://pre-commit.com/
  • Terraform hooks to be used with pre-commit framework: https://github.com/antonbabenko/pre-commit-terraform
  • Docker scan https://docs.docker.com/engine/scan/
  • GitLab container scanning https://docs.gitlab.com/ee/user/application_security/container_scanning/

TEST

• Free Dynamic Scanners

  • OWASP ZAP 
  • OWASP PurpleTeam https://owasp.org/www-project-purpleteam/
  • Arachni https://www.arachni-scanner.com/
  • Sec-helpers https://github.com/vwt-digital/sec-helpers/tree/master
    
    

• Free IAST Scanner

  • Contrast Community Edition (commercial not open-source) https://www.contrastsecurity.com/contrast-community-edition
    
    

• OWASP Web Security Testing Guide Checklist

  • https://github.com/OWASP/wstg/tree/master/checklist (good for developing manual unit tests)

RELEASE AND DEPLOY

• Free tools to validate platform security

  • AWS CloudFormation Guard https://github.com/aws-cloudformation/cloudformation-guard
  • Azure Tenant Security Solution (AzTS) https://github.com/azsk/AzTS-docs

OPERATE & MONITOR

• OWASP Top 10 Considerations for Incident Response https://owasp.org/www-pdf-archive/Top10ConsiderationsForIncidentResponse.pdf
• GitLab Incident Management https://docs.gitlab.com/ee/operations/incident_management/index.html
• Prometheus https://prometheus.io/docs/introduction/overview/

ADDITIONAL RESOURCES

MozDef

Mozilla Enterprise Defense Platform https://github.com/mozilla/MozDef

DevSecOps Webinars:

• On-demand DevSecOps Webinar by Tom Eston:
  DevSecOps and Application Penetration Testing: Defying the Myth
• June 24, 2021 DevSecOps Webinar by Tom Eston:
  How to Build a DevSecOps Program that Works for Developers AND Security
  

More DevSecOps Blogs:

• Applying DevSecOps in Your Organization