Lunasec Alternatives
Similar projects and alternatives to lunasec
-
Apache Log4j 2
Apache Log4j 2 is a versatile, feature-rich, efficient logging API and backend for Java.
-
log4shell-tools
Tool that runs a test to check whether one of your applications is affected by the recent vulnerabilities in log4j: CVE-2021-44228 and CVE-2021-45046
-
immudb
immudb - immutable database based on zero trust, SQL and Key-Value, tamperproof, data change history
-
react-payment-inputs
A React Hook & Container to help with payment card input fields.
-
syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
-
packj
Packj stops Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply chain
-
ysoserial
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
-
dependency-track
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
-
log4jshell-pdf
The purpose of this project is to demonstrate the Log4Shell exploit against vulnerable Log4j versions using a PDF as the delivery channel
lunasec reviews and mentions
-
Ask HN: Those making $0/month or less on side projects – Show and tell
LunaTrace: https://lunatrace.lunasec.io/
Premise: Open Source[0] alternative to GitHub Dependabot and `npm audit` that focuses on helping you prioritize where to patch first (only 0.1% of CVEs are used in cyber attacks).
Short YouTube demo: https://www.youtube.com/watch?v=ugdSyR2L6sY
A newer video showing off the whole Static Analysis engine: https://www.youtube.com/watch?v=vPd4MSUJ98M
Price: $0 for Open Source repos. We're hoping to charge for private repos in the future, but we need to build out the billing features first lol. (We're at $0 in revenue currently.)
If you are filled with rage because of CVEs spamming you, come vent your frustrations on Discord: https://discord.gg/2EbHdAR5w7
We're looking for early customers that are interested in working with us. My email is on my profile. Cheers!
[0]: Source Code, https://github.com/lunasec-io/lunasec/
-
Log4Shell Still Has Sting in the Tail
(Note: I'm the person that coined the term "Log4Shell")
You may be surprised when I tell you what the Apache Software Foundation's yearly budget is. You'd think for software that is used by practically every Fortune 500 company and most governments, it would be something reasonable. Maybe a few hundred million dollars a year to pay for a reasonable full-time staff, right?
It turns out... it's about $2 million a year. (Wikipedia[0])
This helps explain to me why the devs of Log4j directly uploaded the file "JNDIExploit.java" (the POC) to GitHub while they were patching. (Here is a full analysis and guide about how to prevent that[1].)
They're not security people. They're volunteers working on this in addition to their full-time job.
What kind of brave soul wants to trudge through and maintain log4j in their spare time for zero compensation? I appreciate the people that are capable of doing that, but I think they are rare!
This whole entire vulnerability was eye opening for everybody and I have actually spent the last year building tooling on GitHub to help fix the problems that Log4Shell exposed.
If you have 2 seconds to try that out or just Star the repo[2], it would be very helpful!
0: Log4j revenue https://en.wikipedia.org/wiki/The_Apache_Software_Foundation
1: "How to Discuss and Fix Vulnerabilities in Open Source" https://www.lunasec.io/docs/blog/how-to-mitigate-open-source...
2: GitHub project building better dependency patching tools https://github.com/lunasec-io/lunasec
-
Dozens of malicious PyPI packages discovered targeting developers
It is possible to set your registry in NPM via the "npmrc" file. That will let you hit the specified HTTP server whenever you run commands like "npm install".
I know this is also possible for Python because we did it at Uber. I don't remember the specific details anymore though.
In either case though, a lot of people have written proxies for this use case (I helped write one for NPM at Uber). Companies like Bytesafe and Artifactory also exist in this space.
We're working on something similar that's on GitHub here: https://github.com/lunasec-io/lunasec
Proxy support isn't built out yet but the data is all there already.
-
Preventing the bait and switch by open core software companies
The current system is broken. I don't think I agree with everything in the post, but I'm excited to see movement in this space given that this is a space I spend a lot of time thinking about. (I'll expand on that below)
Even if I disagree with parts of this, this is still one of the most interesting things that I've read around OSS licensing in a minute! Having actual VC money behind this movement is awesome.
For context: I run an Open Source company that's YC + VC-backed. We are using a hybrid of Apache and Business Source License (BSL, a "non-compete" license that converts to Apache in 2-3 years). Our license file[0] has context about my thought process around this, but I still am not totally happy with it. (BSL isn't "OSI-compatible", even if it does feel like the "best" license currently.)
To come to that conclusion, I've read Heather Meeker's book, "Open (Source) for Business"[1], multiple times now, and I've also blogged about this topic[2] before.
All of that is to say, it's complicated and there are some perverse incentives that can prevent you from always "doing the right thing".
Problem #1: You lose control. You may begin with Apache but, as OP states, you eventually end up with the incentive to "rug pull" by switching the license because of market forces/VC influence. (I'm the founder of my company and I would resist it, but eventually our investors might control the board and make that happen anyway by replacing me.)
Problem #2: The hardest part of building a company is getting traction. Just getting anybody to care about you takes a ton of effort and having a permissive license makes it way easier to get that early adoption. And, by the time you have adoption and you decide to go raise VC money, you now end up with Problem #1.
Problem #3: If you start with a copyleft license like GPL/AGPL, then you make Problem #2 harder. Many companies simply won't adopt your software if you're using that. (Linux is a notable exception here, but even companies using AGPL like MongoDB have switched away from copyleft.)
We are using BSL because it feels like the best compromise (it becomes Apache 2.0 eventually). I do still think a lot about switching to Apache though. I just really hate the idea of "rug pulling" and I'd rather be honest from the beginning with a license like BSL, even if it is more difficult to get that initial momentum.
Does anybody else have thoughts to share about this?
0: https://github.com/lunasec-io/lunasec/blob/master/LICENSE.md
1: Open (Source) for Business: A Practical Guide to Open Source Software Licensing - Third Edition https://a.co/8SLjVZI
2: https://www.lunasec.io/docs/blog/how-to-build-an-open-source...
-
Ask HN: How do you deploy your weekend project in 2022?
https://github.com/lunasec-io/lunasec/blob/master/lunatrace/...
It's more complicated now, but if you look at the history of that "backend-cdk" folder, it was simpler a few months ago.
The important bit is the "ecs-patterns" library. That's the one that is magical and deals with setting up the load balancer, cluster, etc. for you. And the way we shove the Docker images in I found to be quite straightforward. (And deploys are one line.)
-
Cdk8s: CNCF-Backed Infrastructure-as-Code (IaC) for Kubernetes
I saw this last night while trying to set up Flux on EKS. I wanted to share this and see what other tools people are using too.
Is it possible for Kubernetes to be startup-friendly? (We're using ECS right now via the normal CDK[0]).
0: https://github.com/lunasec-io/lunasec/blob/master/lunatrace/...
-
Vulnerability Management for Go
This is really cool to see because this is the #1 problem with current tools (as you said). I call it "alert fatigue" in my head because it's meaningless when you have 100+ vulns to fix but they're 99% unexploitable.
I have a bit of a bone to pick with this space: I've been working on this problem for a few months now (link to repo[0] and blog[1]).
My background is Application Security and, as is often the case with devs, rage fuels me in my desire to fix this space. Log4Shell helped too.
As another comment said, doing this in a language-agnostic way is a big PITA and we haven't fully built it yet. We are using SemGrep to do very basic static analysis (see if the vulnerable function is ever imported + called). But we're not doing fancy Inter-process taint analysis like CodeQL can.
(We have a big Merkle tree that represents the dependency tree and that's how we are able to make the CI/CD check take only a few seconds because we can pre-compute.)
Anyway, if you have a second to help, we have a GitHub App[1] that you can install to test this out + help us find bugs. It's best at NPM now, but we have basic support for other languages (no dep tree analysis yet).
There are so many edge cases with the ways that repos are set up, so just having more scans coming in helps a ton. (Well, it breaks stuff, but we already determined that rage sustains me.)
Thank you. (climbs off of soapbox)
0: https://github.com/lunasec-io/lunasec
1: https://www.lunasec.io/docs/blog/the-issue-with-vuln-scanner...
-
Log4j: The Pain Just Keeps Going and Going
This is compliance vs security. Finding vulns checks a box for SOC2, but in reality detection is the easy part. Figuring out what to fix, based on real-world usage and risk, requires much more work and is often ignored.
I'm sorry you're on the receiving end of this problem!
Shill notice: I'm working on an Open Source tool[0] that makes this problem less horrible. My colleague wrote a post about our hypothesis[1] about how we can avoid this false positive trap.
I'd love to chat with anybody feeling this pain (even just as therapy lol).
0: https://github.com/lunasec-io/lunasec
1: https://www.lunasec.io/docs/blog/the-issue-with-vuln-scanner...
-
Microsoft open sources Salus software bill of materials (SBOM) generation tool
Just to expand on this a bit: One of the largest fallouts from the Log4Shell vulnerability was that companies realized how hard it was to identify where they had log4j in their infrastructure in the first place.
I've spoken with dozens of companies and it was a very similar story: Writing a detection script and then SSH'ing into every box, applying a Helm chart to scan every running container, putting the script into every CI job... Which takes weeks to months of manual effort to deal with.
And that's not even dealing with the "once you found it, who goes in and patches it?" question, which is its own can of worms.
For context: I helped deal with the fallout of Log4Shell by writing a blog post about it (I gave it that name). Since then, we've been working on an Open Source SBOM database called LunaTrace[0] to help fix what I wrote above.
0: https://github.com/lunasec-io/lunasec/tree/master/lunatrace
-
Show HN: Miniboss, versatile local container management with Python
Have you thought about taking an approach similar to the AWS CDK with CloudFormation? A.k.a. the whole "infrastructure as code" movement?
I'm not sure how that would work with the whole "lifecycle hooks" you've mentioned a few times, but maybe it would be easier than trying to compete with Docker Compose yourself by simply wrapping it.
I posted in another comment here too but we wrote a bunch of code to deal with programmatic generation of Docker Compose files, and it was really sweet to use! I've honestly thought about making that code[0] a stand-alone library because of how valuable it was.
0: https://github.com/lunasec-io/lunasec/blob/master/js/sdks/pa...
-
Stats
lunasec-io/lunasec is an open source project licensed under GNU General Public License v3.0 or later which is an OSI approved license.