Top 23 application-security Open-Source Projects

• CheatSheetSeries

  49 26,607 9.2 Python

  The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

  

Project mention: Next.js: consequence of AppRouter on your CSP | dev.to | 2024-03-07

Cross Site Scripting Prevention Cheat Sheet from OWASP Cheat Sheet Series

• juice-shop

  21 9,577 9.8 TypeScript

  OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

  

Project mention: Launch HN: Corgea (YC S23) – Auto fix vulnerable code | news.ycombinator.com | 2024-01-09

Hi HN, I’m the founder of Corgea (https://corgea.com). We help companies fix their vulnerable source code using AI.

Originally, we started with a data security product that would detect data leaks at companies. Despite initial successes and customer acquisitions, we frequently heard that highlighting issues wasn't enough; customers wanted proactive fixes. They had hundreds (yes hundreds!) of security tools alerting them about vulnerabilities, but couldn’t afford a dedicated team to go through them all and fix them. One prospect we spoke to had tens of thousands of reported vulnerabilities in their SAST tool. With the rise of AI code generation, we saw an opportunity to give customers what they really wanted.

Having Corgea is like having a security engineer on staff focused on making your code more secure. We want security to be an enabler of engineering rather than a blocker to it, and the reverse to be true. To accomplish this, we built it on top of existing LLMs to issue code fixes.

To show Corgea’s capabilities, we took some popular vulnerable-by-design applications like Juice Shop (https://github.com/juice-shop/juice-shop), scanned them and issued fixes for their vulnerabilities. You can see some of them here: https://demo.corgea.com. Some examples of vulnerabilities it solves are like SQL injection, Path Traversal and XSS.

What makes this tough is that currently LLMs struggle at generalist coding tasks because it has to understand your whole code base, the domain you’re in, and the user’s request to do something. This can lead to a lot of unintended behavior where it codes things incorrectly because it’s giving a best guess at what you want. Adam, one of the founding engineers on the team coined it well: LLMs don’t reason, they fuzz.

We made several decisions that helped the LLM become more deterministic. First, what we’re doing is extremely domain specific: vulnerable code fixes in a limited number of programming languages. There are roughly 900 security vulnerabilities in code, called CWE’s (https://cwe.mitre.org/), that we’ve built into Corgea. An SQL injection vulnerability in a Javascript app is the same regardless if you’re a payments company or a travel booking website. Second, we have no user generated input going into the LLM, because SAST scanners everything needed to issue a fix. This makes it much more predictable and reproducible for us and customers. We can also create robust QA processes and checks.

To illustrate the point, let’s put some of this to the test using some napkin math. Assume you’re serving 5,000 enterprises that ship on average 300 domain specific features a year in 5 different programming languages that each require 30 lines of code changes across multiple files. You’ll have about 300m permutations the product needs to support. What a nightmare!

Using the same napkin math, Corgea needs to support the ~900 vulnerabilities (CWE’s). Most of them require 1 - 2 line changes. It doesn’t need to understand the whole codebase since the problem is usually isolated to a few lines. We want to support the 5 most popular programming languages. If we have 5,000 customers, we have to support ~4,500 permutations (900 issues x 5 different languages). This leads to a massive difference in accuracy. Obviously, this is an oversimplification of the whole thing but it illustrates the point.

What makes this different from Copilot and other code-gen tools is that they do not specialize in security and we’ve seen them inadvertently introduce security issues unbeknownst to the engineer. Additionally, they do not integrate into existing scanning tools that companies are using to resolve those issues. So unless a developer is working on every part of the product, they’re unable to clear security backlogs, which can be in the thousands of tickets.

As for security scanners, the current market is flooded with tools that report and overwhelm security teams and are not effective at fixing what they’re reporting. Most vulnerability scanners do not remediate issues, and if they do they’re mostly limited to upgrading packages from one version to another to reduce a CVSS. If they do offer CWE remediation capabilities their success rates are very low because they’re often based on traditional AI methodologies. Additionally, they do not integrate with each other because they want to only serve their own findings. Enterprises use multiple tools like Snyk, Semgrep, Checkmarx, but also have a penetration testing program, and a bug bounty program. They need a solution that consolidates across their existing tools. They also use Github, Gitlab and Bitbucket for their code repository.

We’re offering a free tier for smaller teams and priced tiers. We believe we can reduce 80% of the engineering effort for security fixes, which would equate to at least $10m a year for enterprises.

We’re really excited to share this with you all and we’d love any thoughts, feedback, and comments!

• InfluxDB

  www.influxdata.com featured

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• wstg

  27 6,710 7.6 Dockerfile

  The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.

  

Project mention: Where do you focus your time and energy? | /r/bugbounty | 2023-12-10

At the beginning, I read all things in here https://owasp.org/www-project-web-security-testing-guide/, also gets familiars with owasp top 10. But later on, I focus on a few techniques only.

• awesome-appsec

  6 6,110 0.0 PHP

  A curated list of resources for learning about application security

  

• WhatWeb

  1 5,110 0.0 Ruby

  Next generation web scanner

• security-study-plan

  3 4,117 6.4

  Complete Practical Study Plan to become a successful cybersecurity engineer based on roles like Pentest, AppSec, Cloud Security, DevSecOps and so on...

• command-injection-payload-list

  2 2,582 0.0

  🎯 Command Injection Payload List

  

• SaaSHub

  www.saashub.com featured

  SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

  

• content

  7 2,091 10.0 Shell

  Security automation content in SCAP, Bash, Ansible, and other formats (by ComplianceAsCode)

  

Project mention: Oracle linux CIS benchmark | /r/ansible | 2023-06-07

• metlo

  21 1,569 6.0 TypeScript

  Metlo is an open-source API security platform.

  

Project mention: Using Metlo to Secure My Personal Finance App | dev.to | 2023-06-29

So far, I’ve been using Metlo's protection features to initially test out its capabilities on my app, but there’s still a whole other Testing feature that it has that I'm starting to look into. Everything I’ve tried out has been pretty quick and easy so hopefully I can play around with the Testing more to help me catch any other authentication or authorization vulnerabilities that might exist in my app. If this is something that interests you, you can check it out at https://metlo.com .

• learn365

  1 1,513 0.0

  This repository is about @harshbothra_'s 365 days of Learning Tweets & Mindmaps collection.

• awesome-devsecops

  2 1,253 1.3

  Curating the best DevSecOps resources and tooling. (by TaptuIT)

  

• Androl4b

  0 1,070 0.0

  A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis

• awesome-php-security

  2 927 0.0

  Awesome PHP Security Resources 🕶🐘🔐

  

• Autorize

  3 886 4.7 Python

  Automatic authorization enforcement detection extension for burp suite written in Jython developed by Barak Tawily in order to ease application security people work and allow them perform an automatic authorization tests

Project mention: Autorize – The most popular tool to discover AuthZ/AuthN flaws | news.ycombinator.com | 2023-12-28

• openappsec

  23 679 8.8 C++

  open-appsec is an open-source machine learning security engine that preemptively and automatically prevents threats against Web Application & APIs. It is available for NGINX, NGINX Ingress, Envoy (Soon), Kong (Soon), Ambassador (Soon).

  

Project mention: Seeking contributors for a security open-source project | /r/developersIndia | 2023-09-16

If someone in the community is interested in doing these projects, we will be happy to guide and help you. The contributions guidelines are available here: https://github.com/openappsec/openappsec/blob/main/CONTRIBUTING.md

• Application-Security-Engineer-Interview-Questions

  4 604 0.0

  Some of the questions which i was asked when i was giving interviews for Application/Product Security roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer

• Damn-Vulnerable-Bank

  3 606 4.7 Java

  Damn Vulnerable Bank is designed to be an intentionally vulnerable android application. This provides an interface to assess your android application security hacking skills.

• Spoofy

  2 542 5.4 Python

  Spoofy is a program that checks if a list of domains can be spoofed based on SPF and DMARC records.

• Awesome-Android-Reverse-Engineering

  3 525 4.4

  A curated list of awesome Android Reverse Engineering training, resources, and tools.

• awesome-ios-security

  3 436 0.0

  A curated list of awesome iOS application security resources.

• faction

  1 356 9.4 JavaScript

  Pen Test Report Generation and Assessment Collaboration

  

Project mention: Open Source Security Assessment Collaboration Platform | /r/RedSec | 2023-11-29

• continuous-threat-modeling

  1 288 0.0

  A Continuous Threat Modeling methodology

  

• ThreatPlaybook

  2 267 0.0 Python

  A unified DevSecOps Framework that allows you to go from iterative, collaborative Threat Modeling to Application Security Test Orchestration

  

• SaaSHub

  www.saashub.com featured

  SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

  

application-security related posts

• ETag and HTTP Caching

  4 projects | news.ycombinator.com | 10 Apr 2024

• Show HN: Clace – Nginx Unit alternative – app server for internal apps

  2 projects | news.ycombinator.com | 10 Apr 2024

• Show HN: Clace – Platform for hypermedia driven internal web tools

  1 project | news.ycombinator.com | 29 Mar 2024

• The End of Airplane.dev

  2 projects | news.ycombinator.com | 6 Mar 2024

• Launch HN: Corgea (YC S23) – Auto fix vulnerable code

  5 projects | news.ycombinator.com | 9 Jan 2024

• I think I will have to write a web site even though I'm not a web developer

  1 project | /r/webdev | 7 Dec 2023

• Python Is Easy. Go Is Simple. Simple = Easy

  5 projects | news.ycombinator.com | 27 Nov 2023
• A note from our sponsor - InfluxDB
  www.influxdata.com | 10 May 2024

  Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality. Learn more →

Index

Sponsored

SaaSHub - Software Alternatives and Reviews

SaaSHub helps you find the best software and product alternatives

www.saashub.com