Top 23 Appsec Open-Source Projects

• CheatSheetSeries

  49 26,480 9.1 Python

  The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

  

Project mention: Next.js: consequence of AppRouter on your CSP | dev.to | 2024-03-07

Cross Site Scripting Prevention Cheat Sheet from OWASP Cheat Sheet Series

• ZAP

  61 11,987 9.2 Java

  The ZAP core project

  

Project mention: Bruno | news.ycombinator.com | 2024-03-09

I use ZAP [1] with the OAST add-on for this at the moment. I admit the UX isn't perfect, but it serves my purpose.

If I also want control over the responses (e.g. return a 401 status code for every fifth request), I have a custom extender script [2] for that.

[1]: https://www.zaproxy.org/

• InfluxDB

  www.influxdata.com sponsored

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• dirsearch

  12 11,213 7.9 Python

  Web path scanner

Project mention: Looking for some help with this Python package | /r/learnpython | 2023-08-19

I am new to Python. With the help of several users (thanks u/Diapolo10 and u/shiftybyte)I've been able to install Python and the dirsearch package. Dirsearch (https://github.com/maurosoria/dirsearch) allows for checking website paths with a wordlist. For example, I have a wordlist file with words like "dog", "cat", "bird", etc and I want to check the validity of those words as extensions on a website. Something like "example.com/bird", "example.com/cat", etc. I have a test wordlist in the same directory as dirsearch, but I am confused on how to proceed with the commands. I want to have it check my wordlist as extensions on the example.com website and then save output on if the webpath is valid or not. Just need a little bit of help.

• juice-shop

  21 9,522 9.8 TypeScript

  OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

  

Project mention: Launch HN: Corgea (YC S23) – Auto fix vulnerable code | news.ycombinator.com | 2024-01-09

Hi HN, I’m the founder of Corgea (https://corgea.com). We help companies fix their vulnerable source code using AI.

Originally, we started with a data security product that would detect data leaks at companies. Despite initial successes and customer acquisitions, we frequently heard that highlighting issues wasn't enough; customers wanted proactive fixes. They had hundreds (yes hundreds!) of security tools alerting them about vulnerabilities, but couldn’t afford a dedicated team to go through them all and fix them. One prospect we spoke to had tens of thousands of reported vulnerabilities in their SAST tool. With the rise of AI code generation, we saw an opportunity to give customers what they really wanted.

Having Corgea is like having a security engineer on staff focused on making your code more secure. We want security to be an enabler of engineering rather than a blocker to it, and the reverse to be true. To accomplish this, we built it on top of existing LLMs to issue code fixes.

To show Corgea’s capabilities, we took some popular vulnerable-by-design applications like Juice Shop (https://github.com/juice-shop/juice-shop), scanned them and issued fixes for their vulnerabilities. You can see some of them here: https://demo.corgea.com. Some examples of vulnerabilities it solves are like SQL injection, Path Traversal and XSS.

What makes this tough is that currently LLMs struggle at generalist coding tasks because it has to understand your whole code base, the domain you’re in, and the user’s request to do something. This can lead to a lot of unintended behavior where it codes things incorrectly because it’s giving a best guess at what you want. Adam, one of the founding engineers on the team coined it well: LLMs don’t reason, they fuzz.

We made several decisions that helped the LLM become more deterministic. First, what we’re doing is extremely domain specific: vulnerable code fixes in a limited number of programming languages. There are roughly 900 security vulnerabilities in code, called CWE’s (https://cwe.mitre.org/), that we’ve built into Corgea. An SQL injection vulnerability in a Javascript app is the same regardless if you’re a payments company or a travel booking website. Second, we have no user generated input going into the LLM, because SAST scanners everything needed to issue a fix. This makes it much more predictable and reproducible for us and customers. We can also create robust QA processes and checks.

To illustrate the point, let’s put some of this to the test using some napkin math. Assume you’re serving 5,000 enterprises that ship on average 300 domain specific features a year in 5 different programming languages that each require 30 lines of code changes across multiple files. You’ll have about 300m permutations the product needs to support. What a nightmare!

Using the same napkin math, Corgea needs to support the ~900 vulnerabilities (CWE’s). Most of them require 1 - 2 line changes. It doesn’t need to understand the whole codebase since the problem is usually isolated to a few lines. We want to support the 5 most popular programming languages. If we have 5,000 customers, we have to support ~4,500 permutations (900 issues x 5 different languages). This leads to a massive difference in accuracy. Obviously, this is an oversimplification of the whole thing but it illustrates the point.

What makes this different from Copilot and other code-gen tools is that they do not specialize in security and we’ve seen them inadvertently introduce security issues unbeknownst to the engineer. Additionally, they do not integrate into existing scanning tools that companies are using to resolve those issues. So unless a developer is working on every part of the product, they’re unable to clear security backlogs, which can be in the thousands of tickets.

As for security scanners, the current market is flooded with tools that report and overwhelm security teams and are not effective at fixing what they’re reporting. Most vulnerability scanners do not remediate issues, and if they do they’re mostly limited to upgrading packages from one version to another to reduce a CVSS. If they do offer CWE remediation capabilities their success rates are very low because they’re often based on traditional AI methodologies. Additionally, they do not integrate with each other because they want to only serve their own findings. Enterprises use multiple tools like Snyk, Semgrep, Checkmarx, but also have a penetration testing program, and a bug bounty program. They need a solution that consolidates across their existing tools. They also use Github, Gitlab and Bitbucket for their code repository.

We’re offering a free tier for smaller teams and priced tiers. We believe we can reduce 80% of the engineering effort for security fixes, which would equate to at least $10m a year for enterprises.

We’re really excited to share this with you all and we’d love any thoughts, feedback, and comments!

• wstg

  27 6,661 7.6 Dockerfile

  The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.

  

Project mention: Where do you focus your time and energy? | /r/bugbounty | 2023-12-10

At the beginning, I read all things in here https://owasp.org/www-project-web-security-testing-guide/, also gets familiars with owasp top 10. But later on, I focus on a few techniques only.

• awesome-web-hacking

  2 5,432 5.4

  A list of web application security

• WhatWeb

  1 5,096 0.0 Ruby

  Next generation web scanner

• WorkOS

  workos.com sponsored

  The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

  

• Go-SCP

  1 4,706 3.7 Go

  Golang Secure Coding Practices guide

  

• faraday

  8 4,615 5.0 Python

  Open Source Vulnerability Management Platform (by infobyte)

  

• w3af

  1 4,409 0.0 Python

  w3af: web application attack and audit framework, the open source web vulnerability scanner.

Project mention: HoneyPot – I Made a Text Field Only Bots Use – Heres What Happened | news.ycombinator.com | 2023-11-18

Yes, a lot of tools, including some like w3af do:

https://github.com/andresriancho/w3af/blob/fb345a5/w3af/core...

This one sends the payload reversed as a test to see if the delay is due to the SQLi attempt

• security-study-plan

  3 4,108 6.4

  Complete Practical Study Plan to become a successful cybersecurity engineer based on roles like Pentest, AppSec, Cloud Security, DevSecOps and so on...

• payloads

  1 3,519 0.0 Shell

  Git All the Payloads! A collection of web attack payloads. (by foospidy)

• django-DefectDojo

  6 3,384 9.9 HTML

  DevSecOps, ASPM, Vulnerability Management. All on one platform.

  

• Security-101

  1 3,291 7.9

  8 Lessons, Kick-start Your Cybersecurity Learning.

  

Project mention: Microsoft Security-101: Open-Source curriculum | news.ycombinator.com | 2024-02-29

• interactsh

  9 3,097 9.2 Go

  An OOB interaction gathering server and client library

  

• dependency-track

  18 2,315 9.8 Java

  Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

  

Project mention: Show HN: Pre-alpha tool for analyzing spdx SBOMs generated by GitHub | news.ycombinator.com | 2024-04-21

I've become interested in SBOM recently, and found there were great tools like https://dependencytrack.org/ for CycloneDX SBOMs, but all I have is SPDX SBOMs generated by GitHub.

I decided to have a go at writing my own dependency track esque tool aiming to integrate with the APIs GitHub provides.

It's pretty limited in functionality so far, but can give a high level summary of the types of licenses your repository dependencies use, and let you drill down into potentially problematic ones.

Written in NextJS + mui + sqlite, and using another project of mine to generate most of the API boilerplate/glue (https://github.com/mnahkies/openapi-code-generator)

• ziti

  84 2,071 9.8 Go

  The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti

  

Project mention: Show HN: OpenZiti (Apache 2.0, P2P, E2E encrypted, full mesh overlay) is now 1.0 | news.ycombinator.com | 2024-04-23

• kics

  13 1,896 9.9 Open Policy Agent

  Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.

  

Project mention: A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons | dev.to | 2024-04-16

KICS (stands for "Keeping Infrastructure as Code Secure"): Owner/Maintainer: Checkmarx Age: First released on GitHub on November 30th, 2020 License: Apache License 2.0

• cicd-goat

  17 1,807 5.0 Python

  A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges.

  

Project mention: CI/CD Access All Areas? | dev.to | 2023-09-23

In this blog post, we want to explore what happens if a development machine gets compromised, granting an attacker write access to source code repositories. To experience this first-hand, we're using CI/CD Goat, and one of the CTF challenges to play through the scenario of an attacker gaining access to sensitive data within build infrastructure.

• bearer

  18 1,736 9.6 Go

  Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.

  

Project mention: Show HN: Bearer Code Security Scanner Add Support for Java, PHP, Go, and Python | news.ycombinator.com | 2023-10-26

• awesome-threat-modelling

  2 1,247 1.3 Dockerfile

  A curated list of threat modeling resources (Books, courses - free and paid, videos, tools, tutorials and workshops to practice on ) for learning Threat modeling and initial phases of security review.

  

• mutillidae

  5 1,171 7.8 PHP

  OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application providing a target for web-security training. This is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTF, and vulnerability assessment tool targets.

Project mention: If you're looking for resources pertaining to hands-on practical demonstrations of learned skills and tools/techniques, look no further. | /r/Kalilinux | 2023-11-15

There's also a bunch of intentionally vulnerable Webapps and VMs aimed at demonstrating potential footholds and common exploits leading to owning of the host including but not limited to: bWAPP, Damn Vulnerable Web App, WebGoat, Metasploitable 3, Mutillidae, Juice Shop

• writeups

  22 1,147 0.0
  

• SaaSHub

  www.saashub.com sponsored

  SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

  

Appsec related posts

• Show HN: OpenZiti (Apache 2.0, P2P, E2E encrypted, full mesh overlay) is now 1.0
  1 project | news.ycombinator.com | 23 Apr 2024
• Show HN: Pre-alpha tool for analyzing spdx SBOMs generated by GitHub
  3 projects | news.ycombinator.com | 21 Apr 2024
• SQL Injection Isn't Dead Yet
  2 projects | dev.to | 15 Apr 2024
• Microsoft Security-101: Open-Source curriculum
  3 projects | news.ycombinator.com | 29 Feb 2024
• Dependency-Track
  1 project | news.ycombinator.com | 27 Oct 2023
• Show HN: Bearer Code Security Scanner Add Support for Java, PHP, Go, and Python
  1 project | news.ycombinator.com | 26 Oct 2023
• CI/CD Access All Areas?
  1 project | dev.to | 23 Sep 2023
• A note from our sponsor - WorkOS
  workos.com | 26 Apr 2024

  The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning. Learn more →

Index

Sponsored

SaaSHub - Software Alternatives and Reviews

SaaSHub helps you find the best software and product alternatives

www.saashub.com