Security

Open-source projects categorized as Security

Top 23 Security Open-Source Projects

  • GitHub repo the-book-of-secret-knowledge

    A collection of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools and more.

    Project mention: The Book Of Secret Knowledge | reddit.com/r/programming | 2021-07-16
  • GitHub repo Awesome-Hacking

    A collection of various awesome lists for hackers, pentesters and security researchers

    Project mention: RN to programmer | reddit.com/r/learnprogramming | 2021-07-01

    Bookmark this: https://github.com/Hack-with-Github/Awesome-Hacking/blob/master/README.md

  • GitHub repo x64dbg

    An open-source x64/x32 debugger for windows.

    Project mention: CPP projects I can get involved in? | reddit.com/r/cpp | 2021-09-19

    You are welcome to contribute to x64dbg, a user mode debugger for Windows. The codebase isn’t the most modern, but there is a branch with a CMake port and modernization is very welcome! Feel free to hit me up if you’re interested and need some pointers :)

  • GitHub repo Caddy

    Fast, multi-platform web server with automatic HTTPS

    Project mention: Mozilla HTTP Observatory | news.ycombinator.com | 2021-09-20

    > Nothing, probably. In a sane country and legal system doing things like that would be illegal.

    It should, but it isn't always the case. Not only that, but even if it is technically illegal, it still might be done because of a lack of people who'll take the guilty parties to court over it. So, in reality, you cannot avoid viewing that as a well founded risk.

    > But on the other hand forcing HTTPS means that some users will never be able access it due to old browsers and/or hardware.

    In a similar argument about what "should" happen - Google shouldn't just abandon numerous Android devices out there, nor should any other vendor. There should be mechanisms in place to ensure that these devices continue to function for the decades to come.

    But since that's not the case, it's inevitable that you'll cut off a small portion of your potential userbase, same as with many sites simply not functioning because the developers made the choice to require JS. Of course, that is your choice, unless other concerns (like security) force your hand.

    > More likely though is that I mess up the HTTPS certificates, either by mistake or inaction, and lock out everyone who doesn't dare click the correct sequence of "ignore warning" buttons. I've already managed to block access for normal users to several sites, several times, by running too old certbot versions, not integrating things properly and whatnot. It's a good thing I'll never use HSTS and HPKP, or I'll make permanent messes.

I run a couple of sites through a .dev domain and I do agree with what you're saying, since locking yourself out sooner or later is inevitable, but in my eyes I'd treat it like any other problem out there, much like messing up exposing the correct firewall ports - fix the problem, set up monitoring to be alerted of any problems in the future and move on.

    That's why having development/test/staging environments is really useful and in case you fear rate limits, Let's Encrypt also has a staging environment that you can use before switching over to prod: https://letsencrypt.org/docs/staging-environment/

Not only that, but there are a few web servers here and there that attempt to improve the situation with ensuring SSL/TLS, like Traefik. Personally, however, I've found Caddy to be the most painless, since with it I don't need to mess around with integrating certbot with Apache/Nginx, but instead can just use it, since it works out of the box for the most part: https://caddyserver.com/

    Apart from that, you can always just expose a version without HTTPS on the server's ports locally, so that you can set up a tunnel through SSH and access it from your device in emergency situations (or just use a self signed certificate for the "private" version).

  • GitHub repo PayloadsAllTheThings

    A list of useful payloads and bypass for Web Application Security and Pentest/CTF

    Project mention: Anyone try 327ing the Texas Hotline? | reddit.com/r/xkcd | 2021-09-03
  • GitHub repo Metasploit

    Metasploit Framework

    Project mention: OWASP Top 10 for Developers: Using Components with Known Vulnerabilities | dev.to | 2021-09-14

    This is one of the most prevalent issues among the OWASP Top 10. The growing reliance on third-party components creates a risk if dependencies aren't kept up to date. There are numerous tools, such as the Metasploit Framework, available to attackers, that allow them to easily identify and exploit known vulnerabilities in applications and operating systems. In many cases, a patch has been released for these vulnerable applications, but the victim organization has been slow to update their dependencies. Additionally, developers may not thoroughly understand the nested dependencies of all of the libraries that are being used in an application.

  • GitHub repo mitmproxy

    An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

    Project mention: How to write a code that activates upon entering specific keywords to prevent a section in Google search from showing up? | reddit.com/r/learnpython | 2021-09-17

You will need to write your own. Basically this is just a plug-in for https://mitmproxy.org/, which has a Python API for extending it.

  • GitHub repo cs-video-courses

    List of Computer Science courses with video lectures.

    Project mention: Learning path for Data Structures and Algorithms? | reddit.com/r/AskComputerScience | 2021-08-21

    Here's a list of CS Video Courses you could look at. Here's the section on Data Structures/Algorithms

  • GitHub repo algo

    Set up a personal VPN in the cloud

    Project mention: ExpressVPN CIO Helped United Arab of Emirates Hack Into Phones, Computers | reddit.com/r/tech | 2021-09-16

But if you know your way around GitHub projects maybe use Algo and Streisand in conjunction with most known protocols to set up your own. VPNs do not protect you, they just hide your activity, which is something people confuse with each other. Depending on your needs a VPN might not be worth it at all.

  • GitHub repo SQLMap

    Automatic SQL injection and database takeover tool

    Project mention: TryHackMe- Juicy Details Room | dev.to | 2021-08-14

Q3) What endpoint was vulnerable to SQL injection?

    Solution: Line 550) ::ffff:192.168.10.5 - - [11/Apr/2021:09:29:14 +0000] "GET /rest/products/search?q=1 HTTP/1.1" 200 - "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
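The answer above finds the vulnerable endpoint by spotting sqlmap's default User-Agent in the access log. The script below is an added example (not part of the TryHackMe writeup or of sqlmap itself) that turns that manual step into a check you can run over a whole log: it flags requests whose User-Agent matches known scanner strings and, because `sqlmap --random-agent` spoofs the UA trivially, also flags requests whose request line carries SQL-injection markers. The first sample log line is the one quoted in the writeup; the other two lines and both pattern lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: spot SQL-injection probing in a combined-format access log.
# Two signals: a scanner User-Agent (noisy but trivially spoofed) and SQL
# metacharacters in the request line (catches tools run with a spoofed UA).

# Assumptions: both lists are illustrative, not exhaustive; extend to taste.
SCANNER_UA_PATTERN='sqlmap|Havij|jSQL|Nikto'
SQLI_PAYLOAD_PATTERN="%27|'|UNION|SLEEP|BENCHMARK|WAITFOR"

# Constructed sample log. Line 1 is the one quoted in the writeup above;
# lines 2 and 3 are made up to show a spoofed-UA probe and a benign request.
SAMPLE_LOG='::ffff:192.168.10.5 - - [11/Apr/2021:09:29:14 +0000] "GET /rest/products/search?q=1 HTTP/1.1" 200 - "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
::ffff:192.168.10.5 - - [11/Apr/2021:09:29:15 +0000] "GET /rest/products/search?q=1%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 500 - "-" "Mozilla/5.0"
::ffff:10.0.0.7 - - [11/Apr/2021:09:30:02 +0000] "GET /rest/products/search?q=apple HTTP/1.1" 200 - "-" "Mozilla/5.0"'

# detect_sqli_probes: reads log lines on stdin, prints "client path reason"
# for each suspicious request. Splitting on the double quote gives
# $2 = request line, $4 = referer, $6 = user agent in combined log format.
detect_sqli_probes() {
    awk -F'"' -v ua_pat="$SCANNER_UA_PATTERN" -v payload_pat="$SQLI_PAYLOAD_PATTERN" '
        {
            split($1, head, " "); client = head[1]
            split($2, req, " ");  path = req[2]; sub(/[?].*/, "", path)
            reason = ""
            if ($6 ~ ua_pat)                        reason = "scanner-ua"
            else if (toupper(req[2]) ~ payload_pat) reason = "sqli-payload"
            if (reason != "") print client, path, reason
        }'
}

# flagged_endpoints: the distinct paths that were probed, i.e. the answer to
# "which endpoint was attacked" without reading the log by hand.
flagged_endpoints() {
    detect_sqli_probes | awk '{ print $2 }' | sort -u
}

# Stand-alone run over the constructed sample; pipe a real access.log in instead.
printf '%s\n' "$SAMPLE_LOG" | detect_sqli_probes
```

Feed a real log with `detect_sqli_probes < /var/log/nginx/access.log`. The payload pattern is deliberately coarse (a legitimate search for "reunion" will match `UNION`), so treat hits as triage candidates, and correlate the client address across both reasons: the same source first announcing itself as sqlmap and then sending encoded `UNION SELECT` probes with a browser UA is the usual shape of a scan.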

  • GitHub repo hosts

    🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.

    Project mention: Arch user looking for a new desktop distro | reddit.com/r/FindMeADistro | 2021-09-18

If your accounts are precious and can't have a keylogger/malware then any distro, possibly a YubiKey or fingerprint; you may also want /etc/hosts based malware blocking cough cough and a secure browser with sandboxing like LibreWolf with an adblocker like uBlock Origin

  • GitHub repo macOS-Security-and-Privacy-Guide

    Guide to securing and improving privacy on macOS

    Project mention: Privacy tips for my first Apple device, MacBook Pro | reddit.com/r/thehatedone | 2021-07-06
  • GitHub repo CheatSheetSeries

    The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

    Project mention: Don’t underestimate the value of a secure, seamless ‘forgot password’ flow | dev.to | 2021-09-16

    The constant evolution of best practices. Best practices regarding SSPR workflows are constantly evolving - from manual reset to security questions to email reset to SMS workflows to passwordless logins. You should keep up with these changes to make sure your password reset process stays secure and up-to-date.

  • GitHub repo OSQuery

    SQL powered operating system instrumentation, monitoring, and analytics.

    Project mention: osquery 5 released. Some great new features. | reddit.com/r/blueteamsec | 2021-09-14
  • GitHub repo setup-ipsec-vpn

    Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

    Project mention: Well it's been sitting on my desk for years now | reddit.com/r/ProgrammerHumor | 2021-09-19

    I use this one: https://github.com/hwdsl2/setup-ipsec-vpn

  • GitHub repo radare2

    UNIX-like reverse engineering framework and command-line toolset

    Project mention: That took a wild turn | reddit.com/r/ProgrammerHumor | 2021-04-15

    True story: there is a project called Radare2 (or r2) which recently has been forked as Rizin. The reasons for the fork were many, but one of the things they changed was renaming occurrences in code of words like "anal", "sex", etc.

  • GitHub repo openzeppelin-contracts

    OpenZeppelin Contracts is a library for secure smart contract development.

    Project mention: Has anyone built a dApp here? If so can you share what you built? Anyone want to build one together? | reddit.com/r/Python | 2021-09-20

    I don't know a good DAO project off the top of my head, but if you've already read through the Solidity documentation, have a look at the OpenZeppelin contracts for some examples of this done well.

  • GitHub repo How-To-Secure-A-Linux-Server

    An evolving how-to guide for securing a Linux server.

    Project mention: If I run my own Matrix Home server, what actions do I need to do such that it is secury? I'm no security expert. Do I need to monitor actively or can I just set it up and use it for the next few years? | reddit.com/r/matrixdotorg | 2021-07-28

    Not a comprehensive guide by any means, but this might be a good starting place for you: link.

  • GitHub repo Tink

    Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.

    Project mention: Harmony Crypto: Multi-process Encrypted SharedPreferences | reddit.com/r/androiddev | 2021-06-01

    Also, given that Google used Tink for Encrypted SharedPreferences, I had to make some modifications there to allow proper usage of Harmony Crypto. The problem I ran into was that Tink used Android SharedPreference to store keys, but didn't allow for any SharedPreference object to be passed in, which meant that Tink was not process safe. That led to making this PR (https://github.com/google/tink/pull/493), but working around the problem for the meantime by creating custom classes within the Tink package space to be used in the Harmony Crypto project.

  • GitHub repo hydra

    OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Compatible with MITREid.

    Project mention: Simplest way to handle authentication WITHOUT a third party? Please any advice really helps | reddit.com/r/reactjs | 2021-07-27

    Check this OpenSource OAuth server: https://github.com/ory/hydra

  • GitHub repo Lean and Mean Docker containers

    DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)

    Project mention: Creating Production-Ready Containers - The Basics | dev.to | 2021-06-03

    There are many ways to slim a container, from basic security to fully automated open-source tools like DockerSlim. Full disclosure: I work for Slim.AI, a company founded on the DockerSlim open source project. Let's look at some of the common ways developers create production-ready container images today.

  • GitHub repo bettercap

    The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 networks reconnaissance and MITM attacks.

    Project mention: Finding Vulnerabilities On WiFi Network | reddit.com/r/hacking | 2021-08-08

    Bettercap/Ettercap are also powerful tools: https://www.bettercap.org/

  • GitHub repo KeeWeb

    Free cross-platform password manager compatible with KeePass

    Project mention: Help me understand SSL/TLS | reddit.com/r/sysadmin | 2021-08-28

The Dockerfile for KeeWeb runs entrypoint.sh. You can read that script in the same GitHub repo. It generates DH parameters and a self-signed SSL certificate if those files don't already exist. Generating SSL certificates is not something that nginx does itself.
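The entrypoint described above generates DH parameters and a self-signed certificate only when the files are absent, which is what keeps a container restart from silently rotating the certificate and invalidating whatever trust you pinned to it. The functions below are an added example of that idempotent setup, plus the expiry probe that the Caddy thread earlier on this page recommends wiring into monitoring; they are not KeeWeb's entrypoint.sh, and the directory layout, hostname and 365-day lifetime are assumptions.

```shell
#!/bin/sh
# Added example: idempotent TLS bootstrap for an nginx-style container plus a
# certificate expiry probe. Requires the openssl CLI (1.1.1 or newer for -addext).
set -u

# ensure_tls_material DIR HOSTNAME
# Creates DIR/dhparam.pem, DIR/key.pem and DIR/cert.pem only if they are missing,
# so re-running the entrypoint never replaces material that is already in use.
ensure_tls_material() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    if [ ! -f "$dir/dhparam.pem" ]; then
        # -dsaparam builds the group in seconds rather than minutes. Such parameters
        # are only suitable for ephemeral (DHE) keys, which is how a TLS server uses
        # them; drop the flag if you want classic safe-prime parameters.
        openssl dhparam -dsaparam -out "$dir/dhparam.pem" 2048 2>/dev/null
    fi
    if [ ! -f "$dir/cert.pem" ] || [ ! -f "$dir/key.pem" ]; then
        # Self-signed leaf with a SAN: browsers ignore the CN alone, so without
        # subjectAltName even an explicitly trusted cert fails hostname checks.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
            -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
        chmod 600 "$dir/key.pem"
    fi
}

# cert_valid_for_days CERT DAYS
# Succeeds (exit 0) if CERT is still valid DAYS days from now, fails otherwise.
# -checkend is portable across openssl versions, unlike parsing notAfter with date(1).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# cert_cn CERT
# Prints the subject CN; handy for spotting a forgotten self-signed cert in prod.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone use: sh tls-bootstrap.sh /etc/nginx/tls app.example.internal
if [ $# -eq 2 ]; then
    ensure_tls_material "$1" "$2"
    if cert_valid_for_days "$1/cert.pem" 30; then
        echo "certificate for $(cert_cn "$1/cert.pem") is valid for at least 30 days"
    else
        echo "WARNING: certificate for $(cert_cn "$1/cert.pem") expires within 30 days" >&2
    fi
fi
```

The same `cert_valid_for_days` check, pointed at the certificate your reverse proxy actually serves, is the cheapest alarm for the "ran an old certbot and locked everyone out" failure described in the Caddy thread: run it from cron with a threshold a week or two longer than your renewal window and page on a non-zero exit. Note that a self-signed certificate is only appropriate for the private, tunnelled instance that thread mentions; anything public still needs an ACME-issued one.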

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions counts repo mentions in the last 12 months or since we started tracking (Dec 2020). The latest post mention was on 2021-09-20.

Index

What are some of the best open-source Security projects? This list will help you:

Project Stars
1 the-book-of-secret-knowledge 48,050
2 Awesome-Hacking 45,843
3 x64dbg 37,366
4 Caddy 34,606
5 PayloadsAllTheThings 30,087
6 Metasploit 25,079
7 mitmproxy 24,617
8 cs-video-courses 24,070
9 algo 21,489
10 SQLMap 21,105
11 hosts 18,692
12 macOS-Security-and-Privacy-Guide 18,369
13 CheatSheetSeries 18,340
14 OSQuery 18,227
15 setup-ipsec-vpn 16,381
16 radare2 14,906
17 openzeppelin-contracts 12,254
18 How-To-Secure-A-Linux-Server 11,662
19 Tink 11,588
20 hydra 11,427
21 Lean and Mean Docker containers 10,625
22 bettercap 10,351
23 KeeWeb 10,337