Top 23 Security Open-Source Projects
A collection of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools and more.
Project mention: Collection of manuals, cheatsheets, blogs, one-liners, CLI/web tools | news.ycombinator.com | 2021-02-19
Fast, multi-platform web server with automatic HTTPS
Project mention: How can we automate NGINX certificates every time it expires? | reddit.com/r/selfhosted | 2021-02-27
I recommend using Caddy, which has automated certificate management built-in. https://caddyserver.com/
Metasploit Framework
Project mention: wp_admin_shell_upload | reddit.com/r/HowToHack | 2021-02-14
A list of useful payloads and bypasses for Web Application Security and Pentest/CTF
Project mention: Resources to get you started in Cybersecurity (for free). | dev.to | 2021-02-22
An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
Project mention: What's the best book or other resource on web API pentesting? | reddit.com/r/Pentesting | 2021-02-23
API testing has some interesting overlap with mobile pentesting too. You can proxy your phone with a tool like mitmproxy and look at the HTTP method requests going to the server from your device. If you're handy with Python, mitmproxy has some extensibility capabilities and you could even get it to behave like a janky Burp Suite clone. If I'm not mistaken, projects like McBroken, which find broken McDonald's ice cream machines, were only possible because mobile application actions were sniffed and mapped to create the appropriate responses and aggregate the data necessary.
List of Computer Science courses with video lectures.
Project mention: I built a collaborative list of resources for developers | reddit.com/r/learnprogramming | 2021-02-04
Cs Video Courses: Developer-Y/cs-video-courses: List of Computer Science courses with video lectures. (github.com)
Set up a personal VPN in the cloud
Project mention: VPN setup? | reddit.com/r/Ubiquiti | 2021-02-17
If you haven’t already looked into what to use on the other side to terminate the VPN in AWS (or wherever), I highly recommend AlgoVPN, both for the ease of provisioning and deployment and for the “pretty darn hard to deploy it insecurely” factor. It supports only IKEv2 and WireGuard, very deliberately.
Automatic SQL injection and database takeover tool
Project mention: I am building a form with a database and trying to validate it and make it secure. But how can I test it/hack my own form? | reddit.com/r/PHPhelp | 2021-02-10
sqlmap can be used to test for SQL injections.
Guide to securing and improving privacy on macOS
Project mention: Spy pixels in emails 'have become endemic' | news.ycombinator.com | 2021-02-16
macOS Mail.app -> Preferences -> Viewing -> Uncheck "Load remote content in messages"
Privacy defaults come down to usability vs. privacy; Apple making this so easy to toggle is fine by me as I care about privacy and tracking.
Now, it would be great if every macOS application walked you through privacy settings right after installation, in the same way that I am offered a tour of the new features. Since there is no such "privacy tour", the community has discussed ways in which macOS can be hardened.
SQL powered operating system instrumentation, monitoring, and analytics.
Project mention: Antivirus solutions? | reddit.com/r/gsuite | 2021-02-03
Consolidating and extending hosts files from several well-curated sources. You can optionally pick extensions to block pornography, social media, and other categories.
Project mention: Question for Christian Women about How You'd React to a Confession | reddit.com/r/christiandatingadvice | 2021-03-02
You can install a filter on your router or phone to help block such content from reaching you (e.g. Steven Black's hosts file), but ultimately it is a heart issue. I'm sure you've heard of the verses about how looking with lust is the same as committing adultery (Matthew 5:28). It would be lame to have to tell your future spouse that you love her, but not enough to stop getting thrills from hired sex slaves over cams. That is a real turn-off.
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
Project mention: OWASP Cheat Sheet Series | reddit.com/r/patient_hackernews | 2021-02-15
Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
Project mention: Honestly, how true is this? And do we really have to delete WhatsApp? | reddit.com/r/mexico | 2021-01-16
If you don't believe this is secure, then set up an IPsec VPN server with https://github.com/hwdsl2/setup-ipsec-vpn, connect to it from your phone, and on the server use the terminal to install a traffic monitor so you can see how your content travels in and out; if you send a message over WhatsApp you will see that the blocks are encrypted, showing up as random symbols and text.
An evolving how-to guide for securing a Linux server.
Project mention: How to actually start selfhosting? | reddit.com/r/selfhosted | 2021-02-12
- Secure your server
Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
Project mention: Building a Secure Signed JWT | reddit.com/r/programming | 2021-01-15
Tink appears to be focused on cryptography and not token signing. Maybe more of a complement? I did see a section about digital signing: https://github.com/google/tink/blob/master/docs/PRIMITIVES.md#digital-signatures and don't see any reason you couldn't integrate Tink to sign JWTs.
OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Compatible with MITREid.
Project mention: Ory Hydra 1.9: Open-source Golang OAuth2 provider | reddit.com/r/patient_hackernews | 2021-01-13
Free cross-platform password manager compatible with KeePass
Project mention: KeeWeb? | reddit.com/r/KeePass | 2021-03-02
In terms of safety, I would pose such questions to the developer: GitHub or About the dev website. There's also this: Hackmanit penetration test.
DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more), making it secure too! (free and open source)
Project mention: Minimal base images roundup | reddit.com/r/kubernetes | 2021-02-21
Yeah in the end distroless is likely always going to be the smallest image, as it really cuts out everything that's not necessary to run your app. You might experiment with taking a debian-slim or minideb image and running it through docker-slim to see if it gets closer to the distroless output: https://github.com/docker-slim/docker-slim
This is a collection of tutorials for learning how to use Docker with various tools. Contributions welcome.
Project mention: Hardening Docker and Kubernetes with seccomp | dev.to | 2021-01-15
These JSON profiles can use quite a few options and can become very complex, so the one above is really trimmed down to the bare minimum. To see what a real profile would look like, you can check out Docker's profile here.
The Rogue Access Point Framework
Project mention: Create a Wi-Fi hotspot for data interception | reddit.com/r/Hacking_Tutorials | 2021-02-10
You could do almost the same thing with this: https://github.com/wifiphisher/wifiphisher. It's a great tool to clone a Wi-Fi network, asking you for the password while deauthing the original hotspot.
OpenZeppelin Contracts is a library for secure smart contract development.
Project mention: Help auditing a simple ERC20 "Project Hydro" scam coin | reddit.com/r/ethdev | 2021-02-28
On the one hand, it is common for an ERC20 to implement a burn operation. The burn is typical in certain DeFi tokens that essentially commit a stock buyback. The problem with this implementation is that onlyOwner and contracts that pass the whitelisting modifier can burn from anyone's address. This is pretty bad. Standard practice seems to be burning only from the caller address. A good example is OpenZeppelin's Burnable implementation here: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/extensions/ERC20Burnable.sol#L34-L39.
Unified access for SSH servers, Kubernetes, web applications, and databases, written in Go
Project mention: Ask HN: Who is hiring? (March 2021) | news.ycombinator.com | 2021-03-01
Exploitation Framework for Embedded Devices
Project mention: [Discussion] Anyone managed to get RouterSploit working on iOS? Or know something that works? | reddit.com/r/jailbreak | 2021-01-04
What are some of the best open-source Security projects? This list will help you:
18. Lean and Mean Docker containers (9,725)