Top 23 Security Open-Source Projects
A collection of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools and more.
Project mention: The Book Of Secret Knowledge | reddit.com/r/programming | 2021-07-16
A collection of various awesome lists for hackers, pentesters and security researchers
Project mention: RN to programmer | reddit.com/r/learnprogramming | 2021-07-01
Bookmark this: https://github.com/Hack-with-Github/Awesome-Hacking/blob/master/README.md
Run Linux Software Faster and Safer than Linux with Unikernels.
An open-source x64/x32 debugger for Windows.
Project mention: CPP projects I can get involved in? | reddit.com/r/cpp | 2021-09-19
You are welcome to contribute to x64dbg, a user mode debugger for Windows. The codebase isn’t the most modern, but there is a branch with a CMake port and modernization is very welcome! Feel free to hit me up if you’re interested and need some pointers :)
Fast, multi-platform web server with automatic HTTPS
Project mention: Mozilla HTTP Observatory | news.ycombinator.com | 2021-09-20
> Nothing, probably. In a sane country and legal system doing things like that would be illegal.
It should, but it isn't always the case. Not only that, but even if it is technically illegal, it still might be done because of a lack of people who'll take the guilty parties to court over it. So, in reality, you cannot avoid viewing that as a well-founded risk.
> But on the other hand forcing HTTPS means that some users will never be able to access it due to old browsers and/or hardware.
In a similar argument about what "should" happen - Google shouldn't just abandon numerous Android devices out there, nor should any other vendor. There should be mechanisms in place to ensure that these devices continue to function for the decades to come.
But since that's not the case, it's inevitable that you'll cut off a small portion of your potential userbase, same as with many sites simply not functioning because the developers made the choice to require JS. Of course, that is your choice, unless other concerns (like security) force your hand.
> More likely though is that I mess up the HTTPS certificates, either by mistake or inaction, and lock out everyone who doesn't dare click the correct sequence of "ignore warning" buttons. I've already managed to block access for normal users to several sites, several times, by running too old certbot versions, not integrating things properly and whatnot. It's a good thing I'll never use HSTS and HPKP, or I'll make permanent messes.
I run a couple of sites through a .dev domain and I do agree with what you're saying, since locking yourself out sooner or later is inevitable, but in my eyes I'd treat it like any other problem out there, much like messing up exposing the correct firewall ports - fix the problem, set up monitoring to be alerted of any problems in the future and move on.
That's why having development/test/staging environments is really useful and in case you fear rate limits, Let's Encrypt also has a staging environment that you can use before switching over to prod: https://letsencrypt.org/docs/staging-environment/
Not only that, but there are a few web servers here and there that attempt to improve the situation with ensuring SSL/TLS, like Traefik. Personally, however, I've found Caddy to be the most painless, since with it I don't need to mess around with integrating certbot with Apache/Nginx, but instead can just use it, since it works out of the box for the most part: https://caddyserver.com/
Apart from that, you can always just expose a version without HTTPS on the server's ports locally, so that you can set up a tunnel through SSH and access it from your device in emergency situations (or just use a self-signed certificate for the "private" version).
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Project mention: Anyone try 327ing the Texas Hotline? | reddit.com/r/xkcd | 2021-09-03
Metasploit Framework
Project mention: OWASP Top 10 for Developers: Using Components with Known Vulnerabilities | dev.to | 2021-09-14
This is one of the most prevalent issues among the OWASP Top 10. The growing reliance on third-party components creates a risk if dependencies aren't kept up to date. There are numerous tools, such as the Metasploit Framework, available to attackers, that allow them to easily identify and exploit known vulnerabilities in applications and operating systems. In many cases, a patch has been released for these vulnerable applications, but the victim organization has been slow to update their dependencies. Additionally, developers may not thoroughly understand the nested dependencies of all of the libraries that are being used in an application.
An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
Project mention: How to write a code that activates upon entering specific keywords to prevent a section in Google search from showing up? | reddit.com/r/learnpython | 2021-09-17
You will need to write your own. Basically this is just a plug-in for https://mitmproxy.org/, which has a Python API for extending it.
List of Computer Science courses with video lectures.
Project mention: Learning path for Data Structures and Algorithms? | reddit.com/r/AskComputerScience | 2021-08-21
Here's a list of CS Video Courses you could look at. Here's the section on Data Structures/Algorithms
Set up a personal VPN in the cloud
Project mention: ExpressVPN CIO Helped United Arab of Emirates Hack Into Phones, Computers | reddit.com/r/tech | 2021-09-16
But if you know your way around GitHub projects maybe use Algo and Streisand in conjunction with most known protocols to set up your own. VPNs do not protect you, just hide your activity, which is something people confuse with each other. Depending on your needs a VPN might not be worth it at all.
Automatic SQL injection and database takeover tool
Project mention: TryHackMe- Juicy Details Room | dev.to | 2021-08-14
Q3) What endpoint was vulnerable to SQL injection? Solution: Line 550) ::ffff:192.168.10.5 - - [11/Apr/2021:09:29:14 +0000] "GET /rest/products/search?q=1 HTTP/1.1" 200 - "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.
Project mention: Arch user looking for a new desktop distro | reddit.com/r/FindMeADistro | 2021-09-18
If your accounts are precious and can't have a keylogger/malware then any distro, possibly a YubiKey or fingerprint, you may also want /etc/hosts based malware blocking cough cough and a secure browser with sandboxing like LibreWolf with an adblocker like uBlock Origin
Guide to securing and improving privacy on macOS
Project mention: Privacy tips for my first Apple device, MacBook Pro | reddit.com/r/thehatedone | 2021-07-06
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
Project mention: Don’t underestimate the value of a secure, seamless ‘forgot password’ flow | dev.to | 2021-09-16
The constant evolution of best practices. Best practices regarding SSPR workflows are constantly evolving - from manual reset to security questions to email reset to SMS workflows to passwordless logins. You should keep up with these changes to make sure your password reset process stays secure and up-to-date.
SQL powered operating system instrumentation, monitoring, and analytics.
Project mention: osquery 5 released. Some great new features. | reddit.com/r/blueteamsec | 2021-09-14
Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
Project mention: Well it's been sitting on my desk for years now | reddit.com/r/ProgrammerHumor | 2021-09-19
I use this one: https://github.com/hwdsl2/setup-ipsec-vpn
UNIX-like reverse engineering framework and command-line toolset
Project mention: That took a wild turn | reddit.com/r/ProgrammerHumor | 2021-04-15
True story: there is a project called Radare2 (or r2) which recently has been forked as Rizin. The reasons for the fork were many, but one of the things they changed was renaming occurrences in code of words like "anal", "sex", etc.
OpenZeppelin Contracts is a library for secure smart contract development.
Project mention: Has anyone built a dApp here? If so can you share what you built? Anyone want to build one together? | reddit.com/r/Python | 2021-09-20
I don't know a good DAO project off the top of my head, but if you've already read through the Solidity documentation, have a look at the OpenZeppelin contracts for some examples of this done well.
An evolving how-to guide for securing a Linux server.
Project mention: If I run my own Matrix Home server, what actions do I need to do such that it is secure? I'm no security expert. Do I need to monitor actively or can I just set it up and use it for the next few years? | reddit.com/r/matrixdotorg | 2021-07-28
Not a comprehensive guide by any means, but this might be a good starting place for you: link.
Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
Project mention: Harmony Crypto: Multi-process Encrypted SharedPreferences | reddit.com/r/androiddev | 2021-06-01
Also, given that Google used Tink for Encrypted SharedPreferences, I had to make some modifications there to allow proper usage of Harmony Crypto. The problem I ran into was that Tink used Android SharedPreference to store keys, but didn't allow for any SharedPreference object to be passed in, which meant that Tink was not process safe. That led to making this PR (https://github.com/google/tink/pull/493), but working around the problem for the meantime by creating custom classes within the Tink package space to be used in the Harmony Crypto project.
OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Compatible with MITREid.
Project mention: Simplest way to handle authentication WITHOUT a third party? Please any advice really helps | reddit.com/r/reactjs | 2021-07-27
Check this open-source OAuth server: https://github.com/ory/hydra
DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
Project mention: Creating Production-Ready Containers - The Basics | dev.to | 2021-06-03
There are many ways to slim a container, from basic security to fully automated open-source tools like DockerSlim. Full disclosure: I work for Slim.AI, a company founded on the DockerSlim open source project. Let's look at some of the common ways developers create production-ready container images today.
The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 networks reconnaissance and MITM attacks.
Project mention: Finding Vulnerabilities On WiFi Network | reddit.com/r/hacking | 2021-08-08
Bettercap/Ettercap are also powerful tools: https://www.bettercap.org/
Free cross-platform password manager compatible with KeePass
Project mention: Help me understand SSL/TLS | reddit.com/r/sysadmin | 2021-08-28
The Dockerfile for keeweb runs entrypoint.sh. You can read that script in the same GitHub repo. It generates DH parameters and a self-signed SSL certificate if those files don't already exist. Generating SSL certificates is not something that nginx does itself.
What are some of the best open-source Security projects? This list will help you:
| 21 | Lean and Mean Docker containers | 10,625 |