Top 23 Security Open-Source Projects
-
the-book-of-secret-knowledge
A collection of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools and more.
-
Awesome-Hacking
A collection of various awesome lists for hackers, pentesters and security researchers
-
-
PayloadsAllTheThings
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Project mention: PayloadsAllTheThings: Essential Payloads and Bypass for Web Security and CTFs | news.ycombinator.com | 2024-08-11
-
Sidecar containers: Google Cloud Run has a cool feature where you can run multiple containers next to each other. So for example, if you want to run Caddy or Traefik as a reverse proxy for your ingress container and then have both your web frontend container & backend api container co-located in the same service, you can do that & have everything be super low latency.
-
x64dbg
An open-source user mode debugger for Windows. Optimized for reverse engineering and malware analysis.
Several months have passed since the last part was posted. Maintainers of x64dbg have continued to improve its functionality. They also opened a task to update the development tools. So in this post, we will continue the analysis based on the code at commit f518e50 and, where possible, we'll compare it with commit 9785d1a, which is accurate at the time of writing.
-
mitmproxy
An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
Project mention: MitmProxy2Swagger: Automagically reverse-engineer REST APIs | news.ycombinator.com | 2025-01-02
Isn't that the point of mitmproxy? https://github.com/mitmproxy/mitmproxy
-
quivr
Opinionated RAG for integrating GenAI in your apps 🧠 Focus on your product rather than the RAG. Easy integration in existing products with customisation! Any LLM: GPT4, Groq, Llama. Any Vectorstore: PGVector, Faiss. Any Files. Anyway you want.
-
Project mention: Penetration Testing | Kali Linux | Metasploitable2 | Hands-on Cybersecurity Lab | dev.to | 2024-10-25
The Metasploit exploit module that we will use to exploit this vulnerability is exploit/multi/samba/usermap_script. You can find the source code and comments for this module at: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/samba/usermap_script.rb
-
SQL MAP, learning SQL
-
Project mention: Serverless VPN Self-hosted Be your own private on-demand VPN provider | news.ycombinator.com | 2024-12-06
-
CheatSheetSeries
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
Project mention: Preventing CSRF and XSS Attacks with JWT and Fingerprint Cookies in Express | dev.to | 2024-10-01
JSON Web Token for Java Cheat Sheet
-
-
hosts
🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.
Project mention: Show HN: A blocklist to remove spam and bad websites from search results | news.ycombinator.com | 2025-01-14
You could get a step closer to that and integrate it into your DNS: https://github.com/StevenBlack/hosts
The upside is that it would go beyond your browser to anything on your machine that makes a DNS request.
> Another great function (not for this plugin) should be the option to "bundle" all search results from the same domain. Stuff them under one collapsible entry.
That would be really cool. Just zip it up if you don't want to see that domain for that specific search.
-
-
Project mention: OpenZeppelin Contracts: Secure Smart Contract Development Made Easy | news.ycombinator.com | 2024-09-29
-
Keycloak GitHub Repository
-
trivy
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Trivy: security scanner for IaC and dependencies
-
Project mention: All-in-one OSINT tool for analysing any website | news.ycombinator.com | 2024-10-19
-
API-Security-Checklist
Checklist of the most important security countermeasures when designing, testing, and releasing your API
-
Project mention: Authelia: The Single Sign-On Multi-Factor portal for web apps | news.ycombinator.com | 2024-07-11
-
Project mention: SQL powered operating system instrumentation, monitoring, and analytics | news.ycombinator.com | 2024-09-10
-
keepassxc
KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
Project mention: Passkey marketing is lying to you (it's simple) | news.ycombinator.com | 2025-01-04
Oof, I found a whole ton of anti-open-source-software quotes on the related Github issue https://github.com/keepassxreboot/keepassxc/issues/10406 :
> When required, the authenticator must perform user verification (PIN, biometric, or some other unlock mechanism). If this is not possible, the authenticator should not handle the request.
> [A passkey provider certification process] is currently being defined and is almost complete.
> This implementation is not spec compliant and has the potential to be blocked by relying parties.
> Then you should require its use when passkeys are enabled ... [You may be blocked because] you have a passkey provider that is known to not be spec compliant.
> I suspect we'll see [biometrics] required by regulation in some geo-regions.
> I see a lot of misinformation and incorrect guesses about the intentions of various parties in the recent threads. If it would be helpful, I'm willing to have a [private, non-public] call with interested parties to try and answer some of the questions that have been raised to ensure we have a common technical understanding of FIDO/WebAuthn.
I felt reasonably positive about Passkeys while writing this blog post, but continuing to read the spec authors' insistence that only Big Tech may handle these problems is extremely worrying. I really want to like this feature, but the authors are acting like complete jerks and driving me away.
Security discussion
Security related posts
-
Who Needs Roles Anymore? Introducing OpenFGA, the Future of SaaS
-
Ask HN: How to keep Chinese crawlers from taking down my site?
-
Double-Keyed Caching: How Browser Cache Partitioning Changed the Web
-
Getting Started with Keycloak: Understanding the Basics
-
Show HN: Kate's App
-
10 Docker Security Best Practices
-
Zizmor – static analysis for GitHub Actions
-
A note from our sponsor - SaaSHub
www.saashub.com | 17 Jan 2025
Index
What are some of the best open-source Security projects? This list will help you:
# | Project | Stars |
---|---|---|
1 | the-book-of-secret-knowledge | 154,829 |
2 | Awesome-Hacking | 87,733 |
3 | cs-video-courses | 67,749 |
4 | PayloadsAllTheThings | 62,444 |
5 | Caddy | 60,497 |
6 | x64dbg | 45,191 |
7 | mitmproxy | 37,570 |
8 | quivr | 37,103 |
9 | Metasploit | 34,561 |
10 | SQLMap | 33,085 |
11 | algo | 29,131 |
12 | CheatSheetSeries | 28,591 |
13 | nginxconfig.io | 27,914 |
14 | hosts | 27,295 |
15 | setup-ipsec-vpn | 25,629 |
16 | openzeppelin-contracts | 25,195 |
17 | Keycloak | 24,701 |
18 | trivy | 24,333 |
19 | web-check | 23,075 |
20 | API-Security-Checklist | 22,568 |
21 | authelia | 22,287 |
22 | OSQuery | 22,145 |
23 | keepassxc | 21,843 |