README
Why collect the tools?
A large share of the time spent applying DevSecOps goes into searching for, comparing, and deciding on tools. This list is meant to cut that time so you can pick a tool for each stage and put it to work quickly 😎
List of Tools
Type | Name | Description |
---|---|---|
Planning/Governance/Assessment | Sammwise | Tooling for the OWASP Software Assurance Maturity Model (SAMM), whose mission is to be the prime maturity model for software assurance: an effective and measurable way for organizations of any type to analyze and improve their software security posture. |
Build/SAST/DAST/SCA | Snyk | Snyk (pronounced "sneak") is a developer security platform for securing code, dependencies, containers, and infrastructure as code. |
Build/Behavior Analysis & Machine Learning/Security Applications | Lacework | Data-driven security platform for the cloud. Its Polygraph engine collects, analyzes and correlates activity data across an organization's AWS, Azure, GCP and Kubernetes environments and narrows it down to the handful of security events that matter. |
Build/SAST/DAST/SCA | Veracode | Helps organizations reduce the risk of a security breach through comprehensive application analysis, developer enablement, and AppSec governance. |
Build/SAST | Checkmarx | Accurate, flexible automated scanning of uncompiled source code, identifying hundreds of classes of potential security vulnerabilities in the most common languages and frameworks. |
Training Platform | Secure Code Warrior | Makes secure coding a positive and engaging experience for developers as they build up their software security skills. |
Training Platform | SecureFlag | Hands-on secure coding training for enterprises: developers learn at their own pace with up-to-date examples and practical exercises that raise their competency. |
DAST/XDR/SIEM | Rapid7 | The Rapid7 Insight Platform collects data from across your environment so teams can manage vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and automate operations. |
CNAPP/CSPM | Palo Alto Prisma Cloud | Uses cloud service provider APIs for visibility and control over public cloud environments and extends security to hosts, containers and serverless functions with a single unified agent framework; supports hybrid and multi-cloud environments. |
RBVM/ASOC | ARMada | RiskSense provides vulnerability management and remediation prioritization to measure and control cybersecurity risk; its cloud-based platform delivers Risk-Based Vulnerability Management and Application Security Orchestration and Correlation. |
Build/SAST | SonarQube | Open-source platform for continuous inspection of code quality: automated static analysis that detects bugs, code smells, and security vulnerabilities in 20+ programming languages. |
Build/SCA | Dependabot | Fixes vulnerable dependencies for you by raising pull requests with security updates. |
Build/SAST | TruffleHog | Searches git repositories for high-entropy strings and secrets, digging deep into commit history. |
Build/SAST | codeql | CodeQL, GitHub's semantic code analysis engine: the code base is compiled into a queryable database and vulnerabilities are found by running queries against it. |
Build/SAST | semgrep | Lightweight static analysis for many languages; find bug variants with patterns that look like source code. |
Build/SAST | sonarcloud-github-action | Integrates SonarCloud code analysis into GitHub Actions. |
Build/SECRET-MANAGE | kamus | Open-source, GitOps, zero-trust secret encryption and decryption solution for Kubernetes applications. |
Build/SECRET-MANAGE | secrets-sync-action | A GitHub Action that syncs secrets from one repository to many others. |
Build/SECRET-MANAGE | vault-action | A GitHub Action that simplifies using HashiCorp Vault secrets as build variables. |
Design/THREAT | owasp-threat-dragon-desktop | Installable desktop variant of OWASP Threat Dragon. |
Design/THREAT | pytm | A Pythonic framework for threat modeling. |
Design/THREAT | seasponge | SeaSponge is an accessible threat modelling tool from Mozilla. |
Design/THREAT | threagile | Agile threat modeling toolkit. |
Operate and Monitor/COMPONENT-ANALYSIS | dependency-track | Component analysis platform that lets organizations identify and reduce risk in the software supply chain. |
Operate and Monitor/K8S | kube-hunter | Hunts for security weaknesses in Kubernetes clusters. |
Test/DAST | action-baseline | A GitHub Action for running the OWASP ZAP baseline scan. |
Test/DAST | action-dalfox | XSS scanning with Dalfox in GitHub Actions. |
Test/DAST | action-full-scan | A GitHub Action for running the OWASP ZAP full scan. |
Test/DAST | zaproxy | The OWASP ZAP core project. |
Test/PENTEST | faraday | Collaborative penetration test and vulnerability management platform. |
Test/PENTEST | metasploit-framework | Metasploit Framework, for developing, testing and executing exploit code. |
Test/PENTEST | monkey | Infection Monkey, an automated pentest tool. |
Test/PENTEST | ptf | The Penetration Testers Framework (PTF): modular support for keeping up-to-date pentest tools installed. |
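The TruffleHog entry above mentions "high entropy strings", which is the heuristic behind classic secret scanning. As an added illustration (this is not TruffleHog's code, nor part of the tool list), the following script implements that heuristic: tokenize each line into base64-like and hex-like runs, compute Shannon entropy per character, and flag tokens above an alphabet-specific threshold. The regexes, thresholds, minimum token length and the sample file are assumptions made for this example.

```python
"""Added example (not TruffleHog's code): the high-entropy string heuristic
that secret scanners use to flag candidate credentials in source files and
git history. Regexes, thresholds and the sample input are assumptions."""
import math
import re
from collections import Counter

# Token classes typical of encoded secrets: base64-like and hex-like runs of
# at least 20 characters (the minimum length is an assumption).
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_TOKEN = re.compile(r"[0-9a-fA-F]{20,}")

# Thresholds in bits per character. A 64-symbol alphabet can reach 6 bits,
# a 16-symbol one only 4, so the base64 bar is set higher than the hex bar.
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0


def shannon_entropy(data: str) -> float:
    """Shannon entropy of the string in bits per character."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_high_entropy_strings(text: str) -> list[tuple[int, str, float]]:
    """Return (line_number, token, entropy) for every token above threshold.

    Each line is scanned twice, once per alphabet. A hex token that sits
    inside an already-flagged base64 token is skipped so one secret is
    reported once rather than twice.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        flagged = []
        for token in BASE64_TOKEN.findall(line):
            ent = shannon_entropy(token)
            if ent > BASE64_THRESHOLD:
                flagged.append(token)
                findings.append((lineno, token, round(ent, 2)))
        for token in HEX_TOKEN.findall(line):
            if any(token in f for f in flagged):
                continue
            ent = shannon_entropy(token)
            if ent > HEX_THRESHOLD:
                findings.append((lineno, token, round(ent, 2)))
    return findings


# Constructed sample "config file". Line 2 is the AWS documentation example
# secret key; line 3 is SHA-256 of the empty string, a hash rather than a
# secret, which the heuristic flags anyway (the classic false positive).
# Lines 1, 4 and 5 are negatives: too short, broken up by punctuation, and
# long but with zero entropy.
SAMPLE_FILE = """\
db_password = "hunter2"
aws_secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
checksum = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
url = "https://example.com/api/v1/items"
padding = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for lineno, token, ent in find_high_entropy_strings(SAMPLE_FILE):
        print(f"line {lineno}: {ent:.2f} bits/char: {token}")
```

Running it reports both line 2 and line 3, which is the caveat a practitioner should take from the TruffleHog entry: a real key and a checksum look alike to an entropy check, so entropy hits are candidates to verify, not confirmed leaks. Current TruffleHog releases pair pattern-based detectors with live verification of the credential for exactly that reason, and a pipeline that fails the build on raw entropy hits alone will drown in hashes and test fixtures.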
Want to contribute?
Please read the Contributing document!