security.md

Security

Security is banging!

• Education
  • Secure Development Processes
  • Awareness of Security Risks
  • Vulnerable Target Testing
• Tools and Resources
  • Application Testing Tools
    • SAST (Static Application Security Testing)
    • DAST (Dynamic Application Security Testing)
    • IAST (Interactive Application Security Testing)
  • Kubernetes Tools
  • Infrastructure Tools
• Awesome Lists

Education

Secure Development Processes

• OWASP secure coding practices
• Go-SCP - Golang specific secure coding practices

Awareness of Security Risks

• OWASP Top 10 - Top 10 security risks from OWASP 2017

Vulnerable Target Testing

• Metasploitable - Vulnerable Linux image for testing
• NodeGoat - Vulnerable NodeJS app for testing

Tools and Resources

Application Testing Tools

SAST (Static Application Security Testing)

SAST tools analyse source code to look for security issues in an application during non-running state, and are supported by a large number of languages. They usually have quite a high false positive rate, due to the fact they cannot track data through an app, instead using a bit of guesswork to determine if flaws exist.

• Snyk - Dependency scanning, JS and Go
• auditjs - Dependency scanning, JS
• clair - Container vulnerability scanning, Docker
• Container Registry - Container vulnerability scanning, Docker
• Github Security Alerts - Dependency scanning, multiple languages
• gosec - Golang
• NodeJsScan - JS

DAST (Dynamic Application Security Testing)

DAST tools run automated penetration testing scans against a running service as a blackbox. It tries to hack into the service using well known vulnerabilities, however scans can take a while due to the vast number, as well as crawling services to find all the endpoints.

• OWASP ZAP

IAST (Interactive Application Security Testing)

IAST tools run security tests while the application is in use in production, working by using instrumentation. They have much lower false positive rates as they analyse real data running through the system, and provide immediate feedback.

• None we've tried yet

Kubernetes Tools

• Kubesec.io - Quantifies risk for Kubernetes resources
• Sysdig Falco - Container runtime security, alerts to potential security risks using defined rules

Infrastructure Tools

• OpenVAS - Vulnerability scanner of servers, internally and externally
• Gauntlt - BDD-style vulnerability tester using multiple tools, good for regression testing
• OWASP OWTF - Penetration testing tool
• Forseti Security - Google Cloud Platform specific security scanner
• John the Ripper - Password cracking tool
• Sysdig Inspect - Capturing and analysis of kernel level instrumentation

## Other Tooling

• Social Engineering Toolkit
• Kali Linux - SecOps Linux OS with multiple tools available for use

Awesome Lists

• Awesome DevSecOps
• Awesome Static Analysis
• Awesome Kubernetes