Whether you call it shifting left, modern application security, or DevSecOps, integrating security testing throughout the software development and deployment pipeline is not a single project—it’s a continuing effort.
Open-source tools can help immensely. Not only are they a good way to get started, allowing companies and DevOps teams to gain experience in integrating security tooling into the pipeline, but they can help companies create the structure they need to incorporate security into development.
Shannon Lietz, team leader and director of DevSecOps at financial software and services firm Intuit, frequently evaluates open-source tools for use by the company’s estimated 4,500 developers. Open-source applications-security tools often are perfect for filling a niche, she said.
“The open-source community is really smart because, in terms of the capability that you can get from the tools, it’s a single-function gap that they are filling. But a lot of times they have limitations or only work in certain environments.”
Corresponding to the seven general steps of DevOps—design, develop, build, test, stage, deploy, and monitor—Lietz recommends seven security steps that should be integrated into the process:
Design: Attack mapping, or threat modeling
Develop: Code analysis, or static application security testing (SAST)
Build: Dependency checking, or software composition analysis (SCA)
Test: Artifact analysis
Stage: Degradation monitoring
Deploy: Security regression
Monitor: Adversary monitoring, or threat intelligence
Here are the top tools for each step in the DevSecOps pipeline. While these tools are not all strictly open source, every tool does have a free version that can be used.
1. Threat Modeling
OWASP Threat Dragon
Threat modeling should be the first security step, because it informs the design of the application and can give developers an idea of what security threats might affect their application. OWASP Threat Dragon is an open-source threat modeling tool that can be used through a web application or an installable version for the Windows, macOS, and Linux operating systems.
The downside of OWASP Threat Dragon is that the tool is hooked extensively into GitHub, so if you use a different repository system, you will likely have to find an alternate tool.
Microsoft Threat Modeling Tool
pytm: A Pythonic framework for threat modeling
2. Static Application Security Testing (SAST)
SonarQube is an open-source source-code analysis tool that has community-supported development, but also has paid tiers for companies. While OWASP maintains a list of source-code analysis tools, including many open-source projects, most tools only support a few, or a single, programming language, and many tools have not been well maintained.
SonarQube shines with its support for many languages—27, at last count—making it a strong common platform for companies to use for analysis. “There are often plugins for [your IDE] that are individual for specific languages, but I generally default to SonarQube, because it is multi-language, and I often end up in multi-language projects,” Lietz said.
Bandit: A security linter for Python that uses Abstract Syntax Trees (ASTs) to find flaws
Graudit: A simple static tool with more than 20 languages supported
3. Software Composition Analysis
OWASP Dependency Track
SonaType Nexus Open Source: The open-source SCA tool supporting a dozen different component ecosystems
4. Security Testing
While Threat Playbook is threat modeling software (see No. 1), the tool also turns threat models into code that can be used as security test cases to run in a continuous integration/continuous deployment (CI/CD) environment. The tool shines with its collaborative capabilities and is intended to plug into a DevOps software pipeline.
“Their model focuses on what your stories are, what your threat model is, and whether it has been tested,” Lietz said. “This is helping to figure out if you did all the work to build a component part or good set of component parts that work together.”
Arachni: Open-source framework for web application security scanning
Zed Attack Proxy (ZAP): The popular OWASP project for automated web application scanning
5. Degradation monitoring
Deepfence Threat Mapper Community Edition
When staging applications for testing, DevOps teams need to ensure that errors have not crept into their configuration files and infrastructure—that is, that they have not degraded. Threat Mapper helps by giving teams the ability to visualize their cloud infrastructure and provides vulnerability management for all infrastructure components. The software ties into Kubernetes to automate coverage.
Anchore Engine allows the inspection, analysis, and certification of container images
Clair: Static analysis of applications staged in Docker containers
6. Security regression
Faraday allows DevOps teams to move from threat models to a red-team approach to regression testing. Faraday manages testing by integrating with a variety of tools normally used in vulnerability assessments and penetration tests.
“Faraday has been out for a very long time, and red teamers really like it,” Lietz said. “They give you a lot of options to do more than security regression, but I would just use that one.”
ArcherySec: A well-known open-source tool for vulnerability assessment and management
DefectDojo: An OWASP project that allows automated vulnerability assessment and management
7. Adversary monitoring
Panther allows DevOps teams to analyze the logs of running applications to determine what attackers may be doing in real time. Like security information and event management (SIEM) systems used by analysts in security operations centers (SOCs), the software combines log data with indicators of compromise and threat intelligence to alert teams to potential attacks and compromises.
“It is tightly integrated with the cloud, so it is not like you are going to download this and work anywhere else than the cloud … although it’s tightly integrated with AWS,” Lietz said. “They give you the ability to build the notion of what could go wrong with your application and add a compliance view to that.”