Free AppSec Tools for Open Source (like Accumulo)


Free AppSec Tools for Open Source (like Accumulo)

Dave Wichers
I sent you some suggestions before, which inspired me to create this OWASP
page:
https://www.owasp.org/index.php/Free_for_Open_Source_Application_Security_Tools

Let me know what you think. Useful? Any suggested changes/additions?

I know you are using SpotBugs with the FindSecBugs plugin. Maybe you can
start using one of the Open Source Component Vulnerability Checking tools?
I know you didn't want to use Snyk because it wanted write access to your
GitHub repo to create pull requests. However, you can instead use their
Command Line Interface, which doesn't require write access AND the results
are kept private to you, which is ALSO important :-)  I'd love for your
team to give that a whirl and see if it works.

Let me know if you try to use any of these other tools and how well they
do/do not work for you. Happy to help if your team needs any.

I've never shown this to anyone else by the way. Your team is the first :-)

Thanks, Dave

Re: Free AppSec Tools for Open Source (like Accumulo)

Mike Miller-2
Hi Dave,

I ran the Snyk CLI tool on our two main branches a few weeks ago.  See attached for the results.

On Tue, Oct 23, 2018 at 5:15 PM Dave Wichers <[hidden email]> wrote:
> I sent you some suggestions before, which inspired me to create this OWASP
> page:
> https://www.owasp.org/index.php/Free_for_Open_Source_Application_Security_Tools
>
> Let me know what you think. Useful? Any suggested changes/additions?
>
> I know you are using SpotBugs with the FindSecBugs plugin. Maybe you can
> start using one of the Open Source Component Vulnerability Checking tools?
> I know you didn't want to use Snyk because it wanted write access to your
> GitHub repo to create pull requests. However, you can instead use their
> Command Line Interface, which doesn't require write access AND the results
> are kept private to you, which is ALSO important :-)  I'd love for your
> team to give that a whirl and see if it works.
>
> Let me know if you try to use any of these other tools and how well they
> do/do not work for you. Happy to help if your team needs any.
>
> I've never shown this to anyone else by the way. Your team is the first :-)
>
> Thanks, Dave

Attachments:
snyk-results-1.9.txt (66K)
snyk-results-2.0.txt (6K)
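The workflow Dave suggests and Mike describes above (run the Snyk CLI per branch instead of installing the GitHub app, keep the reports to yourself) as an added example; this is not code from the thread, from Accumulo or from Snyk. It assumes `snyk` is installed and already authenticated (`snyk auth <token>`), that `snyk test --json` prints an object with an "ok" flag and a "vulnerabilities" list whose items carry "id", "severity", "packageName", "version", "title" and "from", and that the branch names, output file names and the /tmp worktree path are placeholders. One caveat worth knowing before calling the results "private": the CLI still uploads the resolved dependency tree to Snyk's service to do the matching; what stays local is the report, and nothing is written to the repository.

```python
"""Run the Snyk CLI on several git branches and gate on the worst finding.

Added example, not Accumulo's or Snyk's own code. Assumes:
  * `snyk` is installed and already authenticated (`snyk auth <token>`);
  * `snyk test --json` prints an object with an "ok" flag and a
    "vulnerabilities" list whose items carry "id", "severity",
    "packageName", "version", "title" and "from";
  * the branch names and the /tmp worktree path below are placeholders.
"""
import json
import subprocess
import sys
from collections import Counter

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def summarize(report, threshold="high"):
    """Reduce one `snyk test --json` report to per-severity counts plus the
    distinct issues at or above `threshold`.

    Snyk lists a vulnerability once per dependency path that reaches it, so the
    same id can appear several times; the blocking list is de-duplicated on
    (id, package, version) so one bad transitive jar is counted once.
    """
    vulns = report.get("vulnerabilities", [])
    by_severity = Counter(v["severity"] for v in vulns)
    min_rank = SEVERITY_RANK[threshold]
    distinct = {
        (v["id"], v["packageName"], v["version"], v["severity"])
        for v in vulns
        if SEVERITY_RANK.get(v["severity"], 0) >= min_rank
    }
    blocking = sorted(distinct, key=lambda t: (-SEVERITY_RANK[t[3]], t[1], t[0]))
    return {"total": len(vulns), "by_severity": dict(by_severity), "blocking": blocking}


def run_snyk(branch, manifest="pom.xml"):
    """Check `branch` out into a throwaway worktree and run `snyk test` there.

    Nothing here needs write access to the remote: the CLI reads the manifest,
    sends the dependency tree to Snyk's API for matching and returns the
    report on stdout. Per Snyk's documented exit codes, 1 means
    "vulnerabilities found" and is not an error; 2 (failure) and
    3 (no supported project) are.
    """
    worktree = "/tmp/snyk-" + branch.replace("/", "_")  # placeholder location
    subprocess.run(["git", "worktree", "add", "--detach", worktree, branch], check=True)
    try:
        proc = subprocess.run(
            ["snyk", "test", "--file=" + manifest, "--json"],
            cwd=worktree, capture_output=True, text=True,
        )
        if proc.returncode not in (0, 1):
            raise RuntimeError("snyk failed on %s: %s" % (branch, proc.stderr.strip()))
        return json.loads(proc.stdout)
    finally:
        subprocess.run(["git", "worktree", "remove", "--force", worktree], check=True)


# Constructed sample in the shape of `snyk test --json`; not real Accumulo findings.
SAMPLE_REPORT = {
    "ok": False,
    "dependencyCount": 3,
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-1", "severity": "high", "packageName": "org.example:lib-a",
         "version": "1.0", "title": "Deserialization of Untrusted Data",
         "from": ["app@1", "org.example:lib-a@1.0"]},
        {"id": "SNYK-EXAMPLE-1", "severity": "high", "packageName": "org.example:lib-a",
         "version": "1.0", "title": "Deserialization of Untrusted Data",
         "from": ["app@1", "org.example:lib-b@2.0", "org.example:lib-a@1.0"]},
        {"id": "SNYK-EXAMPLE-2", "severity": "medium", "packageName": "org.example:lib-b",
         "version": "2.0", "title": "Denial of Service (DoS)",
         "from": ["app@1", "org.example:lib-b@2.0"]},
        {"id": "SNYK-EXAMPLE-3", "severity": "low", "packageName": "org.example:lib-c",
         "version": "0.9", "title": "Information Exposure",
         "from": ["app@1", "org.example:lib-c@0.9"]},
    ],
}


def main(branches, threshold="high"):
    """Scan each branch, keep the raw report locally, exit 1 if anything blocks."""
    failed = False
    for branch in branches:
        report = run_snyk(branch)
        with open("snyk-results-%s.json" % branch.replace("/", "_"), "w") as fh:
            json.dump(report, fh, indent=2)  # stays on your disk, not in the repo
        summary = summarize(report, threshold)
        print(branch, summary["by_severity"])
        for issue_id, pkg, ver, sev in summary["blocking"]:
            print("  %-8s %s@%s  %s" % (sev, pkg, ver, issue_id))
            failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:] or ["1.9", "2.0"]))
```

Run it as `python snyk_branches.py 1.9 2.0` from a clone that has both branches; the de-duplication in `summarize` matters on a Maven tree, where one vulnerable transitive artifact is typically reported once for every path that pulls it in and would otherwise inflate the counts.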

Re: Free AppSec Tools for Open Source (like Accumulo)

Dave Wichers
Has anyone tried to use any additional tools since I sent this out? If so,
let me know how it goes. Another cloud service I just ran across, which I
just added to this page is:

LGTM: https://lgtm.com/help/lgtm/about-lgtm

Apparently you can set it up to monitor the main branch of your project and
it will do security analysis on each commit. Not sure if it will go back
and analyze ALL the code as an initial first step or not.  Anyway, thought
it might be a useful service to set up to monitor the open source projects
you are working on.

-Dave


On Tue, Oct 23, 2018 at 5:14 PM Dave Wichers <[hidden email]> wrote:

> I sent you some suggestions before, which inspired me to create this OWASP
> page:
> https://www.owasp.org/index.php/Free_for_Open_Source_Application_Security_Tools
>
> Let me know what you think. Useful? Any suggested changes/additions?
>
> I know you are using SpotBugs with the FindSecBugs plugin. Maybe you can
> start using one of the Open Source Component Vulnerability Checking tools?
> I know you didn't want to use Snyk because it wanted write access to your
> GitHub repo to create pull requests. However, you can instead use their
> Command Line Interface, which doesn't require write access AND the results
> are kept private to you, which is ALSO important :-)  I'd love for your
> team to give that a whirl and see if it works.
>
> Let me know if you try to use any of these other tools and how well they
> do/do not work for you. Happy to help if your team needs any.
>
> I've never shown this to anyone else by the way. Your team is the first :-)
>
> Thanks, Dave