Awesome Open-Source Developer Security Tools

⭐ Star us on GitHub

List of awesome open-source developer security tools. Maintained by BoxyHQ, and heavily inspired by MVSP.

It includes security principles and controls relevant to popular compliance certifications (like ISO27001, SOC2, MVSP, etc.). Also check this list of popular compliance frameworks and certifications

Interested in the future of developer security? Join our Discord community to share and collaborate.

We’d love your feedback and contributions to this list. Please submit a GitHub issue or PR.

Business controls
Control	Description	Compliance Controls	Tools
Vulnerability Reports	Publish the point of contact for security reports on your website Respond to security reports within a reasonable time frame	MVSP 1.1 ISO 27001 A.12.6.1 SOC2 CC7.1
Customer Testing	On request, enable your customers or their delegates to test the security of your application Test on a non-production environment if it closely resembles the production environment in functionality Ensure non-production environments do not contain production data	MVSP 1.2 ISO 27001 A.12.6.1 SOC2 CC7.1
External Testing	Contract a security vendor to perform annual, comprehensive penetration tests on your systems	MVSP 1.4 ISO 27001 A.12.6.1 SOC2 CC7.1
Training	Implement role-specific security training for your personnel that is relevant to their business function	MVSP 1.5 ISO 27001 A.7.2.2 SOC2 CC2.2
Compliance	Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18 Comply with local laws and regulations in jurisdictions applicable to your company and your customers, such as GDPR, Binding Corporate Rules, and Standard Contractual Clauses	MVSP 1.6 ISO 27001 SOC2	Deepfence ThreatMapper Steampipe Compliance Mods
Incident Management	Notify your customers about a breach without undue delay, no later than 72 hours upon discovery Include the following information in the notification: Relevant point of contact Preliminary technical analysis of the breach Remediation plan with reasonable timelines	MVSP 1.7 ISO 27001 A.16.1 SOC2 CC7.3
Application Design Controls
Control	Description	Compliance Controls	Tools
Single Sign-On	Implement single sign-on using modern and industry standard protocols	MVSP 2.1 ISO 27001 A.9.4.2 SOC2 CC6.1	BoxyHQ SAML Jackson
Access Control	Implement strict access control in your application guarding resources as needed Allow easy provisioning and de-provisioning of users	ISO 27001 A.9.1.1, A.9.2.1 SOC2 CC6.1	Aserto BoxyHQ Directory Sync Casbin Cerbos Keto Oso
HTTPS-Only	Redirect traffic from HTTP protocol (port 80) to HTTPS (port 443) Produce a clear scan using a widely adopted TLS scanning tool Include the Strict-Transport-Security header on all pages with the includeSubdomains directive	MVSP 2.2 ISO 27001 A.10.1.1 SOC2 CC6.7	Steampipe Net Plugin testssl.sh
Dependency Patching	Apply security patches with a severity score of "medium" or higher, or ensure equivalent mitigations are available for all components of the application stack within one month of the patch release	MVSP 2.6 ISO 27001 A.12.6.1 SOC2 CC7.1	OWASP Dependency Check OWASP Dependency Track
Logging	Keep logs of: Users logging in and out Read, write, delete operations on application and system users and objects Security settings changes (including disabling logging) Application owner access to customer data (access transparency) Logs must include user ID, IP address, valid timestamp, type of action performed, and object of this action. Logs must be stored for at least 30 days, and should not contain sensitive data or payloads.	MVSP 2.7 ISO 27001 A.12.4.1 SOC2 CC7.2	BoxyHQ Audit Logs ELK Stack FluentD Steampipe
Backup and Disaster Recovery	Securely back up all data to a different location than where the application is running Maintain and periodically test disaster recovery plans Periodically test backup restoration	MVSP 2.8 ISO 27001 A.17.1 SOC2 A1.3
Encryption	Use available means of encryption to protect sensitive data in transit between systems and at rest in online data storages and backups	MVSP 2.9 ISO 27001 A.10.1 SOC2 CC6.1 GDPR HIPAA	BoxyHQ Privacy Vault (coming soon)
Application Implementation Controls
Control	Description	Compliance controls	Tools
List of Sensitive Data	Maintain a list of sensitive data types that the application is expected to process	MVSP 3.1 ISO 27001 A.10.1 SOC2 CC6.1 GDPR HIPAA	BoxyHQ Privacy Vault (coming soon) Bearer
Data Flow Diagram	Maintain an up-to-date diagram indicating how sensitive data reaches your systems and where it ends up being stored	MVSP 3.2 ISO 27001 A.10.1 SOC2 CC6.1 GDPR HIPAA	BoxyHQ Privacy Vault (coming soon)
Vulnerability Prevention	Train your developers and implement development guidelines to prevent at least the following vulnerabilities: Authorization bypass Insecure session ID Injections Cross-site scripting Cross-site request forgery Use of vulnerable libraries	MVSP 3.3 ISO 27001 A.12.6.1 SOC2 CC7.1	OWASP Top Ten OWASP Zap Steampipe Net Insights mod Wapiti Scanner Bearer
Infrastructure and Cloud Security	Perform audits, continuous monitoring, hardening and forensics readiness for your infrastructure and cloud assets.	ISO 27001 A.12.6.1 SOC2 CC7.1	AirIAM Cloudsploit Deepfence ThreatMapper Kubesec Kubernetes security Prowler for AWS Steampipe Compliance & Security mods Trivy container scanner
Code Security
Control	Description	Compliance controls	Tools
Data Leakage Prevention	Protect secrets from leaking into code, logs and unwanted systems.	ISO 27001 A.12.6.1 SOC2 CC7.1	GitGuardian Gitleaks Steampipe Code Plugin Bearer
Zero Trust Principles	Keep data encrypted from end-to-end and have no listening ports for malware/ransomeware to spread etc.	NIST Special Publication 800-207	OpenZiti (numerous SDKs)