From b94996e470b2dd856af28e28c16812b90b6654c8 Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Fri, 24 May 2019 15:43:48 -0300 Subject: [PATCH 01/19] new section --- README.md | 42 +++++++++++++++++++++++++++--- data/elixir/sast/0001-credo.json | 7 +++++ data/elixir/sast/0002-sobelow.json | 7 +++++ 3 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 data/elixir/sast/0001-credo.json create mode 100644 data/elixir/sast/0002-sobelow.json diff --git a/README.md b/README.md index 77351ff..d33f33c 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,7 @@ from reading [A Gentle Introduction to Application Security](https://paragonie.c * [Juice Shop](#juice-shop) * [Supercar Showdown](#supercar-showdown) * [OWASP NodeGoat](#owasp-nodegoat) + * [OWASP ServerlessGoat](#owasp-serverlessgoat) * [Blogs](#blogs) * [Crypto Fails](#crypto-fails) * [NCC Group - Blog](#ncc-group-blog) 
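Review bot: the commit subject "new section" does not say which section, and the diffstat shows this patch bundling three unrelated changes (the ServerlessGoat TOC entry, a new AWS Lambda section, and a new Elixir section plus its two data files). Split them, or at least name them in the subject, so that the per-file history in data/ stays meaningful.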
@@ -73,13 +74,16 @@ from reading [A Gentle Introduction to Application Security](https://paragonie.c * [Qualys SSL Labs](#qualys-ssl-labs) * [securityheaders.io](#securityheaders-io) * [report-uri.io](#report-uri-io) + * [AWS Lambda](#aws-lambda) + * [Tools](#tools-1) + * [PureSec FunctionShield](#puresec-functionshield) * [Android](#android) * [Books and ebooks](#books-and-ebooks) * [SEI CERT Android Secure Coding Standard](#sei-cert-android-secure-coding-standard-2015) (2015) * [C](#c) * [Books and ebooks](#books-and-ebooks-1) * [SEI CERT C Coding Standard](#sei-cert-c-coding-standard-2006) (2006) - * [Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team](#defensive-coding-a-guide-to-improving-software-security-by-the-fedora-security-team-2018) (2018) + * [Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team](#defensive-coding-a-guide-to-improving-software-security-by-the-fedora-security-team-2019) (2019) * [C++](#c-1) * [Books and ebooks](#books-and-ebooks-2) * [SEI CERT C++ Coding Standard](#sei-cert-c-coding-standard-2006-1) (2006) @@ -144,6 +148,10 @@ from reading [A Gentle Introduction to Application Security](https://paragonie.c * [Ruby](#ruby) * [Books and ebooks](#books-and-ebooks-9) * [Secure Ruby Development Guide](#secure-ruby-development-guide-2014) (2014) + * [Elixir](#elixir) + * [Sast](#sast) + * [rrrene/credo](#rrrenecredo-2015) (2015) + * [nccgroup/sobelow](#nccgroupsobelow-2017) (2017) # General 
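Review bot: the new Elixir sub-heading is spelled "Sast" (TOC line `* [Sast](#sast)`), which is an acronym and should be "SAST", or better the spelled-out form the rest of the list uses for tool groupings; the `#tools-1` anchor for the AWS Lambda section also assumes exactly one earlier "Tools" heading in the README, so verify it resolves after the insert.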
@@ -366,6 +374,10 @@ How to go on the offence before online attackers do. Purposly vulnerable to the OWASP Top 10 Node.JS web application, with [tutorials](https://nodegoat.herokuapp.com/tutorial), [security regression testing with the OWASP Zap API](https://github.com/OWASP/NodeGoat/wiki/NodeGoat-Security-Regression-tests-with-ZAP-API), [docker image](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker). With several options to get up and running fast. +### [OWASP ServerlessGoat](https://www.owasp.org/index.php/OWASP_Serverless_Goat) + +OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP and created by [PureSec](https://www.puresec.io/). You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices. + ### Blogs #### [Crypto Fails](http://cryptofails.com) @@ -406,6 +418,14 @@ Quickly and easily assess the security of your HTTP response headers. A free CSP and HPKP reporting service. +# AWS Lambda + +## Tools + +### [PureSec FunctionShield](https://www.puresec.io/function-shield) + +FunctionShield is a 100% free AWS Lambda security and Google Cloud Functions security library that equips developers with the ability to easily enforce strict security controls on serverless runtimes. + # Android ## Books and ebooks 
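Review bot: the ServerlessGoat paragraph says "You can install WebGoat, learn about the vulnerabilities"; this is a copy-paste from the WebGoat description and should read ServerlessGoat. In the same region, the FunctionShield entry is vendor copy ("100% free ... equips developers with the ability to easily enforce strict security controls") and, unlike the other tool entries, has no **Released** line; a neutral one-sentence description of what the library does (a runtime control library for Lambda and Cloud Functions) plus the date would match the list's house style. The unchanged context line above still carries the typo "Purposly" (purposely), worth fixing while this area is being edited.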
@@ -426,9 +446,9 @@ A community-maintained Wiki detailing secure coding standards for Android develo A community-maintained Wiki detailing secure coding standards for C programming. -### [Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team](https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/index.html) (2018) +### [Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team](https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/index.html) (2019) -**Released**: July 30, 2018 +**Released**: May 24, 2019 Provides guidelines for improving software security through secure coding. Covers common programming languages and libraries, and focuses on concrete recommendations. @@ -675,3 +695,19 @@ A wiki maintained by the OWASP Python Security project. **Released**: March 10, 2014 A guide to secure Ruby development by the Fedora Security Team. Also available on [Github](https://github.com/jrusnack/secure-ruby-development-guide). + +# Elixir + +## Sast + +### [rrrene/credo](https://github.com/rrrene/credo) (2015) + +**Released**: November 24, 2015 + +Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency. + +### [nccgroup/sobelow](https://github.com/nccgroup/sobelow) (2017) + +**Released**: May 12, 2017 + +Security-focused static analysis for the Phoenix framework. diff --git a/data/elixir/sast/0001-credo.json b/data/elixir/sast/0001-credo.json new file mode 100644 index 0000000..4d8effc --- /dev/null +++ b/data/elixir/sast/0001-credo.json @@ -0,0 +1,7 @@ +{ + "date": "2015-11-24", + "free": true, + "name": "rrrene/credo", + "remark": "Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.", + "url": "https://github.com/rrrene/credo" +} 
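Review bot: the Fedora Defensive Coding entry is changed to `**Released**: May 24, 2019`, which is the date of this commit (Fri, 24 May 2019), not the guide's publication date, and the corresponding data file `data/C/books-and-ebooks/0002-fedora-defensive-coding.json` still says `"date": "2012"`, so README and data now disagree. Use the guide's original publication date in both places. Separately, credo's own remark ("a focus on teaching and code consistency") describes a style linter rather than a security scanner; if it stays under the security-analysis heading, say what security-relevant checks it contributes.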
diff --git a/data/elixir/sast/0002-sobelow.json b/data/elixir/sast/0002-sobelow.json new file mode 100644 index 0000000..ca94311 --- /dev/null +++ b/data/elixir/sast/0002-sobelow.json @@ -0,0 +1,7 @@ +{ + "date": "2017-05-12", + "free": true, + "name": "nccgroup/sobelow", + "remark": "Security-focused static analysis for the Phoenix framework.", + "url": "https://github.com/nccgroup/sobelow" +} From ef44f23de24be374ef824c9f2dd266e5bc810af1 Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Fri, 24 May 2019 15:49:10 -0300 Subject: [PATCH 02/19] Example (#52) --- README.md | 6 +++--- data/C/books-and-ebooks/0002-fedora-defensive-coding.json | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index d33f33c..c5ac292 100644 --- a/README.md +++ b/README.md @@ -83,7 +83,7 @@ from reading [A Gentle Introduction to Application Security](https://paragonie.c * [C](#c) * [Books and ebooks](#books-and-ebooks-1) * [SEI CERT C Coding Standard](#sei-cert-c-coding-standard-2006) (2006) - * [Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team](#defensive-coding-a-guide-to-improving-software-security-by-the-fedora-security-team-2019) (2019) + * [Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team](#defensive-coding-a-guide-to-improving-software-security-by-the-fedora-security-team-2013) (2013) * [C++](#c-1) * [Books and ebooks](#books-and-ebooks-2) * [SEI CERT C++ Coding Standard](#sei-cert-c-coding-standard-2006-1) (2006) 
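Review bot: the subject of 02/19, "Example (#52)", does not describe the change, which is a correction of the Fedora guide's date from 2019 to 2013 in the TOC and the data file; a subject such as "fedora defensive coding: use original publication date (#52)" would make the history searchable.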
@@ -446,9 +446,9 @@ A community-maintained Wiki detailing secure coding standards for Android develo A community-maintained Wiki detailing secure coding standards for C programming. -### [Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team](https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/index.html) (2019) +### [Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team](https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/index.html) (2013) -**Released**: May 24, 2019 +**Released**: March 1, 2013 Provides guidelines for improving software security through secure coding. Covers common programming languages and libraries, and focuses on concrete recommendations. diff --git a/data/C/books-and-ebooks/0002-fedora-defensive-coding.json b/data/C/books-and-ebooks/0002-fedora-defensive-coding.json index 350c65e..fbab311 100644 --- a/data/C/books-and-ebooks/0002-fedora-defensive-coding.json +++ b/data/C/books-and-ebooks/0002-fedora-defensive-coding.json @@ -1,7 +1,7 @@ { - "date": "2012", + "date": "2013-03", "free": true, "name": "Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team", "remark": "Provides guidelines for improving software security through secure coding. Covers common programming languages and libraries, and focuses on concrete recommendations.", "url": "https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/index.html" -} \ No newline at end of file +} From b8dfadc9b2f7405d3ad6ae78d737f32b039e3c33 Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Fri, 24 May 2019 15:50:29 -0300 Subject: [PATCH 03/19] #52 - Using date from the initial publication --- README.md | 2 +- data/C/books-and-ebooks/0002-fedora-defensive-coding.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c5ac292..2aa062c 100644 --- a/README.md +++ b/README.md 
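Review bot: the README line `**Released**: March 1, 2013` states a day that the data file does not support, since the JSON is changed to `"date": "2013-03"` (month precision only). Keep the two at the same granularity, either "March 2013" in the README or a full `YYYY-MM-DD` in the JSON, so the README can be regenerated from data/ without a manual edit. The trailing-newline fix on the JSON is fine.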
@@ -448,7 +448,7 @@ A community-maintained Wiki detailing secure coding standards for C programming. ### [Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team](https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/index.html) (2013) -**Released**: March 1, 2013 +**Released**: March 7, 2013 Provides guidelines for improving software security through secure coding. Covers common programming languages and libraries, and focuses on concrete recommendations. diff --git a/data/C/books-and-ebooks/0002-fedora-defensive-coding.json b/data/C/books-and-ebooks/0002-fedora-defensive-coding.json index fbab311..dec5b7b 100644 --- a/data/C/books-and-ebooks/0002-fedora-defensive-coding.json +++ b/data/C/books-and-ebooks/0002-fedora-defensive-coding.json @@ -1,5 +1,5 @@ { - "date": "2013-03", + "date": "2013-03-07", "free": true, "name": "Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team", "remark": "Provides guidelines for improving software security through secure coding. Covers common programming languages and libraries, and focuses on concrete recommendations.", From 557450e6f2b5ebd2dbe5c3ffd93b3ef416d56615 Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Fri, 24 May 2019 16:03:44 -0300 Subject: [PATCH 04/19] renamed --- README.md | 4 ++-- data/elixir/{sast => source-code-analysis}/0001-credo.json | 0 data/elixir/{sast => source-code-analysis}/0002-sobelow.json | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename data/elixir/{sast => source-code-analysis}/0001-credo.json (100%) rename data/elixir/{sast => source-code-analysis}/0002-sobelow.json (100%) diff --git a/README.md b/README.md index 2aa062c..48cc7d9 100644 --- a/README.md +++ b/README.md 
@@ -149,7 +149,7 @@ from reading [A Gentle Introduction to Application Security](https://paragonie.c * [Books and ebooks](#books-and-ebooks-9) * [Secure Ruby Development Guide](#secure-ruby-development-guide-2014) (2014) * [Elixir](#elixir) - * [Sast](#sast) + * [Source code analysis](#source-code-analysis) * [rrrene/credo](#rrrenecredo-2015) (2015) * [nccgroup/sobelow](#nccgroupsobelow-2017) (2017) @@ -698,7 +698,7 @@ A guide to secure Ruby development by the Fedora Security Team. Also available o # Elixir -## Sast +## Source code analysis ### [rrrene/credo](https://github.com/rrrene/credo) (2015) diff --git a/data/elixir/sast/0001-credo.json b/data/elixir/source-code-analysis/0001-credo.json similarity index 100% rename from data/elixir/sast/0001-credo.json rename to data/elixir/source-code-analysis/0001-credo.json diff --git a/data/elixir/sast/0002-sobelow.json b/data/elixir/source-code-analysis/0002-sobelow.json similarity index 100% rename from data/elixir/sast/0002-sobelow.json rename to data/elixir/source-code-analysis/0002-sobelow.json From aa7e0ff40b76c1cc925b35b4d8621ada837d5ed5 Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Fri, 24 May 2019 16:45:57 -0300 Subject: [PATCH 05/19] python - new section --- data/Python/source-code-analysis/0001-bandit.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 data/Python/source-code-analysis/0001-bandit.json diff --git a/data/Python/source-code-analysis/0001-bandit.json b/data/Python/source-code-analysis/0001-bandit.json new file mode 100644 index 0000000..1731fe1 --- /dev/null +++ b/data/Python/source-code-analysis/0001-bandit.json @@ -0,0 +1,7 @@ +{ + "date": "2015-02-17", + "free": true, + "name": "PyCQA/bandit", + "remark": "Bandit is a tool designed to find common security issues in Python code.", + "url": "https://github.com/PyCQA/bandit" +} From 73b0884201c0954cc2ee0ba3fe38cea7a6bdff5e Mon Sep 17 00:00:00 2001 
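Review bot: 05/19 adds `data/Python/source-code-analysis/0001-bandit.json` but does not touch README.md, so at this commit the data directory and the rendered list diverge (the README entry only appears in 06/19); if the README is generated from data/, regenerate it in the same commit, otherwise add the README hunk here. Also note the directory casing: `data/Python/` is capitalized while the Elixir entries from 01/19 and 04/19 live under lowercase `data/elixir/`, which will bite on case-sensitive filesystems and in any generator that maps directory names to headings.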
From: 4chm3d Date: Fri, 24 May 2019 16:48:19 -0300 Subject: [PATCH 06/19] ruby - new section --- README.md | 36 ++++++++++++++++++- .../source-code-analysis/0001-rubocop.json | 7 ++++ .../source-code-analysis/0002-brakeman.json | 7 ++++ .../0003-bundler-audit.json | 7 ++++ 4 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 data/Ruby/source-code-analysis/0001-rubocop.json create mode 100644 data/Ruby/source-code-analysis/0002-brakeman.json create mode 100644 data/Ruby/source-code-analysis/0003-bundler-audit.json diff --git a/README.md b/README.md index 48cc7d9..49a2162 100644 --- a/README.md +++ b/README.md @@ -143,13 +143,19 @@ from reading [A Gentle Introduction to Application Security](https://paragonie.c * [Python chapter of Fedora Defensive Coding Guide](#python-chapter-of-fedora-defensive-coding-guide) * [Black Hat Python: Python Programming for Hackers and Pentesters](#-black-hat-python-python-programming-for-hackers-and-pentesters) ![nonfree](img/nonfree.png) * [Violent Python](#-violent-python) ![nonfree](img/nonfree.png) + * [Source code analysis](#source-code-analysis) + * [PyCQA/bandit](#pycqabandit-2015) (2015) * [Websites](#websites-2) * [OWASP Python Security Wiki](#owasp-python-security-wiki-2014) (2014) * [Ruby](#ruby) * [Books and ebooks](#books-and-ebooks-9) * [Secure Ruby Development Guide](#secure-ruby-development-guide-2014) (2014) + * [Source code analysis](#source-code-analysis-1) + * [rubocop-hq/rubocop](#rubocop-hqrubocop-2012) (2012) + * [presidentbeef/brakeman](#presidentbeefbrakeman-2014) (2014) + * [rubysec/bundler-audit](#rubysecbundler-audit-2013) (2013) * [Elixir](#elixir) - * [Source code analysis](#source-code-analysis) + * [Source code analysis](#source-code-analysis-2) * [rrrene/credo](#rrrenecredo-2015) (2015) * [nccgroup/sobelow](#nccgroupsobelow-2017) (2017) 
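Review bot: the README hunk in 06/19 also adds the Python "Source code analysis" TOC lines for PyCQA/bandit, although the subject says "ruby - new section"; either fold that part into 05/19 or mention it in the subject. The new **Released** dates (rubocop May 3, 2012; brakeman February 10, 2014; bundler-audit February 12, 2013) look like first-GitHub-release dates rather than initial publication dates, which is the criterion 03/19 just adopted ("Using date from the initial publication"); confirm which rule the list follows and apply it consistently.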
@@ -678,6 +684,14 @@ Black Hat Python by Justin Seitz from NoStarch Press is a great book for the off Violent Python shows you how to move from a theoretical understanding of offensive computing concepts to a practical implementation. +## Source code analysis + +### [PyCQA/bandit](https://github.com/PyCQA/bandit) (2015) + +**Released**: February 17, 2015 + +Bandit is a tool designed to find common security issues in Python code. + ## Websites ### [OWASP Python Security Wiki](https://github.com/ebranca/owasp-pysec/wiki) (2014) @@ -696,6 +710,26 @@ A wiki maintained by the OWASP Python Security project. A guide to secure Ruby development by the Fedora Security Team. Also available on [Github](https://github.com/jrusnack/secure-ruby-development-guide). +## Source code analysis + +### [rubocop-hq/rubocop](https://github.com/rubocop-hq/rubocop) (2012) + +**Released**: May 3, 2012 + +A Ruby static code analyzer and formatter, based on the community Ruby style guide. + +### [presidentbeef/brakeman](https://github.com/presidentbeef/brakeman) (2014) + +**Released**: February 10, 2014 + +A static analysis security vulnerability scanner for Ruby on Rails applications. + +### [rubysec/bundler-audit](https://github.com/rubysec/bundler-audit) (2013) + +**Released**: February 12, 2013 + +Patch-level verification for Bundler. + # Elixir ## Source code analysis diff --git a/data/Ruby/source-code-analysis/0001-rubocop.json b/data/Ruby/source-code-analysis/0001-rubocop.json new file mode 100644 index 0000000..0b586cb --- /dev/null +++ b/data/Ruby/source-code-analysis/0001-rubocop.json @@ -0,0 +1,7 @@ +{ + "date": "2012-05-03", + "free": true, + "name": "rubocop-hq/rubocop", + "remark": "A Ruby static code analyzer and formatter, based on the community Ruby style guide.", + "url": "https://github.com/rubocop-hq/rubocop" +} diff --git a/data/Ruby/source-code-analysis/0002-brakeman.json b/data/Ruby/source-code-analysis/0002-brakeman.json new file mode 100644 index 0000000..065b366 
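Review bot: bundler-audit does not belong under "Source code analysis": its remark, "Patch-level verification for Bundler.", describes auditing the resolved dependency set (Gemfile.lock) for known vulnerable gem versions, not analysing source, and the one-line remark does not say even that much; expand it to name what is checked (Gemfile.lock against the ruby-advisory-db) and group it under a dependency-analysis heading. RuboCop's own remark ("based on the community Ruby style guide") describes a style linter; if it stays in a security list, the remark should say what security checks it provides.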
--- /dev/null +++ b/data/Ruby/source-code-analysis/0002-brakeman.json @@ -0,0 +1,7 @@ +{ + "date": "2014-02-10", + "free": true, + "name": "presidentbeef/brakeman", + "remark": "A static analysis security vulnerability scanner for Ruby on Rails applications.", + "url": "https://github.com/presidentbeef/brakeman" +} diff --git a/data/Ruby/source-code-analysis/0003-bundler-audit.json b/data/Ruby/source-code-analysis/0003-bundler-audit.json new file mode 100644 index 0000000..0ca71f9 --- /dev/null +++ b/data/Ruby/source-code-analysis/0003-bundler-audit.json @@ -0,0 +1,7 @@ +{ + "date": "2013-02-12", + "free": true, + "name": "rubysec/bundler-audit", + "remark": "Patch-level verification for Bundler.", + "url": "https://github.com/rubysec/bundler-audit" +} From 306214c2d0d23507acaf600af54e0a5453f3c67e Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Fri, 24 May 2019 18:56:32 -0300 Subject: [PATCH 07/19] python - https://pypi.org/project/safety/ --- README.md | 7 +++++++ data/Python/source-code-analysis/0002-safety.json | 7 +++++++ 2 files changed, 14 insertions(+) create mode 100644 data/Python/source-code-analysis/0002-safety.json diff --git a/README.md b/README.md index 49a2162..6507384 100644 --- a/README.md +++ b/README.md @@ -145,6 +145,7 @@ from reading [A Gentle Introduction to Application Security](https://paragonie.c * [Violent Python](#-violent-python) ![nonfree](img/nonfree.png) * [Source code analysis](#source-code-analysis) * [PyCQA/bandit](#pycqabandit-2015) (2015) + * [pyupio/safety](#pyupiosafety-2016) (2016) * [Websites](#websites-2) * [OWASP Python Security Wiki](#owasp-python-security-wiki-2014) (2014) * [Ruby](#ruby) 
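Review bot: pyupio/safety, added in 07/19, is a dependency vulnerability checker ("checks your installed dependencies for known security vulnerabilities") and lands under the Python "Source code analysis" heading, the same mis-grouping as bundler-audit; a separate dependency-analysis heading per language would keep the categories honest. The remark is also written in the second person ("your installed dependencies"), unlike the other entries.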
@@ -692,6 +693,12 @@ Violent Python shows you how to move from a theoretical understanding of offensi Bandit is a tool designed to find common security issues in Python code. +### [pyupio/safety](https://github.com/pyupio/safety) (2016) + +**Released**: October 19, 2016 + +Safety checks your installed dependencies for known security vulnerabilities. + ## Websites ### [OWASP Python Security Wiki](https://github.com/ebranca/owasp-pysec/wiki) (2014) diff --git a/data/Python/source-code-analysis/0002-safety.json b/data/Python/source-code-analysis/0002-safety.json new file mode 100644 index 0000000..0438204 --- /dev/null +++ b/data/Python/source-code-analysis/0002-safety.json @@ -0,0 +1,7 @@ +{ + "date": "2016-10-19", + "free": true, + "name": "pyupio/safety", + "remark": "Safety checks your installed dependencies for known security vulnerabilities.", + "url": "https://github.com/pyupio/safety" +} From f04da299a84ef3aa488b75ce566591a8af164050 Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Fri, 24 May 2019 19:10:17 -0300 Subject: [PATCH 08/19] java - new section --- README.md | 23 ++++++++++++++++--- .../0001-owasp-dependency-check.json | 7 ++++++ .../0002-find-sec-bugs.json | 7 ++++++ 3 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 data/Java/source-code-analysis/0001-owasp-dependency-check.json create mode 100644 data/Java/source-code-analysis/0002-find-sec-bugs.json diff --git a/README.md b/README.md index 6507384..240b07e 100644 --- a/README.md +++ b/README.md 
@@ -97,6 +97,9 @@ from reading [A Gentle Introduction to Application Security](https://paragonie.c * [Books and ebooks](#books-and-ebooks-4) * [SEI CERT Java Coding Standard](#sei-cert-java-coding-standard-2007) (2007) * [Secure Coding Guidelines for Java SE](#secure-coding-guidelines-for-java-se-2014) (2014) + * [Source code analysis](#source-code-analysis) + * [jeremylong/DependencyCheck](#jeremylongdependencycheck-2012) (2012) + * [find-sec-bugs/find-sec-bugs](#find-sec-bugsfind-sec-bugs-2012) (2012) * [Node.js](#node-js) * [Articles](#articles-2) * [Node.js Security Checklist - Rising Stack Blog](#node-js-security-checklist-rising-stack-blog-2015) (2015) @@ -143,7 +146,7 @@ from reading [A Gentle Introduction to Application Security](https://paragonie.c * [Python chapter of Fedora Defensive Coding Guide](#python-chapter-of-fedora-defensive-coding-guide) * [Black Hat Python: Python Programming for Hackers and Pentesters](#-black-hat-python-python-programming-for-hackers-and-pentesters) ![nonfree](img/nonfree.png) * [Violent Python](#-violent-python) ![nonfree](img/nonfree.png) - * [Source code analysis](#source-code-analysis) + * [Source code analysis](#source-code-analysis-1) * [PyCQA/bandit](#pycqabandit-2015) (2015) * [pyupio/safety](#pyupiosafety-2016) (2016) * [Websites](#websites-2) 
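Review bot: every new language section renumbers the hand-maintained anchors `#source-code-analysis`, `-1`, `-2`, `-3` across the whole TOC (this hunk shifts Python, Ruby and Elixir by one again), which is an easy way to end up with a dangling link; if the README is generated from data/, the generator should emit these, otherwise a link check on the rendered README before merging is worth the effort.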
@@ -151,12 +154,12 @@ from reading [A Gentle Introduction to Application Security](https://paragonie.c * [Ruby](#ruby) * [Books and ebooks](#books-and-ebooks-9) * [Secure Ruby Development Guide](#secure-ruby-development-guide-2014) (2014) - * [Source code analysis](#source-code-analysis-1) + * [Source code analysis](#source-code-analysis-2) * [rubocop-hq/rubocop](#rubocop-hqrubocop-2012) (2012) * [presidentbeef/brakeman](#presidentbeefbrakeman-2014) (2014) * [rubysec/bundler-audit](#rubysecbundler-audit-2013) (2013) * [Elixir](#elixir) - * [Source code analysis](#source-code-analysis-2) + * [Source code analysis](#source-code-analysis-3) * [rrrene/credo](#rrrenecredo-2015) (2015) * [nccgroup/sobelow](#nccgroupsobelow-2017) (2017) @@ -505,6 +508,20 @@ A community-maintained Wiki detailing secure coding standards for Java programmi Secure Java programming guidelines straight from Oracle. +## Source code analysis + +### [jeremylong/DependencyCheck](https://github.com/jeremylong/DependencyCheck) (2012) + +**Released**: October 23, 2012 + +OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies. + +### [find-sec-bugs/find-sec-bugs](https://github.com/find-sec-bugs/find-sec-bugs) (2012) + +**Released**: October 19, 2012 + +The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects) + # Node.js ## Articles diff --git a/data/Java/source-code-analysis/0001-owasp-dependency-check.json b/data/Java/source-code-analysis/0001-owasp-dependency-check.json new file mode 100644 index 0000000..1d98428 --- /dev/null +++ b/data/Java/source-code-analysis/0001-owasp-dependency-check.json 
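Review bot: the find-sec-bugs remark has a grammar slip, "(Also work with Kotlin, Groovy and Scala projects)"; make it "Also works with Kotlin, Groovy and Scala projects." and drop the parentheses. The DependencyCheck remark itself says it is "a software composition analysis utility", so placing it under "Source code analysis" contradicts the entry; this is the third language where a dependency scanner is filed as source analysis, so a dedicated heading would be cleaner than fixing it per language.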
@@ -0,0 +1,7 @@ +{ + "date": "2012-10-23", + "free": true, + "name": "jeremylong/DependencyCheck", + "remark": "OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.", + "url": "https://github.com/jeremylong/DependencyCheck" +} diff --git a/data/Java/source-code-analysis/0002-find-sec-bugs.json b/data/Java/source-code-analysis/0002-find-sec-bugs.json new file mode 100644 index 0000000..112d4ae --- /dev/null +++ b/data/Java/source-code-analysis/0002-find-sec-bugs.json @@ -0,0 +1,7 @@ +{ + "date": "2012-10-19", + "free": true, + "name": "find-sec-bugs/find-sec-bugs", + "remark": "The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects)", + "url": "https://github.com/find-sec-bugs/find-sec-bugs" +} From 32377c3fae316583780c278804cf7cd6aaf346de Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Sat, 25 May 2019 08:20:26 -0300 Subject: [PATCH 09/19] (#50) - modsecurity/CRS and OWASP Cheat Sheet Series --- .../0006-modsecurity.json | 6 ++++++ .../0007-modsecurity-crs.json | 6 ++++++ .../0008-cheat-sheet-series.json | 6 ++++++ 3 files changed, 18 insertions(+) create mode 100644 data/01-full-stack/Open-Web-Application-Security-Project/0006-modsecurity.json create mode 100644 data/01-full-stack/Open-Web-Application-Security-Project/0007-modsecurity-crs.json create mode 100644 data/01-full-stack/Open-Web-Application-Security-Project/0008-cheat-sheet-series.json diff --git a/data/01-full-stack/Open-Web-Application-Security-Project/0006-modsecurity.json b/data/01-full-stack/Open-Web-Application-Security-Project/0006-modsecurity.json new file mode 100644 index 0000000..d27d9f7 --- /dev/null +++ b/data/01-full-stack/Open-Web-Application-Security-Project/0006-modsecurity.json 
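Review bot: `0006-modsecurity.json` is filed under `data/01-full-stack/Open-Web-Application-Security-Project/`, but its own remark says the engine "is developed by Trustwave's SpiderLabs"; ModSecurity is not an OWASP project, only the Core Rule Set (0007) is, so the engine belongs in a general WAF grouping, or the remark should explain the placement. The three JSON files added in 09/19 also omit the `"free": true` key that every other new entry in this series carries.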
@@ -0,0 +1,6 @@ +{ + "date": "2007-03-06", + "name": "ModSecurity (open source WAF)", + "remark": "ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analys.", + "url": "https://github.com/SpiderLabs/ModSecurity" +} diff --git a/data/01-full-stack/Open-Web-Application-Security-Project/0007-modsecurity-crs.json b/data/01-full-stack/Open-Web-Application-Security-Project/0007-modsecurity-crs.json new file mode 100644 index 0000000..83d48ff --- /dev/null +++ b/data/01-full-stack/Open-Web-Application-Security-Project/0007-modsecurity-crs.json @@ -0,0 +1,6 @@ +{ + "date": "2012-09-19", + "name": "OWASP ModSecurity Core Rule Set (CRS)", + "remark": "The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.", + "url": "https://github.com/SpiderLabs/owasp-modsecurity-crs" +} diff --git a/data/01-full-stack/Open-Web-Application-Security-Project/0008-cheat-sheet-series.json b/data/01-full-stack/Open-Web-Application-Security-Project/0008-cheat-sheet-series.json new file mode 100644 index 0000000..719d40c --- /dev/null +++ b/data/01-full-stack/Open-Web-Application-Security-Project/0008-cheat-sheet-series.json 
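Review bot: the ModSecurity remark ends in a truncated word, "logging and real-time analys."; it should read "real-time analysis". The CRS entry points at `github.com/SpiderLabs/owasp-modsecurity-crs`, which is consistent with the engine entry, but since the directory is the OWASP grouping, consider linking the project page too.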
@@ -0,0 +1,6 @@ +{ + "date": "2014-03-07", + "name": "OWASP Cheat Sheet Series", + "remark": "The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.", + "url": "https://github.com/OWASP/CheatSheetSeries" +} From dc9faddb45b0f1631a990fa1374c90a357dc0987 Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Sat, 25 May 2019 09:17:46 -0300 Subject: [PATCH 10/19] 3d5cc5cb - juice shop moved to another section --- data/00-general/websites/0010-juice-shop.json | 5 ----- .../0003-juice-shop.json | 6 ++++++ 2 files changed, 6 insertions(+), 5 deletions(-) delete mode 100644 data/00-general/websites/0010-juice-shop.json create mode 100644 data/01-full-stack/Open-Web-Application-Security-Project/0003-juice-shop.json diff --git a/data/00-general/websites/0010-juice-shop.json b/data/00-general/websites/0010-juice-shop.json deleted file mode 100644 index 2768c56..0000000 --- a/data/00-general/websites/0010-juice-shop.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "name": "Juice Shop", - "remark": "An intentionally insecure Javascript Web Application.", - "url": "https://bkimminich.github.io/juice-shop" -} \ No newline at end of file diff --git a/data/01-full-stack/Open-Web-Application-Security-Project/0003-juice-shop.json b/data/01-full-stack/Open-Web-Application-Security-Project/0003-juice-shop.json new file mode 100644 index 0000000..5a3eada --- /dev/null +++ b/data/01-full-stack/Open-Web-Application-Security-Project/0003-juice-shop.json 
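Review bot: the Cheat Sheet Series remark is pasted verbatim from the project page, including the first-person sentence "We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance"; rewrite it in the list's neutral third-person voice (one sentence on what the series is and who maintains it). The Juice Shop remark in 10/19 has the same problem in a louder form ("probably the most modern and sophisticated insecure web application!" and three more exclamation marks); the old one-line remark was terse but in the right register.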
@@ -0,0 +1,6 @@ +{ + "date": "2014-10-04", + "name": "OWASP Juice Shop Tool Project", + "remark": "OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!", + "url": "https://github.com/bkimminich/juice-shop" +} From 50086148c2ad20bbb2b85ea88b6307dd7141aacf Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Sat, 25 May 2019 09:19:39 -0300 Subject: [PATCH 11/19] c86d477e (#35) - moved to the new section --- data/00-general/websites/0012-nodegoat.json | 5 ----- .../0002-nodegoat.json | 6 ++++++ 2 files changed, 6 insertions(+), 5 deletions(-) delete mode 100644 data/00-general/websites/0012-nodegoat.json create mode 100644 data/01-full-stack/Open-Web-Application-Security-Project/0002-nodegoat.json diff --git a/data/00-general/websites/0012-nodegoat.json b/data/00-general/websites/0012-nodegoat.json deleted file mode 100644 index b2d6bdd..0000000 --- a/data/00-general/websites/0012-nodegoat.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "name": "OWASP NodeGoat", - "remark": "Purposly vulnerable to the OWASP Top 10 Node.JS web application, with [tutorials](https://nodegoat.herokuapp.com/tutorial), [security regression testing with the OWASP Zap API](https://github.com/OWASP/NodeGoat/wiki/NodeGoat-Security-Regression-tests-with-ZAP-API), [docker image](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker). With several options to get up and running fast.", - "url": "https://github.com/owasp/nodegoat" -} diff --git a/data/01-full-stack/Open-Web-Application-Security-Project/0002-nodegoat.json b/data/01-full-stack/Open-Web-Application-Security-Project/0002-nodegoat.json new file mode 100644 index 0000000..919f70e --- /dev/null 
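Review bot: the NodeGoat move in 11/19 loses information: the deleted remark linked the tutorials, the ZAP API security-regression-test wiki page and the Docker run instructions, and the replacement remark is the project's generic blurb with none of them. Keep the three links, since they are the practically useful part of the entry. The new file also drops nothing else of substance, and adding the `"date"` field is an improvement.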
+++ b/data/01-full-stack/Open-Web-Application-Security-Project/0002-nodegoat.json @@ -0,0 +1,6 @@ +{ + "date": "2014-05-06", + "name": "OWASP NodeGoat Project", + "remark": "OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.", + "url": "https://github.com/OWASP/NodeGoat" +} From 976a6128c0632fac6a07a1a085abf2ef227339f4 Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Sat, 25 May 2019 09:21:24 -0300 Subject: [PATCH 12/19] f57b8034 (#49) - moved to the new section --- data/00-general/websites/0013-serverlessgoat.json | 6 ------ .../0005-serverless-goat.json | 6 ++++++ 2 files changed, 6 insertions(+), 6 deletions(-) delete mode 100644 data/00-general/websites/0013-serverlessgoat.json create mode 100644 data/01-full-stack/Open-Web-Application-Security-Project/0005-serverless-goat.json diff --git a/data/00-general/websites/0013-serverlessgoat.json b/data/00-general/websites/0013-serverlessgoat.json deleted file mode 100644 index 7976657..0000000 --- a/data/00-general/websites/0013-serverlessgoat.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "free": true, - "name": "OWASP ServerlessGoat", - "remark": "OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP and created by [PureSec](https://www.puresec.io/). You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices.", - "url": "https://www.owasp.org/index.php/OWASP_Serverless_Goat" -} \ No newline at end of file diff --git a/data/01-full-stack/Open-Web-Application-Security-Project/0005-serverless-goat.json b/data/01-full-stack/Open-Web-Application-Security-Project/0005-serverless-goat.json new file mode 100644 index 0000000..2311c12 --- /dev/null 
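Review bot: the ServerlessGoat move in 12/19 drops `"free": true` from the entry (the deleted file had it, the new one does not), and spells the name "OWASP Serverless Goat" while the README heading added in 01/19 is "OWASP ServerlessGoat"; pick one spelling so the generated anchor and the data name agree. Removing the "install WebGoat" copy-paste error from the remark is a correct fix.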
+++ b/data/01-full-stack/Open-Web-Application-Security-Project/0005-serverless-goat.json @@ -0,0 +1,6 @@ +{ + "date": "2018-12-18", + "name": "OWASP Serverless Goat", + "remark": "OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP.", + "url": "https://www.owasp.org/index.php/OWASP_Serverless_Goat" +} From 27155d736ce0ccf1644686b6ca10eba1afd0f98d Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Sat, 25 May 2019 09:22:42 -0300 Subject: [PATCH 13/19] 38c9544b - owasp top 10 moved to another section --- .../0001-owasp-top-ten.json | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename data/{00-general/websites/01-wiki-pages => 01-full-stack/Open-Web-Application-Security-Project}/0001-owasp-top-ten.json (100%) diff --git a/data/00-general/websites/01-wiki-pages/0001-owasp-top-ten.json b/data/01-full-stack/Open-Web-Application-Security-Project/0001-owasp-top-ten.json similarity index 100% rename from data/00-general/websites/01-wiki-pages/0001-owasp-top-ten.json rename to data/01-full-stack/Open-Web-Application-Security-Project/0001-owasp-top-ten.json From fcb0faa06134f7d5643b0030258f99262dccac44 Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Sat, 25 May 2019 09:27:02 -0300 Subject: [PATCH 14/19] (#48) - zap api; wiki --- .../00-general/websites/01-wiki-pages/0001-zap-api-doc.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 data/00-general/websites/01-wiki-pages/0001-zap-api-doc.json diff --git a/data/00-general/websites/01-wiki-pages/0001-zap-api-doc.json b/data/00-general/websites/01-wiki-pages/0001-zap-api-doc.json new file mode 100644 index 0000000..f03836c --- /dev/null +++ b/data/00-general/websites/01-wiki-pages/0001-zap-api-doc.json @@ -0,0 +1,6 @@ +{ + "free": true, + "name": "The ZAP API", + "remark": "ZAP provides a REST Application Programming Interface (API) which allows you to interact with ZAP programmatically.", + "url": "https://github.com/zaproxy/zaproxy/wiki/ApiDetails" +} 
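Review bot: `0001-zap-api-doc.json` has no `"date"` field while every other entry in this series gets one, and the OWASP directory now numbers its files 0001, 0002, 0003, 0005 to 0009 with 0004 unused; if the prefix drives ordering in the rendered list, fill the gap or document that gaps are allowed. The ZAP API wiki URL is a GitHub wiki page, which is fine as long as the link check covers it.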
From a4c7dbfb6a8fc3cdd0e9d44f9730124f4471bcb0 Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Sat, 25 May 2019 09:27:28 -0300 Subject: [PATCH 15/19] (#48) - zaproxy --- .../Open-Web-Application-Security-Project/0009-zaproxy.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 data/01-full-stack/Open-Web-Application-Security-Project/0009-zaproxy.json diff --git a/data/01-full-stack/Open-Web-Application-Security-Project/0009-zaproxy.json b/data/01-full-stack/Open-Web-Application-Security-Project/0009-zaproxy.json new file mode 100644 index 0000000..1e2c38e --- /dev/null +++ b/data/01-full-stack/Open-Web-Application-Security-Project/0009-zaproxy.json @@ -0,0 +1,6 @@ +{ + "date": "2010-10-06", + "name": "OWASP Zed Attack Proxy Project", + "remark": "The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.", + "url": "https://github.com/zaproxy/zaproxy" +} From 56429c5e6934e279fdc4030e34c14b0969ba55e8 Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Sat, 25 May 2019 09:27:59 -0300 Subject: [PATCH 16/19] (#48) - zap api; java --- data/Java/tools/0001-zap-api-java.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 data/Java/tools/0001-zap-api-java.json diff --git a/data/Java/tools/0001-zap-api-java.json b/data/Java/tools/0001-zap-api-java.json new file mode 100644 index 0000000..0f63de7 --- /dev/null +++ b/data/Java/tools/0001-zap-api-java.json @@ -0,0 +1,7 @@ +{ + "date":"2016-06-03", + "free": true, + "name": "zaproxy/zap-api-java", + "remark": "The Java implementation to access the OWASP ZAP API. For more information about OWASP ZAP consult the (main) OWASP ZAP project.", + "url": "https://github.com/zaproxy/zap-api-java" +} 
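Review bot: typo in the 0009-zaproxy.json remark: "Its also a great tool for experienced pentesters" should read "It's also"; the same sentence is reused verbatim in the README hunk later in this series, so fixing the record fixes both. The curly apostrophe in "world’s" is worth replacing with a plain ' as well, so the data files stay ASCII and the generator has nothing to trip on.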
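Review bot: `"date":"2016-06-03"` in 0001-zap-api-java.json has no space after the colon, unlike `"date": "2010-10-06"` in 0009-zaproxy.json and the other records in this series (the nodejs and python records in the next two patches repeat the same formatting); run the three new files through a JSON formatter so the data directory stays uniform.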
From 9fbaab92aac1449f5482343b2ea7dfaa0a198a5e Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Sat, 25 May 2019 09:28:14 -0300 Subject: [PATCH 17/19] (#48) - zap api; nodejs --- data/Node.js/tools/0001-zap-api-nodejs.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 data/Node.js/tools/0001-zap-api-nodejs.json diff --git a/data/Node.js/tools/0001-zap-api-nodejs.json b/data/Node.js/tools/0001-zap-api-nodejs.json new file mode 100644 index 0000000..8a08b61 --- /dev/null +++ b/data/Node.js/tools/0001-zap-api-nodejs.json @@ -0,0 +1,7 @@ +{ + "date":"2018-11-16", + "free": true, + "name": "zaproxy/zap-api-nodejs", + "remark": "The NodeJS implementation to access the OWASP ZAP API. For more information about OWASP ZAP consult the (main) OWASP ZAP project.", + "url": "https://github.com/zaproxy/zap-api-nodejs" +} From 21d757023cd4f3b2a119660ea2383950e3110aab Mon Sep 17 00:00:00 2001 From: 4chm3d Date: Sat, 25 May 2019 09:28:23 -0300 Subject: [PATCH 18/19] (#48) - zap api; python --- data/Python/tools/0001-zap-api-python.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 data/Python/tools/0001-zap-api-python.json diff --git a/data/Python/tools/0001-zap-api-python.json b/data/Python/tools/0001-zap-api-python.json new file mode 100644 index 0000000..e357c32 --- /dev/null +++ b/data/Python/tools/0001-zap-api-python.json @@ -0,0 +1,7 @@ +{ + "date":"2015-05-29", + "free": true, + "name": "zaproxy/zap-api-python", + "remark": "The Python implementation to access the OWASP ZAP API. For more information about OWASP ZAP consult the (main) OWASP ZAP project.", + "url": "https://github.com/zaproxy/zap-api-python" +} From 7b6fe13fccc4e9ac37019d06a6ab0f5198124949 Mon Sep 17 00:00:00 2001 
From: 4chm3d Date: Sat, 25 May 2019 09:28:47 -0300 Subject: [PATCH 19/19] owasp - new project --- README.md | 118 +++++++++++++++--- .../0004-web-goat.json | 6 + 2 files changed, 106 insertions(+), 18 deletions(-) create mode 100644 data/01-full-stack/Open-Web-Application-Security-Project/0004-web-goat.json diff --git a/README.md b/README.md index 240b07e..fb277a0 100644 --- a/README.md +++ b/README.md 
@@ -59,21 +59,29 @@ from reading [A Gentle Introduction to Application Security](https://paragonie.c * [MicroCorruption](#microcorruption) * [The Matasano Crypto Challenges](#the-matasano-crypto-challenges) * [PentesterLab](#pentesterlab) - * [Juice Shop](#juice-shop) * [Supercar Showdown](#supercar-showdown) - * [OWASP NodeGoat](#owasp-nodegoat) - * [OWASP ServerlessGoat](#owasp-serverlessgoat) * [Blogs](#blogs) * [Crypto Fails](#crypto-fails) * [NCC Group - Blog](#ncc-group-blog) * [Scott Helme](#scott-helme) * [Cossack Labs blog](#cossack-labs-blog-2018) (2018) * [Wiki pages](#wiki-pages) - * [OWASP Top Ten Project](#owasp-top-ten-project) + * [The ZAP API](#the-zap-api) * [Tools](#tools) * [Qualys SSL Labs](#qualys-ssl-labs) * [securityheaders.io](#securityheaders-io) * [report-uri.io](#report-uri-io) + * [Full stack](#full-stack) + * [Open Web Application Security Project](#open-web-application-security-project) + * [OWASP Top Ten Project](#owasp-top-ten-project) + * [OWASP NodeGoat Project](#owasp-nodegoat-project-2014) (2014) + * [OWASP Juice Shop Tool Project](#owasp-juice-shop-tool-project-2014) (2014) + * [OWASP WebGoat Project](#owasp-webgoat-project-2008) (2008) + * [OWASP Serverless Goat](#owasp-serverless-goat-2018) (2018) + * [ModSecurity (open source WAF)](#modsecurity-open-source-waf-2007) (2007) + * [OWASP ModSecurity Core Rule Set (CRS)](#owasp-modsecurity-core-rule-set-crs-2012) (2012) + * [OWASP Cheat Sheet Series](#owasp-cheat-sheet-series-2014) (2014) + * [OWASP Zed Attack Proxy Project](#owasp-zed-attack-proxy-project-2010) (2010) * [AWS Lambda](#aws-lambda) * [Tools](#tools-1) * [PureSec FunctionShield](#puresec-functionshield) 
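Review bot: `[OWASP Top Ten Project](#owasp-top-ten-project)` is the only entry in the new Open Web Application Security Project list without a year suffix, because patch 13 moved 0001-owasp-top-ten.json with a 100% similarity rename and the record still has no `"date"` field; adding a date in the same move would make its heading and anchor match `(#owasp-nodegoat-project-2014)` and the rest of the section.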
@@ -100,11 +108,15 @@ from reading [A Gentle Introduction to Application Security](https://paragonie.c * [Source code analysis](#source-code-analysis) * [jeremylong/DependencyCheck](#jeremylongdependencycheck-2012) (2012) * [find-sec-bugs/find-sec-bugs](#find-sec-bugsfind-sec-bugs-2012) (2012) + * [Tools](#tools-2) + * [zaproxy/zap-api-java](#zaproxyzap-api-java-2016) (2016) * [Node.js](#node-js) * [Articles](#articles-2) * [Node.js Security Checklist - Rising Stack Blog](#node-js-security-checklist-rising-stack-blog-2015) (2015) * [Books and ebooks](#books-and-ebooks-5) * [Essential Node.js Security](#-essential-node-js-security-2017) (2017) ![nonfree](img/nonfree.png) + * [Tools](#tools-3) + * [zaproxy/zap-api-nodejs](#zaproxyzap-api-nodejs-2018) (2018) * [Training](#training) * [Security Training by ^Lift Security](#-security-training-by-lift-security) ![nonfree](img/nonfree.png) * [Security Training from BinaryMist](#-security-training-from-binarymist) ![nonfree](img/nonfree.png) @@ -149,6 +161,8 @@ from reading [A Gentle Introduction to Application Security](https://paragonie.c * [Source code analysis](#source-code-analysis-1) * [PyCQA/bandit](#pycqabandit-2015) (2015) * [pyupio/safety](#pyupiosafety-2016) (2016) + * [Tools](#tools-4) + * [zaproxy/zap-api-python](#zaproxyzap-api-python-2015) (2015) * [Websites](#websites-2) * [OWASP Python Security Wiki](#owasp-python-security-wiki-2014) (2014) * [Ruby](#ruby) 
@@ -372,22 +386,10 @@ A series of programming exercises for teaching oneself cryptography by [Matasano PentesterLab provides [free Hands-On exercises](https://pentesterlab.com/exercises/) and a [bootcamp](https://pentesterlab.com/bootcamp/) to get started. -### [Juice Shop](https://bkimminich.github.io/juice-shop) - -An intentionally insecure Javascript Web Application. - ### [Supercar Showdown](http://hackyourselffirst.troyhunt.com/) How to go on the offence before online attackers do. -### [OWASP NodeGoat](https://github.com/owasp/nodegoat) - -Purposly vulnerable to the OWASP Top 10 Node.JS web application, with [tutorials](https://nodegoat.herokuapp.com/tutorial), [security regression testing with the OWASP Zap API](https://github.com/OWASP/NodeGoat/wiki/NodeGoat-Security-Regression-tests-with-ZAP-API), [docker image](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker). With several options to get up and running fast. - -### [OWASP ServerlessGoat](https://www.owasp.org/index.php/OWASP_Serverless_Goat) - -OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP and created by [PureSec](https://www.puresec.io/). You can install WebGoat, learn about the vulnerabilities, how to exploit them, and how to remediate each issue. The project also includes documentation explaining the issues and how they should be remediated with best-practices. - ### Blogs #### [Crypto Fails](http://cryptofails.com) @@ -410,9 +412,9 @@ Blog of cryptographic company that makes open-source libraries and tools, and de ### Wiki pages -#### [OWASP Top Ten Project](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) +#### [The ZAP API](https://github.com/zaproxy/zaproxy/wiki/ApiDetails) -The top ten most common and critical security vulnerabilities found in web applications. +ZAP provides a REST Application Programming Interface (API) which allows you to interact with ZAP programmatically. ### Tools 
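Review bot: the deleted NodeGoat paragraph carried three links a reader would actually use ([tutorials](https://nodegoat.herokuapp.com/tutorial), [security regression testing with the OWASP Zap API](https://github.com/OWASP/NodeGoat/wiki/NodeGoat-Security-Regression-tests-with-ZAP-API) and the [docker image](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker)), and the replacement NodeGoat remark in the new Full stack section has none of them; since the README is generated, fold those links into the remark of 0002-nodegoat.json rather than losing them in the move. Dropping "You can install WebGoat" from the ServerlessGoat text is correct, as that sentence belonged to the WebGoat entry.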
@@ -428,6 +430,62 @@ Quickly and easily assess the security of your HTTP response headers. A free CSP and HPKP reporting service. +# Full stack + +## Open Web Application Security Project + +### [OWASP Top Ten Project](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) + +The top ten most common and critical security vulnerabilities found in web applications. + +### [OWASP NodeGoat Project](https://github.com/OWASP/NodeGoat) (2014) + +**Released**: May 6, 2014 + +OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them. + +### [OWASP Juice Shop Tool Project](https://github.com/bkimminich/juice-shop) (2014) + +**Released**: October 4, 2014 + +OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications! + +### [OWASP WebGoat Project](https://github.com/WebGoat/WebGoat) (2008) + +**Released**: January 12, 2008 + +WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. There are other 'goats' such as WebGoat for .Net. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. + +### [OWASP Serverless Goat](https://www.owasp.org/index.php/OWASP_Serverless_Goat) (2018) + +**Released**: December 18, 2018 + +OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP. 
+ +### [ModSecurity (open source WAF)](https://github.com/SpiderLabs/ModSecurity) (2007) + +**Released**: March 6, 2007 + +ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analys. + +### [OWASP ModSecurity Core Rule Set (CRS)](https://github.com/SpiderLabs/owasp-modsecurity-crs) (2012) + +**Released**: September 19, 2012 + +The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. + +### [OWASP Cheat Sheet Series](https://github.com/OWASP/CheatSheetSeries) (2014) + +**Released**: March 7, 2014 + +The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format. + +### [OWASP Zed Attack Proxy Project](https://github.com/zaproxy/zaproxy) (2010) + +**Released**: October 6, 2010 + +The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing. + # AWS Lambda ## Tools 
@@ -522,6 +580,14 @@ OWASP dependency-check is a software composition analysis utility that detects p The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Kotlin, Groovy and Scala projects) +## Tools + +### [zaproxy/zap-api-java](https://github.com/zaproxy/zap-api-java) (2016) + +**Released**: June 3, 2016 + +The Java implementation to access the OWASP ZAP API. For more information about OWASP ZAP consult the (main) OWASP ZAP project. + # Node.js ## Articles @@ -540,6 +606,14 @@ Covers a lot of useful information for developing secure Node.js applications. Hands-on and abundant with source code for a practical guide to Securing Node.js web applications. +## Tools + +### [zaproxy/zap-api-nodejs](https://github.com/zaproxy/zap-api-nodejs) (2018) + +**Released**: November 16, 2018 + +The NodeJS implementation to access the OWASP ZAP API. For more information about OWASP ZAP consult the (main) OWASP ZAP project. + ## Training ### ![nonfree](img/nonfree.png) [Security Training by ^Lift Security](https://liftsecurity.io/training) @@ -716,6 +790,14 @@ Bandit is a tool designed to find common security issues in Python code. Safety checks your installed dependencies for known security vulnerabilities. +## Tools + +### [zaproxy/zap-api-python](https://github.com/zaproxy/zap-api-python) (2015) + +**Released**: May 29, 2015 + +The Python implementation to access the OWASP ZAP API. For more information about OWASP ZAP consult the (main) OWASP ZAP project. + ## Websites ### [OWASP Python Security Wiki](https://github.com/ebranca/owasp-pysec/wiki) (2014) diff --git a/data/01-full-stack/Open-Web-Application-Security-Project/0004-web-goat.json b/data/01-full-stack/Open-Web-Application-Security-Project/0004-web-goat.json new file mode 100644 index 0000000..19d701a --- /dev/null +++ b/data/01-full-stack/Open-Web-Application-Security-Project/0004-web-goat.json 
@@ -0,0 +1,6 @@ +{ + "date": "2008-01-12", + "name": "OWASP WebGoat Project", + "remark": "WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. There are other 'goats' such as WebGoat for .Net. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications.", + "url": "https://github.com/WebGoat/WebGoat" +}
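Review bot: the ModSecurity remark in the Full stack hunk is cut off: "logging and real-time analys." should end "real-time analysis." (the same truncation will be in its JSON record, so fix it there). The same hunk also files `ModSecurity (open source WAF)` under the "Open Web Application Security Project" heading even though its own remark says the engine "is developed by Trustwave's SpiderLabs"; of the two, only the OWASP ModSecurity Core Rule Set (CRS) is an OWASP project, so either move the engine entry elsewhere or say in the heading that the section collects OWASP-related projects. The ZAP remark in this hunk repeats the "Its also a great tool" typo noted on the JSON record.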
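Review bot: the three zap-api README entries (Java, Node.js and Python Tools hunks) each end with "consult the (main) OWASP ZAP project" but give no link, even though this same patch adds an `OWASP Zed Attack Proxy Project` entry under Full stack; since the README is generated, add the link (to https://github.com/zaproxy/zaproxy or to the generated `#owasp-zed-attack-proxy-project-2010` anchor) to the remark in each of the three zap-api-*.json records from patches 16 to 18 so every copy is fixed at once.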