DevOps.yoga


A DevOps Wiki


This is content about Security tools.

List of Security Tools

Note: This tool list is currently sourced from, and linked to, the XebiaLabs DevOps Toolchest. Many thanks to them for that valuable resource.

| Name | Description |
| --- | --- |
| Signal Sciences | Signal Sciences provides a next-generation web application firewall (WAF) and runtime application self-protection (RASP) for web applications, APIs, and microservices. It is positioned to block attacks without sacrificing release velocity or site reliability. |
| Klocwork | Klocwork by Rogue Wave Software provides source code analysis that boosts development productivity. Using static analysis, Klocwork Insight lets developers find critical security vulnerabilities, quality defects, and architectural issues quickly and accurately. |
| HashiCorp Vault | HashiCorp's Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other sensitive resources in modern datacenters. For each secret, Vault handles leasing, revocation, key rolling, and auditing. |
| OSSEC | OSSEC is a free, open-source host-based intrusion detection system (HIDS). It performs log analysis, file integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It supports most operating systems, including Linux, OpenBSD, FreeBSD, macOS, Solaris, and Windows, and its centralized, cross-platform agent/manager architecture lets many systems be monitored and managed from one place. It is also a popular free tool for meeting PCI DSS requirements such as log review and file integrity monitoring. |
| OWASP Zed Attack Proxy (ZAP) | The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can automatically find vulnerabilities in web applications while they are being developed and tested, and it is also a capable intercepting proxy for experienced pentesters doing manual testing. |
| CyberArk Conjur | Available as an open source tool and as an enterprise product, CyberArk Conjur is a secrets management solution tailored to cloud-native and DevOps environments. It applies least privilege and segregation of duties to the secrets used by non-human machine identities as well as human users throughout the DevOps pipeline. |
| LogRhythm SIEM | SIEM log management, network and endpoint monitoring and forensics, and security analytics. LogRhythm claims to help customers detect and respond to threats before a material breach occurs, and also offers compliance automation and assurance for enterprises, government agencies, and mid-sized businesses. |
| Veracode | Veracode is an application security company based in Burlington, Massachusetts. Founded in 2006, the company offers an automated cloud-based service for securing web, mobile, and third-party enterprise applications. |
| Tripwire | Open Source Tripwire is a free file integrity monitoring tool: it records a baseline of cryptographic hashes and attributes for a chosen set of files and alerts on any change to them, on a range of systems. The project is based on code originally contributed by Tripwire, Inc. in 2000. |
| Fortify WebInspect | Fortify WebInspect is a dynamic application security testing (DAST) scanner for web applications and services. The related Fortify on Demand service is a managed application security testing offering that lets organizations test a few applications or launch a comprehensive security program without additional investment in software and personnel. |
| Snort | Snort is a free and open source network intrusion detection and prevention system (NIDS/NIPS) created by Martin Roesch in 1998. Roesch founded Sourcefire to develop it; Sourcefire was acquired by Cisco in 2013, and Snort is now maintained by Cisco Talos. In 2009, Snort entered InfoWorld's Open Source Hall of Fame as one of the "greatest [pieces of] open source software of all time". |
| Burp Proxy | Burp Proxy is an intercepting proxy server for security testing of web applications. It operates as a man-in-the-middle between the browser and the target application, so you can see how the application works, test it manually, and pass individual requests to other Burp tools for more advanced, customized, and automated testing. Because Burp terminates TLS with a certificate issued by its own CA, routing a mobile app through it is also a quick way to check whether the app enforces certificate pinning: a pinned client refuses the connection unless the pin is bypassed. |
| Venafi Trust Protection Platform | Venafi Trust Protection Platform (TPP) provides fully automated processes for injecting X.509 keys and certificates into containers, VMs, CI/CD pipelines, orchestration, and configuration management tools. TPP is currently integrated with Kubernetes, HashiCorp Vault, Terraform, Docker, Chef, SaltStack, IBM UrbanCode, and many other toolchains. |
| Checkmarx SAST (Static Application Security Testing) | Checkmarx is an application security software company whose mission is to provide enterprise organizations with application security testing products and services that empower developers to deliver secure applications. CxSAST is designed to integrate with all development and application security methodologies. |
| Checkmarx AppSec Accelerator | AppSec Accelerator is an application security managed service that helps development organizations transition to a secure SDLC and combines SAST and DAST for broader coverage. With AppSec Accelerator, Checkmarx's AppSec experts help streamline and automate application security testing while embedding it within the development environment. |
| Charles Proxy | Charles Proxy is a widely used HTTP debugging proxy for inspecting requests between a frontend and a backend. It records response times and message sizes, and can rewrite requests or responses to inject faulty data or trigger error paths on screen. Security testers also use it to check whether an app or website enforces certificate pinning on the data it sends. |
| Gauntlt | Automated security testing. Gauntlt provides hooks to a variety of security tools and puts them within reach of security, dev, and ops teams so they can collaborate on building rugged software. It is built to facilitate testing and communication between groups and to create actionable tests that can be hooked into your deploy and test processes. |
| WhiteHat | WhiteHat Security combines automated scanning with human verification of results to find application vulnerabilities and help fix them before attackers can exploit them. |
| SecureAssist | SecureAssist is a lightweight static analysis tool that automatically detects vulnerabilities and provides just-in-time security guidance as you code. With SecureAssist, you can eliminate the most common security problems by checking your own code for vulnerabilities and using its guidance to fix them. |
| SD Elements | SD Elements generates software security requirements from your project's technology, business, and compliance drivers, so that vulnerabilities are prevented at the design stage, before scanning begins. |
| Kiuwan | Kiuwan is an end-to-end application security platform providing a DevSecOps approach to securing your applications. Highlights: SAST + SCA, 30+ languages, web, mobile, and legacy systems supported, discovery of open source vulnerabilities and license compliance, and coverage of OWASP, CWE, SANS Top 25, PCI DSS, HIPAA, WASC, MISRA-C, BIZEC, CERT-C, and CERT-J. |
| Qualys Cloud Platform | Qualys Cloud Platform consists of integrated apps that help organizations simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating auditing, compliance, and protection for all IT assets, on premises, in clouds, and on mobile endpoints. |
| Twistlock | Twistlock is an automated container security platform covering vulnerability and compliance management across the image lifecycle, application-tailored runtime defense, and cloud native firewalling, protecting containers and modern applications throughout the application lifecycle. |
| Black Duck | Black Duck's multi-factor open source detection, together with the Black Duck KnowledgeBase of open source components, vulnerabilities, and license information, lets you research open source projects, mitigate security and license compliance risks, and automatically enforce open source policies using your existing DevOps tools and processes. |
| BDD-Security | BDD-Security is a security testing framework that uses natural language in Given, When, Then (Gherkin) syntax to describe security requirements as features. |
| Fortify SCA | Micro Focus Fortify Static Code Analyzer reduces software risk by identifying the security vulnerabilities that pose the biggest threats to your organization. It pinpoints the root cause of each vulnerability, correlates and prioritizes results, and provides best practices so developers can write code more securely. |
| Sqreen | Sqreen is a web application security monitoring and protection solution that helps companies protect their apps and users from attacks. |
| Aqua Security | Aqua provides dev-to-prod security across the entire CI/CD pipeline and runtime environment, with end-to-end visibility and protection of applications against attacks. |
| XRay | JFrog Xray performs deep, recursive security scanning and version analysis of artifacts stored in Artifactory. It embeds in the CI/CD pipeline with alerting and can block the upload or download of artifacts that violate policy. |
| IriusRisk | IriusRisk is a single integrated console for creating threat models and managing application security risk throughout the software development process. |
| Nessus | Nessus helps security practitioners quickly identify and fix vulnerabilities, including software flaws, missing patches, malware, and misconfigurations, across a variety of operating systems, devices, and applications. |
| PMD | PMD is an open source static source code analyzer that reports on issues found within application code. PMD includes built-in rule sets and supports writing custom rules. |
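The integrity checking that the OSSEC and Open Source Tripwire entries above rely on comes down to a baseline-and-compare loop. The following is an added example written for this page, not code from either project: it fingerprints every regular file under a directory with SHA-256 plus its permission bits, serialises the baseline as JSON, and reports files that were added, removed, or changed. The directory tree it examines is constructed in a temporary folder so the script runs offline; the file names (sshd, passwd, cron.d) are illustrative only.

```python
"""Minimal file-integrity monitor in the style of Tripwire/OSSEC syscheck.

Added example for this wiki page; it is not Tripwire or OSSEC code.
"""
import hashlib
import json
import os
import stat
import tempfile


def _fingerprint(path):
    """SHA-256 of the content plus the permission bits. Both are things an
    attacker changes (binary replacement, mode change) and both are cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    return {"sha256": h.hexdigest(), "mode": mode}


def build_baseline(root):
    """Walk root and return {relative path: fingerprint} for every regular file.
    Symlinks are skipped so a link to /dev/zero cannot stall the scan."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _fingerprint(full)
    return baseline


def compare(baseline, current):
    """Return the integrity delta between a stored baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write(root, rel, data, mode=None):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    if mode is not None:
        os.chmod(path, mode)


def demo():
    """Constructed scenario (illustrative names): take a baseline, then tamper
    with the tree the way a post-compromise host would be altered."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/sshd", b"original sshd binary", 0o755)
        _write(root, "bin/ls", b"ls binary", 0o644)
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n", 0o644)
        _write(root, "etc/motd", b"welcome\n", 0o644)
        # In practice the baseline is stored off-box; JSON shows it is plain data.
        saved = json.dumps(build_baseline(root))

        # Tampering: trojaned binary, mode change only, appended user,
        # deleted file, and a new persistence file.
        _write(root, "bin/sshd", b"trojaned sshd binary", 0o755)
        os.chmod(os.path.join(root, "bin/ls"), 0o755)
        with open(os.path.join(root, "etc/passwd"), "ab") as fh:
            fh.write(b"backdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc/motd"))
        _write(root, "etc/cron.d", b"* * * * * root /tmp/x\n", 0o644)

        report = compare(json.loads(saved), build_baseline(root))
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The mode-only change on bin/ls is the case a content-hash-only monitor misses, which is why both tools record attributes alongside digests. The baseline itself must live somewhere the monitored host cannot silently rewrite (Open Source Tripwire signs its database with a local key; OSSEC keeps the syscheck database on the manager), otherwise an attacker who replaces a file can also update its recorded hash.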

Prev: Practices | Next: Glossary