https://owasp.org/www-project-devsecops-maturity-model/
Attackers are intelligent and creative, equipped with new technologies and purpose. Under the guidance of the forward-looking DevSecOps Maturity Model, appropriate principles and measures are at hand implemented which counteract the attacks.
https://github.com/OWASP/Container-Security-Verification-Standard
a community-effort to establish a framework of security requirements and controls that focus on normalizing the functional and non-functional security controls required when designing, developing and testing container-based solutions with a focus on Docker.
https://owasp.org/www-project-application-security-verification-standard/
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
https://owasp.org/www-project-samm/
Our mission is to provide an effective and measurable way for you to analyze and improve your secure development lifecycle. SAMM supports the complete software lifecycle and is technology and process agnostic. We built SAMM to be evolutive and risk-driven in nature, as there is no single recipe that works for all organizations.
https://find-sec-bugs.github.io/
The SpotBugs plugin for security audits of Java web applications.
If you are new to security testing, then ZAP has you very much in mind. Check out our ZAP in Ten video series to learn more!
https://owasp.org/www-project-dependency-check/
Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
https://owasp.org/www-project-proactive-controls/
The OWASP Top Ten Proactive Controls describes the most important controls and control categories that every architect and developer should absolutely, 100% include in every project.
Prowler is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
is a free command line tool which checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
https://github.com/GoogleContainerTools/distroless
Less is more.
“Distroless” images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.
Semgrep helps security engineers and developers find and fix the issues that matter before production.
https://github.com/FloeDesignTechnologies/phpcs-security-audit
phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code.
https://owasp.org/www-project-docker-top-10/
The OWASP Docker Top 10 project is giving you ten bullet points to plan and implement a secure docker-based container environment.
https://owasp.org/www-project-api-security/
API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs).
https://owasp.org/www-project-top-ten/
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.