There are a variety of free and open-source web security tools available for use. These tools can help to identify vulnerabilities in web applications and infrastructure, and can easily be used by anyone in your organization.
In this post, we’ll explore just a few simple tools that you can put to use quickly to vastly improve the security of your organization.
detect-secrets
Many developers don’t know there is anything wrong with hardcoding secrets in code or pushing them to a file in a repo. This is bad! With the number of hacks leading to stolen code, you never know when these will leak out. Worse yet, by being littered in your repos, you may not know what secrets you need to roll in the event of a breach.
detect-secrets is a tool developed by Yelp that can be used to detect and prevent the accidental commit of sensitive information, such as passwords, API keys, and other secrets, in a code repository. The tool works by scanning a code repository for known patterns of sensitive information (for example, regular expressions that match the format of common API keys, or strings with suspiciously high entropy) and comparing the results against a set of predefined rules.
The tool can be integrated into the development process by running it as a pre-commit hook, which will block any commit containing sensitive information. It can also be run as a command line utility that can be scheduled to run periodically, or on demand, to check for any newly committed secrets. It is recommended to run this as a pre-commit hook to avoid having your secrets land in the git history at all.
detect-secrets uses a modular approach, which means that users can define their own custom patterns and rules for detecting sensitive information. This allows the tool to be tailored to the specific needs of an organization and its unique use cases.
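As an added illustration of the two detection strategies described above (fixed patterns and high-entropy strings) run over the added lines of a diff the way a pre-commit hook would: this is example code, not detect-secrets' own, the rules are simplified, and the entropy thresholds only mimic detect-secrets' defaults for hex and base64 strings. The diff is a constructed sample.

```python
import math
import re
# Simplified rules in the spirit of detect-secrets' plugins (own code, not the tool's).
PATTERNS = {
    "AWS access key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Keyword assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
# Like detect-secrets, use a lower entropy bar for hex (3.0 bits) than for base64 (4.5 bits).
ENTROPY_RULES = [
    ("High-entropy hex string", re.compile(r"['\"]([0-9a-fA-F]{20,})['\"]"), 3.0),
    ("High-entropy base64 string", re.compile(r"['\"]([A-Za-z0-9+/=]{20,})['\"]"), 4.5),
]
def shannon_entropy(s: str) -> float:
    """Bits per character; random key material scores near its alphabet's maximum."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))
def added_lines(diff_text: str) -> list:
    """Keep only what the commit adds: '+' lines of a unified diff, minus the '+++' header."""
    return [l[1:] for l in diff_text.splitlines()
            if l.startswith("+") and not l.startswith("+++")]
def scan_lines(lines) -> list:
    """Return (line_no, rule, matched_text) for each added line that looks like a secret."""
    findings = []
    for no, line in enumerate(lines, 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append((no, rule, m.group(m.lastindex or 0)))
                break
        else:  # no fixed pattern hit: fall back to the entropy of quoted strings
            for rule, rx, threshold in ENTROPY_RULES:
                hits = [t for t in rx.findall(line) if shannon_entropy(t) >= threshold]
                if hits:
                    findings.append((no, rule, hits[0]))
                    break
    return findings
SAMPLE_DIFF = """\
+++ b/config.py
@@ -1,2 +1,6 @@
-API_KEY = "old-value"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
+api_key = os.environ["API_KEY"]
+SESSION_SALT = "c1f7a9e3b2d84f60e5a7c3d9b1f2e4a6"
+SIGNING_KEY_B64 = "q7Rk2pZ9xLw4Tn8vBd3sMf6H"
"""  # constructed sample diff, not from a real repository
if __name__ == "__main__":  # a hook would feed it `git diff --cached` instead
    found = scan_lines(added_lines(SAMPLE_DIFF))
    print(*found, sep="\n")
    raise SystemExit(1 if found else 0)  # non-zero exit is what blocks the commit
```

Only the removed line and the value read from the environment pass; the other four added lines are reported, and the script's exit code is what a git hook would use to refuse the commit.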
OSV-Scanner
Modern development increasingly relies on third-party dependencies to build applications. In fact, it is estimated that over 70% of the code used in an application comes from third-party dependencies. Thus it is easy to see why you must keep your dependencies up to date when a vulnerability is discovered in them. With all of these dependencies, how can you possibly keep up?
Enter OSV-Scanner, by Google. This tool was just recently announced and is gaining popularity fast. OSV-Scanner uses the open source OSV.dev database to keep track of vulnerabilities across many different ecosystems. It provides a simple CLI which you can execute against your code to generate a list of dependency vulnerabilities and the versions they are fixed in.
Using a dependency vulnerability scanner can help identify known vulnerabilities in the third-party packages that your software depends on. This can help you take steps to address these vulnerabilities and improve the overall security of your software. Some of the advantages of using a dependency vulnerability scanner include:
- Identifying vulnerabilities early: By regularly scanning your dependencies, you can identify vulnerabilities as soon as they are discovered and take action to mitigate them before they can be exploited.
- Automating the process: A dependency vulnerability scanner can automate the process of identifying vulnerabilities, which can save time and resources compared to manually reviewing each dependency.
- Prioritizing vulnerabilities: A dependency vulnerability scanner can help prioritize vulnerabilities based on their severity and potential impact, allowing you to focus on the most critical issues first.
- Supporting compliance: Some organizations have regulations and compliance requirements that mandate the use of vulnerability scanners to detect and mitigate security risks.
OpenSquat
OpenSquat is a free and open-source tool for identifying and monitoring squatting domains. Domain squatting, also known as typosquatting or URL hijacking, is the practice of registering domain names that are similar to popular websites with the intention of redirecting traffic to a malicious or unwanted site. OpenSquat allows you to detect and track these types of domains, and can be used to protect your brand and prevent phishing attacks.
A few simple examples of URL typosquatting are:
There are many more ways to pull off this attack. Attackers can use this to phish your clients and damage your brand.
The tool works by comparing a list of target domains, such as a company’s website, with a list of known squatting domains. OpenSquat then generates a report that shows which domains are similar to the target domains and can be used to monitor and track these domains over time.
You can easily set up a GitHub Action or some other scheduling service to automate the search for these domains on a regular basis. Check out the tool here.
With these tools in hand you can quickly improve the security of your organization. If you need help increasing the security of your applications, get ahold of us!