Open Source Application Security arsenal



Application Security


While building Security Phoenix we thought about sharing some of the open-source components, to help others build a custom arsenal of open-source vulnerability tools.


Various Phases


It all starts with pen and paper.

I always like to start with a mindmap of the various components; it might be old school, but hey, it works and helps to focus.



What are the components of the framework:


*) Enumeration/Reconnaissance - in this phase you list the various components of an application: web sources, APIs, etc.


Then you start the merry-go-round:

  1. Static code analyser - you look at the code and identify, with regular expressions, what's good and bad

  2. Dependency-Check - this lets you build a software composition analysis (SCA): an inventory of the third-party libraries you depend on and their known vulnerabilities

  3. Code relationships - again, this is about how the code and the libraries depend on each other

  4. Cloud assessment - this is an extra component if you have a cloud deployment

  5. Network assessment - there are multiple tools here (from Nmap to Nettacker); it really depends on how deep you want to go

  6. Web/API assessment - here you test, with scripts or injected input, the quality of the code behind the web frontend (Burp and ZAP are the usual names in this case)

  7. Vulnerability managers - there are not many aggregators, which is why we created Security Phoenix: https://www.nsc42.co.uk/securityphoenix

  8. Intelligence framework - this is an extra step if you want to integrate a threat feed/scanner in the project




The core arsenal


*) Enumeration/Reconnaissance

> https://sitereport.netcraft.com/

> https://github.com/rbsec/dnscan

> shodan.io

1) Static code analyser - https://github.com/ShiftLeftSecurity/sast-scan

2) Dependency-Check - https://github.com/jeremylong/DependencyCheck

3) Code relationships - https://github.com/crubier/code-to-graph

4) Cloud assessment - Prowler - https://github.com/toniblyx/prowler

5) Network assessment - Nettacker - https://github.com/zdresearch/OWASP-Nettacker

> Tsunami - https://github.com/google/tsunami-security-scanner

*) Vulnerability scanner/management - Security Phoenix - https://landing.nsc42.com/register-phoenix

6) Intelligence framework - https://github.com/intelowlproject/IntelOwl


Some of the tools available



Feeds: https://www.findbestopensource.com/product/facebookincubator-nvdtools


Network vuln assessment

Website crawlers

> DNS scan: https://github.com/rbsec/dnscan

Vuls - https://vuls.io/

https://github.com/future-architect/vuls

h4cker - https://h4cker.org

https://github.com/The-Art-of-Hacking/h4cker

Watchdog: https://github.com/flipkart-incubator/watchdog

Network:

www.seccubus.com

https://github.com/schubergphilis/Seccubus


Network vuln build:

This could be a set of tools launched from a central location using VM/Docker images.

Idea of the build: www.seccubus.com

https://github.com/schubergphilis/Seccubus

h4cker - https://h4cker.org

https://github.com/The-Art-of-Hacking/h4cker

Cloud assessment - Prowler - https://github.com/toniblyx/prowler - you can script the launch and the collection of scan results

Network assessment - Nettacker - https://github.com/zdresearch/OWASP-Nettacker


Specialisation: code analysis (sub-section)

There are many open-source analysers in the wild, but most of them are specialised in one or two languages.

Good reference: https://github.com/analysis-tools-dev/static-analysis - index of other code analysers


- Python - Bandit - Bandit is a comprehensive source vulnerability scanner for Python

- Ruby - Brakeman - Brakeman is an open-source vulnerability scanner specifically designed for Ruby on Rails applications

- Ruby - Dawnscanner - Dawnscanner is an open-source security source code analyser for Ruby, supporting major MVC frameworks like Ruby on Rails, Padrino, and Sinatra. It also works on non-web applications written in Ruby.

- Java - Yasca - https://github.com/scovetta/yasca

- C/C++ - Flawfinder - Scans C and C++.

- VisualCodeGrepper - https://sourceforge.net/projects/visualcodegrepp/

- PHP - RIPS - A static source code analyser for vulnerabilities in PHP web applications.

- SonarQube - Scans source code in 15 languages for bugs, vulnerabilities, and code smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ are provided by SonarLint.

- HCL AppScan CodeSweep - This is the first Community Edition version of AppScan. It is delivered as a VS Code plugin and scans files when they are saved. The results show the location of a finding, its type, and remediation advice. The tool currently supports Python, Ruby, JS (Node, Angular, jQuery, etc.), PHP, Perl, COBOL, APEX and a few more.


OWASP tools for code analysis

Software - Language(s)

OWASP Code Crawler - .NET, Java

OWASP Orizon Project - Java

OWASP LAPSE Project - Java

OWASP O2 Platform

OWASP WAP (Web Application Protection) - PHP

- Also, a full list here: https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

- Full list of open-source code analysers: https://owasp.org/www-community/controls/Static_Code_Analysis



Specialisation: AWS-specific assessments

A list of different tools that you can deploy to test AWS infrastructure. Remember to fill out the AWS penetration testing form if doing testing like this.

1. prowler - Tool based on AWS-CLI commands for AWS account hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark (https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)

2. nccgroup/Scout2 - Security auditing tool for AWS environments

3. cloudsploit/scans - AWS security scanning checks

4. Amazon Inspector - https://aws.amazon.com/inspector/

5. Netflix/security_monkey - Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations

6. Aardvark - Aardvark is a multi-account AWS IAM Access Advisor API

7. Repokid - AWS Least Privilege for Distributed, High-Velocity Deployment

8. DenizParlak/Zeus - AWS Auditing & Hardening Tool http://www.denizparlak.com/?p=386

9. Nimbostratus - Tools for fingerprinting and exploiting Amazon cloud infrastructures + video presentation and intro blog post

10. Bucket finder - This is a fairly simple tool to run: all it requires is a wordlist, and it will go off and check each word to see if a bucket with that name exists in Amazon's S3 system. For any that it finds, it will check whether the bucket is public, private or a redirect.

11. Tony's mega AWS Tools: https://github.com/toniblyx/my-arsenal-of-aws-security-tools


Others:

https://github.com/ehrishirajsharma/Swiftness - Note taking for vulnerabilities


This concludes the list for now, but I'll continue updating it.



© 2020 by NSC42 LTD
