With reports of cyber attacks via vulnerable software rampant, building security into your software development lifecycle early on becomes essential.
Adopting DevSecOps tools in your workflow is one way to accomplish this. And it doesn’t have to come at a big upfront cost.
Below are some starter tools that provide vulnerability data at no cost. They can be used in addition to NIST’s National Vulnerability Database (NVD) and MITRE to step up your software security efforts.
OSS Index from Sonatype
OSS Index is an entire catalogue of open-source components that anyone can search. It provides data on the vulnerabilities lurking in a component and their severity, along with licensing information.
“OSS Index is a free catalogue of open source components and scanning tools to help developers identify vulnerabilities, understand risk, and keep their software safe.”
A search for struts-core, for example, reveals interesting bits:
Remedy Cloud by Vulcan
Remedy Cloud from Vulcan Cyber was launched earlier this month.
The simple, easy-to-use interface lets you look up vulnerabilities by their CVE identifiers.
Try looking up some recently announced zero-days, such as Chromium’s.
The web UI offers users the option to download vulnerability data in CSV format after they provide their email address.
Snyk Vulnerability DB
The Snyk Vulnerability DB provides a plethora of information about open source components and the vulnerabilities impacting them. Data includes both CVE identifiers and Snyk’s proprietary identifiers.
Users can sort by the type of component (cocoapods, Composer, Go, npm, etc.). The web UI lists vulnerabilities by category, such as Prototype Pollution, Directory Traversal and Denial of Service (DoS).
While not concerned with vulnerability data per se, SonarQube has a free community edition that touts itself as “the starting point for adopting code quality in your CI/CD.”
Over fifty community plugins are also available, further extending SonarQube’s abilities.
Most developers may benefit from using these DevSecOps tools in conjunction with each other rather than picking and choosing between them, to get maximum value for their software development process.