With reports of cyber attacks exploiting vulnerable software now commonplace, building security into your software development lifecycle early on has become essential.
Adopting DevSecOps tools in your workflow is one way to accomplish this, and it doesn’t have to come at a big upfront cost.
Below are some starter tools that provide vulnerability data at no cost and can be used alongside NIST’s National Vulnerability Database (NVD) and MITRE to step up your software security efforts.
OSS Index is a catalogue of open-source components that anyone can search. For each component it reports the known vulnerabilities and their severity, along with licensing information.
“OSS Index is a free catalogue of open source components and scanning tools to help developers identify vulnerabilities, understand risk, and keep their software safe.”
A search for struts-core, for example, reveals some interesting results.
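One way to turn such lookups into a build gate, as an added example that is not part of the original post: batch the project’s dependencies (as Package URLs) to OSS Index and fail the build when any component carries a vulnerability at or above a CVSS threshold. It assumes the OSS Index REST API v3 component-report endpoint and response shape; the report used below is constructed sample data, not a live response.

```python
"""Fail a build on OSS Index component-report data (added example, not the project's code).

Assumes the OSS Index REST API v3 endpoint
POST https://ossindex.sonatype.org/api/v3/component-report
which accepts {"coordinates": [<purl>, ...]} and returns one report per
coordinate carrying a "vulnerabilities" list with "cvssScore" values.
SAMPLE_REPORTS below is CONSTRUCTED data shaped like that response.
"""
import json
import urllib.request

OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"


def fetch_reports(purls):
    """Query OSS Index for a batch of Package URLs (live network call)."""
    body = json.dumps({"coordinates": purls}).encode()
    req = urllib.request.Request(
        OSS_INDEX_URL, data=body,
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def failing_components(reports, threshold=7.0):
    """Return {purl: [(vuln id, cvss score), ...]} for components with any
    vulnerability scoring at or above the threshold, worst score first."""
    failures = {}
    for report in reports:
        hits = [(v.get("cve") or v.get("id"), float(v.get("cvssScore", 0)))
                for v in report.get("vulnerabilities", [])
                if float(v.get("cvssScore", 0)) >= threshold]
        if hits:
            failures[report["coordinates"]] = sorted(hits, key=lambda h: -h[1])
    return failures


# Constructed sample response; the package names, IDs and scores are placeholders.
SAMPLE_REPORTS = [
    {"coordinates": "pkg:maven/org.example/widget-core@1.0.0",
     "vulnerabilities": [
         {"id": "EXAMPLE-1", "cve": "CVE-0000-0001", "cvssScore": 9.8, "title": "constructed"},
         {"id": "EXAMPLE-2", "cvssScore": 5.3, "title": "constructed"}]},
    {"coordinates": "pkg:maven/org.example/widget-utils@2.1.0", "vulnerabilities": []},
]

if __name__ == "__main__":
    bad = failing_components(SAMPLE_REPORTS, threshold=7.0)
    for purl, hits in bad.items():
        print(f"FAIL {purl}: " + ", ".join(f"{vid} ({score})" for vid, score in hits))
    raise SystemExit(1 if bad else 0)  # non-zero exit fails the CI step
```

Swap SAMPLE_REPORTS for fetch_reports(purls) in a CI step to gate on live data.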
Remedy Cloud from Vulcan Cyber was launched earlier this month.
Its simple, easy-to-use interface lets you look up vulnerabilities by CVE identifier.
Try looking up some recently announced zero-days, such as Chromium’s.
The web UI offers users the option to download vulnerability data in CSV format after they provide an email address.
The Snyk Vulnerability DB provides a wealth of information about open-source components and the vulnerabilities affecting them. Its data includes both CVE identifiers and Snyk’s own proprietary identifiers.
Users can filter by component ecosystem (such as CocoaPods, Composer, Go, npm, etc.). The web UI lists vulnerabilities by category, such as Prototype Pollution, Directory Traversal, Denial of Service (DoS), etc.
While not concerned with vulnerability data per se, SonarQube has a free community edition that touts itself as, “the starting point for adopting code quality in your CI/CD.”
Integrating SonarQube with your IDE extends static code analysis capabilities in fifteen languages including Java, JavaScript, C#/.NET, Go, and Python.
Over fifty community plugins are also available, further extending SonarQube’s abilities.
Most developers will get the most value for their software development process by using these DevSecOps tools together rather than picking and choosing between them.