4 free DevSecOps tools for staying on top of vulnerabilities

With reports of cyber attacks that exploit vulnerable software now rampant, building security into your software development lifecycle early on has become unavoidable.

Adopting DevSecOps tools in your workflow is one way to accomplish this. And it doesn’t have to come at a big upfront cost.

Below are some starter tools that provide vulnerability data at no cost and can be used alongside NIST’s National Vulnerability Database (NVD) and MITRE’s CVE list to step up your software security efforts.

OSS Index from Sonatype

OSS Index is a catalogue of open-source components that anyone can search. For each component it reports the known vulnerabilities affecting it, together with their severity, as well as licensing information.

“OSS Index is a free catalogue of open source components and scanning tools to help developers identify vulnerabilities, understand risk, and keep their software safe.”

A search for struts-core, for example, reveals some interesting findings:

Full disclosure: I’m affiliated with Sonatype, makers of OSS Index.
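As an added example (not code from the article or from Sonatype), the script below shows how a lookup like the struts-core search above could be automated in a CI job, so that components with high-severity findings are flagged before a build ships. It assumes the public OSS Index REST API v3 component-report endpoint and its JSON response shape as I know them; the sample response, the package coordinate and the vulnerability identifiers are constructed placeholders, not real data.

```python
import json
import urllib.request

# Assumption: OSS Index v3 component-report endpoint. You POST a JSON list of
# package-URL coordinates and receive one report object per coordinate.
OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"


def fetch_reports(coordinates, timeout=10):
    """Query OSS Index for the given package URLs (live, unauthenticated call)."""
    body = json.dumps({"coordinates": coordinates}).encode()
    req = urllib.request.Request(
        OSS_INDEX_URL, data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def triage(reports, min_score=7.0):
    """Return (coordinate, identifier, cvssScore, title) tuples for findings at or
    above min_score, highest score first, so a pipeline can fail on them.
    Falls back to the OSS Index id when a finding has no CVE assigned."""
    findings = []
    for report in reports:
        for vuln in report.get("vulnerabilities", []):
            score = float(vuln.get("cvssScore") or 0.0)
            if score >= min_score:
                ident = vuln.get("cve") or vuln["id"]
                findings.append((report["coordinates"], ident, score, vuln.get("title", "")))
    return sorted(findings, key=lambda f: f[2], reverse=True)


# Constructed sample response in the assumed shape; ids and scores are placeholders.
SAMPLE_REPORTS = [
    {
        "coordinates": "pkg:maven/org.apache.struts/struts2-core@0.0.0-EXAMPLE",
        "vulnerabilities": [
            {"id": "PLACEHOLDER-1", "cve": "CVE-0000-0001", "cvssScore": 9.8, "title": "[constructed] remote code execution"},
            {"id": "PLACEHOLDER-2", "cve": None, "cvssScore": 5.3, "title": "[constructed] information disclosure"},
            {"id": "PLACEHOLDER-3", "cve": "CVE-0000-0003", "cvssScore": 7.5, "title": "[constructed] denial of service"},
        ],
    },
    {"coordinates": "pkg:npm/example-clean@1.0.0", "vulnerabilities": []},
]

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_reports([...]) for a live lookup.
    for coord, ident, score, title in triage(SAMPLE_REPORTS):
        print(f"{score:4.1f}  {ident:15}  {coord}  {title}")
```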

Remedy Cloud by Vulcan

Remedy Cloud from Vulcan Cyber was launched earlier this month.

Its simple, easy-to-use interface lets you look up vulnerabilities by their CVE identifiers.

Try looking up some recently announced zero-days, such as Chromium’s.

The web UI also offers users the option to download vulnerability data in CSV format after they provide their email address.

Snyk Vulnerability DB

The Snyk Vulnerability DB provides a wealth of information about open source components and the vulnerabilities affecting them. Its data includes both CVE identifiers and Snyk’s own proprietary identifiers.

Users can filter by component ecosystem (such as CocoaPods, Composer, Go, npm, etc.). The web UI also lists vulnerabilities by category, such as Prototype Pollution, Directory Traversal, Denial of Service (DoS), etc.

SonarQube

While not concerned with vulnerability data per se, SonarQube has a free Community Edition that touts itself as “the starting point for adopting code quality in your CI/CD.”

Integrating SonarQube with your IDE extends its static code analysis capabilities across fifteen languages, including Java, JavaScript, C#/.NET, Go, and Python.

Over fifty community plugins are also available, further extending SonarQube’s abilities.

Most developers will get the most value for their software development process by using these DevSecOps tools in conjunction with each other rather than picking and choosing between them.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
