Business

4 free DevSecOps tools for staying on top of vulnerabilities

As reports of cyber attacks via vulnerable software are rampant, building security early on into your software development lifecycle becomes inevitable.

Adopting DevSecOps tools in your workflow is one way to accomplish this. And it doesn’t have to come at a big upfront cost.

Below are some starter tools to provide vulnerability data at no cost that can be used in addition to NIST’s National Vulnerability Database (NVD) and MITRE to step up your software security efforts.

OSS Index from Sonatype

OSS Index lets you look up an entire catalogue of open-source components that can be searched by anyone. It provides data on what severity vulnerabilities are lurking in a component and licensing information.

“OSS Index is a free catalogue of open source components and scanning tools to help developers identify vulnerabilities, understand risk, and keep their software safe.”

A search for struts-core for example reveals interesting bits:

Full disclosure: I’m affiliated with Sonatype, makers of OSS Index.

Remedy Cloud by Vulcan

Remedy Cloud from Vulcan Cyber has been launched earlier this month.

The simplistic and easy-to-use interface lets you look up vulnerabilities by their CVE identifiers.

Try looking up some recently announced zero-days, such as Chromium’s.

The web UI offers user the option to download vulnerability data in CSV format, after they provide their email address.

Snyk Vulnerability DB:

The Snyk Vulnerability DB provides a plethora of information about open source components and the vulnerabilities impacting them. Data includes both CVE and SNYK’s proprietary identifiers.

Users can sort the type of components (such as cocoapods, Composer, Go, npm, etc.). The web UI lists vulnerabilities by category, such as Prototype Pollution, Directory Traversal, Denial of Service (DoS), etc.

SonarQube

While not concerned with vulnerability data per se, SonarQube has a free community edition that touts itself as, “the starting point for adopting code quality in your CI/CD.”

Integrating SonarQube with your IDE extends static code analysis capabilities in fifteen languages including Java, JavaScript, C#/.NET, Go, and Python.

Over fifty community plugins are also available further extending SonarQube’s abilities.

Most developers may benefit from using these DevSecOps tools in conjunction with each other rather than picking and choosing between them, to get maximum value for their software development process.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).