About the OWASP Free for Open Source Application Security Tools
If you are a software developer, IT project manager, or information security professional, you're probably aware of the OWASP Top 10 Web Application Security Risks. But did you know that OWASP provides many more resources to help you secure your web posture and estate?
One example is the list of free-for-open-source application security tools, a collection of useful tools that can help you improve the software that you and your team are developing.
The following are just a few examples of the tools listed:
- Static Application Scanning Tools (Source Code Analysis Tools) that analyse source code or compiled code to report on security flaws.
- Dynamic Application Scanning Tools (Vulnerability Scanning Tools) that scan web applications to report on security vulnerabilities such as those identified in the Top 10.
- Vulnerability Scanning Tools to help you identify your third-party software components that require patches, including:
  - Tools that will update your libraries: Dependabot, and the Maven Versions plugin.
  - Tools that detect known vulnerable components: WhiteSource, SourceClear, Snyk.
- Code Quality Tools, including:
  - SonarQube (for numerous languages including C#, Python, Ruby, VB6, etc.),
  - DeepScan (for JavaScript and TypeScript),
  - SpotBugs (for Java).
- GitLab's Tools: There are also links to some of the security tools that GitLab uses for SAST, DAST, Dependency Analysis and Container Scanning, as well as OWASP's own free open source tools for Dependency Checking and Dependency Tracking.
OWASP published these pages to encourage more commercial tool vendors to make their tools free for open source projects, and to encourage open source project teams to use the tools.