Security and privacy form a complex ecosystem of evolving threats and tools. We can help identify tools that match the maturity of your code and your business, so that security costs scale with growth in revenue or product adoption.


A good place to start is the OWASP Top 10. From OWASP:

"The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list."


OWASP releases its Top 10 every few years. The most recent is 2017:

Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring

For more on the OWASP Top 10, see https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project

There are many open source security tools on the market. Here is a list of some popular ones:
OWASP Orizon
OWASP LAPSE
OWASP O2 Platform
OWASP WAP - Web Application Protection
Boon - http://www.cs.berkeley.edu/~daw/boon
FindBugs - http://findbugs.sourceforge.net
Find Security Bugs - https://find-sec-bugs.github.io/
FlawFinder - http://www.dwheeler.com/flawfinder
Google CodeSearchDiggity - http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/
phpcs-security-audit - https://github.com/FloeDesignTechnologies/phpcs-security-audit
PMD - http://pmd.sourceforge.net/
Microsoft’s FxCop
.NET Security Guard - https://dotnet-security-guard.github.io/
Oedipus - http://www.darknet.org.uk/2006/06/oedipus-open-source-web-application-security-analysis/
Puma Scan - https://pumascan.com
Splint - http://splint.org
SonarQube - http://sonarqube.org
W3af - http://w3af.sourceforge.net/

This list came from OWASP. For their full list of tools, including paid tools, see https://www.owasp.org/index.php/Appendix_A:_Testing_Tools#Open_Source_.2F_Freeware


For help running your scan, prioritizing the results, and training your technical people to secure your systems, contact us!