Open source is great for many things, but in particular for security devtools. In this article, we'll look at some of the best Open Source Security tools on GitHub that you can use to easily boost security of your apps. This list of 5 tools was curated from the Open Source Security Index which contains 100 different projects in total.
Oftentimes, security is not the first thing developers think about when developing their apps. In fact, almost always, speed and execution take a priority over great security practices. This sometimes goes unnoticed, but, increasingly often, we see even large companies like Uber, CircleCI, and Atlassian getting hacked.
Why is this so? Mostly, because traditionally security tools have been very hard to set up and maintain - in addition they required a lot of expertise from the engineer using them. But this is no longer true! And the following is the list of 5 devtools that are changing this narrative.
Infisical is the youngest project on this list, and yet it's already #17. It is an open source end-to-end secret management platform.
What does this mean? Infisical provides tools to distribute secrets and environment variables across your infrastructure (e.g., Vercel, AWS, GitHub Actions, Circle CI, etc) and across your team (using a CLI or SDKs to automatically pull the environments with latest secrets). Next to that, it also does automatic secret scanning and secret leak prevention.
Kubeshark is the the API traffic analyzer for Kubernetes providing real-time K8s protocol-level visibility, capturing and monitoring all traffic and payloads going in, out and across containers, pods, nodes and clusters. You can think of it as TCPDump and Wireshark re-invented for Kubernetes.
Supertokens is an open source alternative to Auth0, Firebase Auth, and AWS Cognito. Supertokens architecture is optimized to add secure authentication for your users without compromising on user and developer experience.
It is an end-to-end solution with login, sign ups, user and session management – and, most importantly, you can use it without all the complexities of OAuth protocols.
Metlo allows you to find API vulnerabilities before they make it into production. It scans your mirrored network traffic to create a catalog of all your APIs - even the undocumented, legacy, and shadow APIs. After that, each endpoint is scanned for sensitive data and given a risk score.
In addition, Metlo alerts you as soon as anomalous API usage patterns are detected and gives you full context around any attack to help quickly fix the vulnerability.
As we have seen, each of the above tools provides an (almost) automatic way to make sure that your apps are as secure as possible – thereby making your users safe. Everyone can benefit from trying and learning about these tools, no matter how experienced you are.
The fact that these projects are open source provides a unique advantage because every developer can try them out, while at the same they are much easier for large enterprises to adopt – given how stringent their security and complaince policies may be.
Please, add to comments if you think some other open source security dev tools should be on this list but were missed. Looking forward to the discussion!