10 Free DevOps-Friendly Security Tools Developers Will Love
Start building an affordable DevSecOps automation toolchain with these free application security tools.
May 25, 2018
One of the key ways to get developers to jump wholeheartedly onto the application security (appsec) bandwagon is to stop making it so darned difficult for them to shoehorn security processes into their daily workflows. A big ingredient to DevSecOps success is an organization's ability to implement security tools that developers don't hate.
To do that, organizations need to improve the integration between the security testing suite and all of the rest of the tools developers use to deliver software. The good news is that this kind of integration doesn't have to break the bank. While it's probably not possible to do this completely for free, the fact is that some of the most DevOps friendly security tools that integrate well into the continuous integration/continuous delivery (CI/CD) stack also happen to be free.
Here are some promising possibilities.
Led by the same group that brings together the industry standard benchmark OWASP Top 10 vulnerability list, OWASP ZAP hands developers the power of free automated security scanning. ZAP has already gained a lot of uptake in the enterprise and the big DevOps bonus here is that it's got a well-regarded Jenkins plug-in that can help dev teams streamline it into their DevOps toolchain.
Get The Tool: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
A security testing framework purpose-made to be embedded into the continuous integration (CI) pipeline favored by DevOps teams, Gauntlt has a rabid following in both the dev and security worlds. The reason it's so popular is because it provides the glue to make a lot of existing security tools usable within the Cucumber testing framework that DevOps teams use for the rest of their automated testing. This can do a lot to help alleviate dev frustration by busting security testing silos.
Get The Tool: http://gauntlt.org
BDD-Security offers another security acceptance testing framework alternative. It uses Behavior Driven Development concepts to help teams set and automatically test their security specs and is also based on Cucumber. BDD-Security comes pre-wired to support Selenium/WebDriver, OWASP ZAP, SSLyze, and Nessus. This is an external scanner that doesn't require access to the target's source code to work.
Get The Tool: https://github.com/continuumsecurity/bdd-security
The pell-mell pace of DevOps code-commits on GitHub has opened up a lot of risks when there aren't enough processes or tools in place to help developers instill discipline around sensitive data. The last couple of years have offered up some pretty glaring examples of lax security practices that led to breaches of seriously sensitive data on GitHub repositories - Uber being a prime example in 2016. Git-Hound is a free security tool meant to help reduce some of the risks by providing automated checks to ensure sensitive data isn't committed into code repos.
Get The Tool: https://github.com/ezekg/git-hound
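As an added example (not Git-Hound's own code) of the kind of check this entry describes, the following Python script scans only the lines a commit adds for credential-shaped strings, using a constructed diff as input; the patterns and the entropy threshold are assumptions, not Git-Hound's rule set.

```python
# Git-Hound-style pre-commit check: scan only the lines a commit adds and block the
# commit when one looks like a secret. Added example; patterns are assumed, representative.
import math
import re
from collections import Counter
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

def shannon_entropy(s):
    n = len(s)  # bits per character; random tokens score higher than identifiers
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def added_lines(diff_text):
    """Yield (path, new_line_no, text) for every '+' line of a unified diff."""
    path, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0].removeprefix("b/")
        elif raw.startswith("@@"):
            line_no = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+"):
            yield path, line_no, raw[1:]
            line_no += 1
        elif not raw.startswith(("-", "\\")):
            line_no += 1  # context line; removed lines do not advance the new-file counter

def scan_diff(diff_text, entropy_threshold=4.0):
    """Return [(path, line, finding)]; an empty list means the commit may proceed."""
    findings = []
    for path, line_no, text in added_lines(diff_text):
        hits = [name for name, pat in PATTERNS.items() if pat.search(text)]
        # Entropy fallback catches random API tokens that no named pattern covers
        if not hits and any(shannon_entropy(t) >= entropy_threshold
                            for t in re.findall(r"[A-Za-z0-9+/=_-]{20,}", text)):
            hits.append("high_entropy_string")
        findings.extend((path, line_no, h) for h in hits)
    return findings

SAMPLE_DIFF = """--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
 DEBUG = False
+API_TOKEN = "g7Hq2kLm9XpZ4vBn1cRt8sWy"
"""  # constructed sample: a developer swaps an env lookup for literal credentials
```

Wired into a pre-commit hook, `git diff --cached` would be fed to `scan_diff` and a non-empty result would fail the hook.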
An open source static-code analysis tool with a mature and lively community, Brakeman hunts down security vulnerabilities in Ruby on Rails applications. It has built up a lot of steam since first entering the picture in 2013 and recently broke the 11 million downloads mark.
Get The Tool: https://brakemanscanner.org
Like Brakeman, FindSecurityBugs is a free static-code analysis tool - this one aimed primarily at Java applications. It taps into an integrated development environment (IDE), with a number of useful plug-ins to systems like Jenkins, Eclipse, and Maven, among others.
Get The Tool: https://find-sec-bugs.github.io
Introduced at BlackHat Asia's Arsenal earlier this year, Archery is a relatively new kid on the block compared to a lot of tools on this list, but it's got the makings for growing into its own. It's an open-source vulnerability assessment and management tool that performs dynamic authenticated scanning using Selenium. Devs will appreciate Archery's REST APIs, which should give them the power to easily drop it into their DevOps toolset.
Get The Tool: https://github.com/toolswatch/blackhat-arsenal-tools/blob/master/vulnerability_assessment/archery.md
DevOps teams have been turning in droves to Kubernetes to help them orchestrate their containerized workloads. It's proving a powerfully scalable tool for deploying containerized applications, but like anything powerful and scalable it calls out for some important security practices to ensure risks are minimized in the process. Fortunately, the Center for Internet Security (CIS) has developed a comprehensive set of recommendations for hardening Kubernetes implementations. This tool provides a valuable set of automated scripts to ensure organizations are following the benchmark.
Get The Tool: https://github.com/neuvector/kubernetes-cis-benchmark
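An added example, not code from the benchmark project, of the kind of automated check such scripts perform: it parses a constructed kube-apiserver command line and evaluates four representative CIS benchmark items against it; the check titles and remediation strings are this example's own wording.

```python
# CIS-benchmark-style audit of kube-apiserver flags, in the spirit of the automated
# scripts above. Added example, not that project's code; the four checks are
# representative benchmark items and the sample command line is constructed.
import shlex

SAMPLE_CMDLINE = (  # constructed: roughly what `ps -ef` shows on a control-plane node
    "kube-apiserver --advertise-address=10.0.0.5 --anonymous-auth=true "
    "--authorization-mode=Node,RBAC --audit-log-path=/var/log/kube-audit.log "
    "--enable-admission-plugins=NodeRestriction --profiling=false"
)

def parse_flags(cmdline):
    """Map '--key=value' arguments to a dict; a bare '--flag' counts as 'true'."""
    flags = {}
    for tok in shlex.split(cmdline)[1:]:
        if tok.startswith("--"):
            key, _, val = tok[2:].partition("=")
            flags[key] = val or "true"
    return flags

# (title, passes(flags), remediation). Defaults mirror kube-apiserver's own defaults,
# so an absent flag is judged the way the running server actually behaves.
CHECKS = [
    ("anonymous-auth is set to false",
     lambda f: f.get("anonymous-auth", "true") == "false",
     "start kube-apiserver with --anonymous-auth=false"),
    ("authorization-mode does not include AlwaysAllow",
     lambda f: "AlwaysAllow" not in f.get("authorization-mode", "AlwaysAllow").split(","),
     "use --authorization-mode=Node,RBAC"),
    ("audit-log-path is set",
     lambda f: bool(f.get("audit-log-path")),
     "set --audit-log-path to a file on persistent storage"),
    ("profiling is disabled",
     lambda f: f.get("profiling", "true") == "false",
     "set --profiling=false"),
]

def audit(cmdline):
    """Return {title: (passed, remediation or None)} for every check."""
    flags = parse_flags(cmdline)
    result = {}
    for title, passes, fix in CHECKS:
        ok = passes(flags)
        result[title] = (ok, None if ok else fix)
    return result

def failed_checks(cmdline):
    return sorted(title for title, (ok, _) in audit(cmdline).items() if not ok)
```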
The last couple of years have presented a parade of embarrassments when it comes to enterprise AWS hygiene. In the haste to push code faster, many developer organizations have gotten very sloppy with how they secure their development environments, and that's led to some very high profile breaches. CloudSploit helps DevOps teams scan their AWS accounts for the kinds of misconfigurations and other security risks that lead directly to these kinds of exposures.
Get The Tool: https://github.com/cloudsploit/scans
Led by the infrastructure-as-code provider Chef, InSpec provides the tools to bake compliance, security, and policy requirements into the infrastructure-as-code ethos. This open source project makes it possible to turn policies into human- and machine-readable language. It's not just for Chef, either. It's platform-agnostic and will work in Puppet environments, and it plays nicely with other platforms and systems like Docker, Azure, AWS, and more.
Get The Tool: https://www.inspec.io