Overview
...
Category | Tool Name | Description | License
---|---|---|---
Static analysis | Coverity | Finds defects and security vulnerabilities in custom source code written in C, C++, Java, C#, JavaScript and more. Coverity Scan is a free, cloud-based static-analysis service for the open source community. | Commercial
Static analysis | SonarQube | SonarQube (formerly Sonar) is an open-source platform developed by SonarSource for continuous inspection of code quality; it performs automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities. | GNU LGPL
Static analysis | Veracode | Veracode provides multiple security analysis technologies on a single platform, including static analysis, dynamic analysis, mobile application behavioral analysis and software composition analysis. Evaluated by AT&T. |
Static analysis | Fortify | Used by AT&T. |
Static analysis | Helix QAC | Helix QAC is the most accurate static code analyzer for C and C++. |
Static analysis | CodeSonar | CodeSonar performs a unified dataflow and symbolic execution analysis that examines the computation of the entire program. |
Static analysis | MISRA | MISRA and the associated tools. Should we conform to the MISRA standard? |
Dynamic analysis | IBM Security AppScan | Evaluated by AT&T. | Commercial
Dynamic analysis | Fortify WebInspect | Used by AT&T. | Commercial
Dynamic analysis | Veracode | Veracode provides multiple security analysis technologies on a single platform, including static analysis, dynamic analysis, mobile application behavioral analysis and software composition analysis. | Commercial
Dynamic analysis | angr | angr is a platform-agnostic binary analysis framework. It performs |
Dynamic analysis | Valgrind | The Valgrind tool suite provides a number of debugging and profiling tools. | GPLv2
Dynamic analysis | KLEE | KLEE is a symbolic virtual machine built on top of the LLVM compiler infrastructure, available under the UIUC open source license. | UIUC open source license
Dynamic analysis | LLVM/Clang Sanitizers | AddressSanitizer, one of the LLVM/Clang sanitizers, is a fast memory error detector consisting of a compiler instrumentation module and a run-time library. The tool can detect the following types of bugs: |
Dynamic analysis | FlowDroid (Java) | FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool; it can be used to scan Java bytecode. |
Pen test | Metasploit Framework | The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. | BSD
Pen test | OWASP Zed Attack Proxy (ZAP) | OWASP ZAP is an open-source web application security scanner. | Apache
Pen test | AutoSploit | AutoSploit attempts to automate the exploitation of remote hosts. |
Pen test | Armitage | Armitage is a graphical cyber attack management tool for Metasploit. |
Pen test | cisco-global-exploiter | Cisco Global Exploiter (CGE) is an advanced, simple and fast security testing tool. |
Pen test | Burp Suite | |
Pen test | Postman | Browser plugin (Randy Stricklin to add details on how to integrate it with CI/CD). |
Fuzzing test | OSS-Fuzz | OSS-Fuzz conducts continuous fuzzing of open source software. | Apache
Fuzzing test | AFL | American fuzzy lop is a fuzzer that employs genetic algorithms to efficiently increase the code coverage of its test cases. | Apache
Vulnerability analysis | JFrog Xray | Used by AT&T. Vulnerability scanning of container, npm, RPM, Debian and other artifacts. | Commercial
Vulnerability analysis | CoreOS Clair | Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker). | Apache
Vulnerability analysis | Cybellum | Cybellum V-Ray gives full component visibility and risk assessment, based on automated vulnerability detection. |
Vulnerability analysis | GrammaTech CodeSonar | Source code and binary level static analysis. |
Vulnerability analysis | ClamAV | Anti-virus. | Open source
Vulnerability analysis | Nmap | Discovers hosts and services on a computer network by sending packets and analyzing the responses. | Modified GPLv2
Vulnerability analysis | OpenVAS | The OpenVAS scanner is a comprehensive vulnerability assessment system that can detect security issues in all manner of servers and network devices. |
Vulnerability analysis | Wireshark | Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. |
Vulnerability analysis | Nessus Professional | Nessus helps security professionals quickly and easily identify and fix vulnerabilities, including software flaws, missing patches, malware, and misconfigurations. |
Vulnerability analysis | John the Ripper | John the Ripper is a free password cracking tool. |
Stress test | SlowHTTPTest | SlowHTTPTest is a highly configurable tool that simulates some Application Layer Denial of Service attacks by prolonging HTTP connections in different ways. | Apache
Stress test | MoonGen with DPDK | Fast and flexible packet generator for 10 Gbit/s Ethernet and beyond. MoonGen uses hardware features for accurate and precise latency measurements and rate control. | MIT
Stress test | Pktgen with DPDK | Pktgen is a traffic generator powered by Intel's DPDK, producing 10 Gbit/s wire-rate traffic with 64-byte frames. |
Full stack test | Lynis | Lynis is a free and open source security auditing tool. | GPLv3
Full stack test | OpenSCAP | OpenSCAP is used by OPNFV for security scanning. | GPLv2
Full stack test | Kali Linux | Kali Linux is a Linux distribution containing 300+ penetration testing tools. This distribution can be used for testing external attacks on Akraino systems. |
Platform | (none available yet) | Currently there are no open source tools available for platform security verification on Arm platforms. Arm has released an initial security guidance document, the Server Base Security Guide (SBSG, DEN0086-SBSG-alpha01.pdf), for review; it specifies security requirements and guidance for SBSA/SBBR class systems: https://developer.arm.com/docs/den0086/latest |

TODO (full stack test): for a complete system test we may need to define a test diagram similar to https://insights.sei.cmu.edu/sei_blog/07092018_testingtools_scanlon_figure2_2.png, which should encompass all our tests and describe the test hierarchy and test strategy.
Release
Incident Response Plan
...