Developer Security Mesh

⭐ Star us on GitHub

DevSecMesh is BoxyHQ’s upcoming product to automate security in all parts of your tech stack. By combining Security as Code, security playbooks, compliance controls and some incredible open-source security tools DevSecMesh provides complete automation of your product security. Think of it as an extension of your security team or your security team if you don’t have one.

In the meantime we have curated a list of awesome developer-first security principles for your product. And a set of free OSS tools to use for it where applicable. It is heavily inspired by MVSP, a minimum security baseline for enterprise-ready products and services. Our missions align and we have recently joined their working group.

Designed with simplicity in mind the checklist contains security controls, their description, relevance to popular compliance certifications (like ISO27001, SOC2, MVSP, etc.) and open-source tools you can readily use to automate it.

Shift-left security allows developers to keep pace with agile development and continuous deployment but it’s simply not enough to provide tools that are designed for security teams. What is needed instead is developer tools built for security, allowing developers to built secure products without adding additional work.

We’d love your feedback and contributions to this list. Please submit an issue, PR or reach out to us at [email protected]

We have also consolidated a list of popular compliance frameworks and certifications that you might find interesting.

If you are interested in Developer Security and DevSecOps in general, we invite you to join our Discord community and share more.

Awesome OSS Developer Security Tools

Business controls
Control	Description	Compliance Controls	Tools (if applicable)
Vulnerability reports	Publish the point of contact for security reports on your website Respond to security reports within a reasonable time frame	MVSP 1.1 ISO 27001 A.12.6.1 SOC2 CC7.1
Customer testing	On request, enable your customers or their delegates to test the security of your application Test on a non-production environment if it closely resembles the production environment in functionality Ensure non-production environments do not contain production data	MVSP 1.2 ISO 27001 A.12.6.1 SOC2 CC7.1
External testing	Contract a security vendor to perform annual, comprehensive penetration tests on your systems	MVSP 1.4 ISO 27001 A.12.6.1 SOC2 CC7.1
Training	Implement role-specific security training for your personnel that is relevant to their business function	MVSP 1.5 ISO 27001 A.7.2.2 SOC2 CC2.2
Compliance	Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18 Comply with local laws and regulations in jurisdictions applicable to your company and your customers, such as GDPR, Binding Corporate Rules, and Standard Contractual Clauses	MVSP 1.6 ISO 27001 SOC2	Steampipe Compliance Mods
Incident management	Notify your customers about a breach without undue delay, no later than 72 hours upon discovery Include the following information in the notification: Relevant point of contact Preliminary technical analysis of the breach Remediation plan with reasonable timelines	MVSP 1.7 ISO 27001 A.16.1 SOC2 CC7.3
Application design controls
Control	Description	Compliance Controls	Tools (if applicable)
Single Sign-On	Implement single sign-on using modern and industry standard protocols	MVSP 2.1 ISO 27001 A.9.4.2 SOC2 CC6.1	BoxyHQ SAML Jackson
Access Control	Implement strict access control in your application guarding resources as needed Allow easy provisioning and de-provisioning of users	ISO 27001 A.9.1.1, A.9.2.1 SOC2 CC6.1	BoxyHQ Directory Sync (coming soon)
HTTPS-only	Redirect traffic from HTTP protocol (port 80) to HTTPS (port 443) This does not apply to secure protocols designed to run on top of unencrypted connections, such as OCSP Produce a clear scan using a widely adopted TLS scanning tool Include the Strict-Transport-Security header on all pages with the `includeSubdomains` directive	MVSP 2.2 ISO 27001 A.10.1.1 SOC2 CC6.7	Steampipe Net Plugin testssl.sh
Dependency Patching	Apply security patches with a severity score of "medium" or higher, or ensure equivalent mitigations are available for all components of the application stack within one month of the patch release	MVSP 2.6 ISO 27001 A.12.6.1 SOC2 CC7.1	OWASP Dependency Check OWASP Dependency Track
Logging	Keep logs of: Users logging in and out Read, write, delete operations on application and system users and objects Security settings changes (including disabling logging) Application owner access to customer data (access transparency) Logs must include user ID, IP address, valid timestamp, type of action performed, and object of this action. Logs must be stored for at least 30 days, and should not contain sensitive data or payloads.	MVSP 2.7 ISO 27001 A.12.4.1 SOC2 CC7.2	BoxyHQ Audit Logs (coming soon) ELK Stack FluentD Steampipe
Backup and Disaster recovery	Securely back up all data to a different location than where the application is running Maintain and periodically test disaster recovery plans Periodically test backup restoration	MVSP 2.8 ISO 27001 A.17.1 SOC2 A1.3
Encryption	Use available means of encryption to protect sensitive data in transit between systems and at rest in online data storages and backups	MVSP 2.9 ISO 27001 A.10.1 SOC2 CC6.1 GDPR HIPAA	BoxyHQ Privacy Vault (coming soon)
Application implementation controls
Control	Description	Compliance controls	Tools (if applicable)
List of sensitive data	Maintain a list of sensitive data types that the application is expected to process	MVSP 3.1 ISO 27001 A.10.1 SOC2 CC6.1 GDPR HIPAA	BoxyHQ Privacy Vault (coming soon)
Data flow diagram	Maintain an up-to-date diagram indicating how sensitive data reaches your systems and where it ends up being stored	MVSP 3.2 ISO 27001 A.10.1 SOC2 CC6.1 GDPR HIPAA	BoxyHQ Privacy Vault (coming soon)
Vulnerability prevention	Train your developers and implement development guidelines to prevent at least the following vulnerabilities: Authorization bypass Insecure session ID Injections Cross-site scripting Cross-site request forgery Use of vulnerable libraries	MVSP 3.3 ISO 27001 A.12.6.1 SOC2 CC7.1	OWASP Top Ten OWASP Zap Steampipe Net Insights mod Wapiti Scanner
Infrastructure and cloud security	Perform audits, continuous monitoring, hardening and forensics readiness for your infrastructure and cloud assets.	ISO 27001 A.12.6.1 SOC2 CC7.1	AirIAM Cloudsploit Kubesec Kubernetes security Prowler for AWS Steampipe Compliance & Security mods Trivy container scanner
Code security
Control	Description	Compliance controls	Tools (if applicable)
Data leakage prevention	Protect secrets from leaking into code, logs and unwanted systems.	ISO 27001 A.12.6.1 SOC2 CC7.1	GitGuardian Gitleaks Steampipe Code Plugin

codywalker77 / awesome-oss-devsec Goto Github PK

awesome-oss-devsec's Introduction

Developer Security Mesh

Awesome OSS Developer Security Tools

awesome-oss-devsec's People

Contributors

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent