71 Open source projects that are alternatives of or similar to Threat Model Cookbook

Nmap and NSE command line wrapper in the style of Metasploit

Presentations, training modules, and other education materials from Duo Security's Application Security team.

OWASP Community Pages are a place where OWASP can accept community contributions for security-related content.

A Tool for Domain Flyovers

In progress rough solutions to bWAPP / bee-box

Web path scanner

The OWASP Vulnerable Web Applications Directory (VWAD) Project - OWASP Web Site

An organizational asset and vulnerability management tool, with Jira integration, designed for generating application security reports.

OWASP Zed Attack Proxy project landing page.

A curated list of threat modeling resources (Books, courses - free and paid, videos, tools, tutorials and workshops to practice on ) for learning Threat modeling and initial phases of security review.

Detects the algorithm of input JWT Token and provide options to generate the new JWT token based on the user selected algorithm.

Oversecured Vulnerable iOS App

A vulnerable version of Rails that follows the OWASP Top 10

Web Browser Hooking Framework. Manage, execute and assess web browser vulnerabilities

HTML5 WebSocket message fuzzer

Jenkins plugin for OWASP Dependency-Check. Inspects project components for known vulnerabilities (e.g. CVEs).

OWASP ZAP Add-ons

Application-embedded connectivity and zero-trust components

njsscan is a semantic aware SAST tool that can find insecure code patterns in your Node.js applications.

Some good resources for getting started with application security

w3af: web application attack and audit framework, the open source web vulnerability scanner.

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

The OWASP ZAP core project

Sample scan files for testing DefectDojo imports

Next generation web scanner

Application Security Awareness Training

This repository contains links to awesome security articles.

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

GitHub Action to set up Fortify ScanCentral Client

OWASP SecurityRAT (version 1.x) - Tool for handling security requirements in development

Vendor-Neutral Security Tool Automation Controller (over REST)

An open source, git-ops, zero-trust secret encryption and decryption solution for Kubernetes applications

A simple PHP application to learn SQL Injection detection and exploitation techniques.

Kurukshetra - A framework for teaching secure coding by means of interactive problem solving.

vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.

The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.

A Java library for parsing and programmatically using threat models

An application to assist in the organization and prioritization of software security activities.

Full Nuclei automation script with logic explanation.

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

Documentation for Essential Node.js Security

Methodology for high-quality web application security testing - https://github.com/tprynn/web-methodology/wiki

Embedded AppSec Best Practices

Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.

A curated list of policy-as-code resources like blogs, videos, and tools to practice on for learning Policy-as-Code.

All-in-one tool for managing vulnerability reports from AppSec pipelines

Integrates OWASP Zed Attack Proxy reports into SonarQube

Integrates Dependency-Check reports into SonarQube

Additional Resources For Securing The Stack Tutorials

A Bind9 server for pentesters to use for Out-of-Band vulnerabilities

OWASP Code Review Guide Web Repository

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

CryptoNice is both a command line tool and library which provides the ability to scan and report on the configuration of SSL/TLS for your internet or internal facing web services. Built using the sslyze API and ssl, http-client and dns libraries, cryptonice collects data on a given domain and performs a series of tests to check TLS configuration…

Reapsaw is a continuous security devsecops tool, which helps in enabling security into CI/CD Pipeline. It supports coverage for multiple programming languages.

Some of the questions which i was asked when i was giving interviews for Application/Product Security roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer

Oversecured Vulnerable Android App

A simple Java command-line utility to mirror the CVE JSON data from NIST.

Python Interactive Deepweb-oriented Rapid Intelligent Link Analyzer

Some of my security stuff and vulnerabilities. Nothing advanced. More to come.

Workshop on Template Injection (6 exercises) covering Twig, Jinja2, Tornado, Velocity and Freemaker engines.