10 Free Tools: A good Helper for Agile DevOps

Source: Internet
Author: User
Most DevOps-friendly security tools that can be well integrated into continuous workflows are often free. This article lists a few of the most promising DevOps-friendly free tools.
One of the key ways to get developers invested in application security (AppSec) is to remove much of the friction they hit when security processes are embedded into daily workflows. A major factor in the success of DevSecOps is a company's ability to implement security tools that developers will not hate.

To this end, companies need to improve the integration between the security testing toolkit and the other software development tools that developers use. Fortunately, this integration does not have to break the bank. Although not completely zero cost, most DevOps-friendly security tools that integrate well into continuous workflows are often free.

Here are a few of the most promising DevOps friendly free tools.

1. OWASP Zed Attack Proxy (ZAP)

Led by the same organization that launched the industry-standard OWASP Top 10 vulnerability list, OWASP ZAP gives developers the ability to automate security scans for free. ZAP has been adopted by many enterprises. One of its advantages for DevOps is a well-rated Jenkins plug-in that helps the development team integrate it seamlessly into the DevOps tool chain.

2. Gauntlt
As a security testing framework created specifically for embedding in continuous integration (CI) pipelines, Gauntlt has a large number of fans in the development and security communities. It is popular because it lets teams drive many existing security tools from the Cucumber framework that DevOps teams already use for automated testing.

3. BDD-Security
BDD-Security is another option among security acceptance testing frameworks. The tool uses the concept of "behavior-driven development" to help teams define and automatically test their security specifications, and it is also based on the Cucumber testing framework. Out of the box, BDD-Security supports Selenium/WebDriver, OWASP ZAP, SSLyze, and Nessus, and it acts as an external scanner that works without access to the target's source code.

4. Git-Hound
Without sufficient processes or tools to help developers keep sensitive data under control, hastily committing code to GitHub in a DevOps workflow will undoubtedly introduce a lot of risk. In the past two years, we have witnessed a number of serious leaks of sensitive data in GitHub code repositories, all caused by lax security practices; the Uber data breach in 2016 is one example. Git-Hound is a free security tool designed to reduce the risk of such leaks. It automatically inspects commits for sensitive data and prevents that data from being committed to the code repository.
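The kind of commit-time check described above can be sketched as follows. This is an added example, not Git-Hound's own code: the rule names, the three patterns and the sample diff are constructed for illustration, and real tools ship far larger rule sets.

```python
import re
import sys

# Illustrative rules (assumptions for this example, not Git-Hound's rule set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff_text):
    """Return (path, new_line_number, rule) for each added line that matches a rule."""
    findings, path, line_no, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            path, in_hunk = None, False          # a new file section begins
        elif not in_hunk and line.startswith("+++ "):
            target = line[4:].strip()            # "+++ b/<path>" or /dev/null on deletion
            path = None if target == "/dev/null" else target.removeprefix("b/")
        elif (m := HUNK_RE.match(line)):
            line_no, in_hunk = int(m.group(1)), True
        elif in_hunk and line.startswith("+"):   # only added lines can introduce a secret
            for rule, rx in PATTERNS.items():
                if rx.search(line[1:]):
                    findings.append((path, line_no, rule))
            line_no += 1
        elif in_hunk and line.startswith(" "):   # context lines advance the new-file counter
            line_no += 1
    return findings

# Constructed sample input (the key is AWS's documented placeholder value).
SAMPLE_DIFF = """diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 import os
-DEBUG = True
+DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+db_password = "correct-horse-battery"
 REGION = "us-east-1"
"""

if __name__ == "__main__":
    hits = scan_diff(sys.stdin.read())           # e.g. fed from `git diff --cached`
    for path, line_no, rule in hits:
        print(f"{path}:{line_no}: {rule}", file=sys.stderr)
    sys.exit(1 if hits else 0)                   # a non-zero exit makes a pre-commit hook abort
```

Piping `git diff --cached` into this script from a `pre-commit` hook rejects the commit before the secret reaches the repository history, which is cheaper than rotating a credential after it has been pushed.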

5. Brakeman

Brakeman is an open source static code analysis tool with mature and active community support, capable of detecting security vulnerabilities in Ruby on Rails applications. Since it first came to people's attention in 2013, Brakeman has developed steadily, and it recently broke the 11 million download mark.

6. FindSecurityBugs

Similar to Brakeman, FindSecurityBugs is also a free static code analysis tool, but its analysis focuses mainly on Java applications. It can be embedded in an integrated development environment (IDE) and has useful plug-ins for multiple platforms such as Jenkins, Eclipse, and Maven.

7. Archery
Archery appeared at the Black Hat Asia Arsenal earlier this year. It is a relatively young member of this list, but it definitely has the strength to stand out. It is an open source vulnerability assessment and management tool that uses Selenium to perform dynamic authenticated scans. Archery's REST API allows developers to integrate it easily into the DevOps toolset, and it should be widely welcomed by developers.

8. CIS Kubernetes standard inspection procedures
DevOps teams have embraced Kubernetes to orchestrate their containerized workloads effectively. Kubernetes provides powerful and scalable tools for deploying containerized applications, but like any powerful and scalable tool, it requires some important security practices to keep the risks involved to a minimum. Fortunately, the Center for Internet Security (CIS) has developed a set of recommendations for hardening Kubernetes deployments. This tool provides a valuable set of automated scripts that can help companies comply with those standards.

9. Cloudsploit
When it comes to enterprise AWS security, there has been a lot of embarrassment in the past two years. In order to push code faster, many software companies have been very lax about securing their development environments, which has led to several high-profile data breaches. Cloudsploit helps DevOps teams scan their AWS instances for the various configuration errors and other security risks that directly lead to such data exposure.

10. InSpec
InSpec is led by Chef, an infrastructure-as-code provider, and provides tools to bring compliance, security, and policy requirements into the infrastructure-as-code way of thinking. This open source project makes it easier to translate policies into a language that is both human-readable and machine-readable. It is a platform-independent project, suitable not only for Chef but also for Puppet environments. It also performs well on other platforms and systems such as Docker.