= Awesome Open-Source Developer Security Tools

List of awesome open-source developer security tools. Maintained by BoxyHQ, and heavily inspired by MVSP.

It includes security principles and controls relevant to popular compliance certifications (ISO 27001, SOC2, MVSP and others). Also check this list of popular compliance frameworks and certifications.

Interested in the future of developer security? Join our Discord community to share and collaborate.

We'd love your feedback and contributions to this list. Please submit a GitHub issue or PR.

== Business controls

[cols="1,3,1,1",options="header"]
|===
|Control |Description |Compliance Controls |Tools

|Vulnerability Reports
a|
* Publish the point of contact for security reports on your website
* Respond to security reports within a reasonable time frame
a|
* MVSP 1.1
* ISO 27001 A.12.6.1
* SOC2 CC7.1
|

|Customer Testing
a|
* On request, enable your customers or their delegates to test the security of your application
* Test on a non-production environment if it closely resembles the production environment in functionality
* Ensure non-production environments do not contain production data
a|
* MVSP 1.2
* ISO 27001 A.12.6.1
* SOC2 CC7.1
|

|External Testing
|Contract a security vendor to perform annual, comprehensive penetration tests on your systems
a|
* MVSP 1.4
* ISO 27001 A.12.6.1
* SOC2 CC7.1
|

|Training
|Implement role-specific security training for your personnel that is relevant to their business function
|
|

|Compliance
a|
* Comply with all industry security standards relevant to your business, such as PCI DSS, HITRUST, ISO 27001 and SSAE 18
* Comply with local laws and regulations in the jurisdictions applicable to your company and your customers, such as GDPR, Binding Corporate Rules and Standard Contractual Clauses
|
|

|Incident Management
a|
* Notify your customers about a breach without undue delay, and no later than 72 hours after discovery
* Include the following information in the notification:
** Relevant point of contact
** Preliminary technical analysis of the breach
** Remediation plan with reasonable timelines
|
|
|===

== Application Design Controls

[cols="1,3,1,1",options="header"]
|===
|Control |Description |Compliance Controls |Tools

|Single Sign-On
|Implement single sign-on using modern, industry-standard protocols
|
|

|Access Control
a|
* Implement strict access control in your application, guarding resources as needed
* Allow easy provisioning and de-provisioning of users
a|
* ISO 27001 A.9.1.1, A.9.2.1
* SOC2 CC6.1
|

|HTTPS-Only
a|
* Redirect traffic from HTTP (port 80) to HTTPS (port 443)
* Produce a clean scan using a widely adopted TLS scanning tool
* Include the Strict-Transport-Security header on all pages, with the includeSubDomains directive
a|
* MVSP 2.2
* ISO 27001 A.10.1.1
* SOC2 CC6.7
|

|Dependency Patching
|Apply security patches with a severity score of "medium" or higher, or ensure equivalent mitigations are in place, for all components of the application stack within one month of the patch release
a|
* MVSP 2.6
* ISO 27001 A.12.6.1
* SOC2 CC7.1
|

|Logging
a|
Keep logs of:

* Users logging in and out
* Read, write and delete operations on application and system users and objects
* Security settings changes (including disabling logging)
* Application owner access to customer data (access transparency)

Logs must include user ID, IP address, a valid timestamp, the type of action performed and the object of that action. Logs must be stored for at least 30 days and should not contain sensitive data or payloads.
a|
* MVSP 2.7
* ISO 27001 A.12.4.1
* SOC2 CC7.2
|

|Backup and Disaster Recovery
a|
* Securely back up all data to a different location than where the application is running
* Maintain and periodically test disaster recovery plans
* Periodically test backup restoration
|
|

|Encryption
|Use available means of encryption to protect sensitive data in transit between systems and at rest in online data stores and backups
a|
* MVSP 2.9
* ISO 27001 A.10.1
* SOC2 CC6.1
* GDPR
* HIPAA
a|
* BoxyHQ Privacy Vault (coming soon)
|===
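The HTTPS-Only row above gives two checks that can be automated: plain HTTP must redirect to HTTPS, and HTTPS responses must carry a Strict-Transport-Security header with includeSubDomains. The checker below is an added example, not code from this list or from BoxyHQ. The `Response` class, the one-year `MIN_MAX_AGE` floor (the control itself sets no minimum) and the `app.example.test` responses are assumptions constructed so the check runs offline; in practice the same functions are fed responses from an HTTP client, and the TLS-scan bullet still needs a dedicated scanner.

```python
"""Checker for the HTTPS-Only control: HTTP redirects to HTTPS and every
HTTPS response sends Strict-Transport-Security with includeSubDomains.

Added example, not part of the original list. Responses are constructed
in-line so the check runs offline.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Minimum max-age accepted by the check. One year is the usual recommendation
# for HSTS; the control text sets no number, so this is an assumption.
MIN_MAX_AGE = 31536000


@dataclass
class Response:
    """Minimal HTTP response as seen by the checker (constructed)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup; returns None when absent."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive (RFC 6797), so they are lowercased.
    Valueless directives (includeSubDomains, preload) map to True.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def check_https_only(http_resp, https_resp):
    """Return a list of findings; an empty list means the control is met."""
    findings = []

    # 1. Plain HTTP must answer with a redirect to the https:// form of the same host.
    if not 300 <= http_resp.status < 400:
        findings.append(f"HTTP {http_resp.url} returned {http_resp.status}, expected a redirect")
    else:
        location = http_resp.header("Location") or ""
        target = urlsplit(location)
        if target.scheme != "https":
            findings.append(f"redirect target {location!r} is not https")
        elif target.hostname != urlsplit(http_resp.url).hostname:
            findings.append(f"redirect leaves the host: {location!r}")

    # 2. The HTTPS response must send HSTS with includeSubDomains and a long max-age.
    hsts = https_resp.header("Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
        return findings
    directives = parse_hsts(hsts)
    if "includesubdomains" not in directives:
        findings.append("HSTS header lacks includeSubDomains")
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        findings.append("HSTS header lacks a numeric max-age")
    else:
        if max_age < MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_MAX_AGE}")
    return findings


# Constructed sample responses for a hypothetical host.
GOOD_HTTP = Response("http://app.example.test/", 301,
                     {"Location": "https://app.example.test/"})
GOOD_HTTPS = Response("https://app.example.test/", 200,
                      {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
NO_REDIRECT = Response("http://app.example.test/", 200, {})
WEAK_HTTPS = Response("https://app.example.test/", 200,
                      {"strict-transport-security": "max-age=300"})

if __name__ == "__main__":
    print("compliant:", check_https_only(GOOD_HTTP, GOOD_HTTPS))
    print("weak:", check_https_only(NO_REDIRECT, WEAK_HTTPS))
```

The redirect check deliberately rejects a `Location` that changes host: a redirect to HTTPS on another domain leaves the original host reachable over plain HTTP. Header lookup is case-insensitive because HTTP clients and proxies normalise header names differently.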
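The Logging row above lists the events to capture, the five fields every record needs, the 30-day minimum retention and the rule that payloads and sensitive data stay out. The writer below is an added example, not code from this list or from BoxyHQ: it enforces the field set with an allowlist (caller context such as request bodies or credentials is dropped before serialisation rather than redacted afterwards), validates stored lines, and purges only records older than the retention period. The event names, the `AuditLog` class, the fake clock and the sample events are assumptions made for the example.

```python
"""Audit log writer for the Logging control: every record carries user ID,
client IP, timestamp, action and target object; payloads never enter the
log; retention is enforced as a minimum of 30 days.

Added example, not code from the original list or from BoxyHQ.
"""
import json
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # the control's minimum retention period

# Event types the control asks for (assumed names; extend as the app grows).
REQUIRED_EVENTS = {
    "auth.login", "auth.logout",
    "object.read", "object.write", "object.delete",
    "user.create", "user.update", "user.delete",
    "settings.change", "logging.disable",
    "owner.customer_data_access",  # access transparency
}

# The only keys that are ever serialised. Anything else a caller passes
# (request bodies, tokens, passwords) is discarded before writing.
FIELDS = ("ts", "user_id", "ip", "action", "object")


class FakeClock:
    """Settable clock so the demo and tests are deterministic (constructed)."""
    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t


class AuditLog:
    def __init__(self, clock=None):
        self.lines = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def record(self, user_id, ip, action, obj, **context):
        """Append one JSON line and return it. `context` keeps call sites
        uniform but is intentionally never logged."""
        if action not in REQUIRED_EVENTS:
            raise ValueError(f"unknown audit action {action!r}")
        entry = {"ts": self._clock().isoformat(), "user_id": user_id,
                 "ip": ip, "action": action, "object": obj}
        line = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True)
        self.lines.append(line)
        return line

    def invalid_lines(self):
        """Indexes of lines missing a required field or with a bad timestamp."""
        bad = []
        for i, line in enumerate(self.lines):
            rec = json.loads(line)
            try:
                datetime.fromisoformat(rec["ts"])
                ok = all(rec.get(k) not in ("", None) for k in FIELDS)
            except (KeyError, ValueError):
                ok = False
            if not ok:
                bad.append(i)
        return bad

    def purge(self):
        """Drop only lines older than RETENTION and return how many remain.
        Younger lines must stay, so a purge can never cut retention short."""
        cutoff = self._clock() - RETENTION
        self.lines = [ln for ln in self.lines
                      if datetime.fromisoformat(json.loads(ln)["ts"]) >= cutoff]
        return len(self.lines)


def demo():
    """Constructed scenario: two events on day 0, purges on day 9 and day 35."""
    clock = FakeClock(datetime(2024, 1, 1, tzinfo=timezone.utc))
    log = AuditLog(clock=clock)
    first = log.record("u-42", "203.0.113.9", "auth.login", "session",
                       password="hunter2")            # context is discarded
    log.record("u-42", "203.0.113.9", "object.write", "invoice/1007",
               body={"amount": 250})                  # payload is discarded
    leaked = "hunter2" in first or "250" in "".join(log.lines)
    invalid = log.invalid_lines()
    clock.t = datetime(2024, 1, 10, tzinfo=timezone.utc)  # day 9: keep both
    kept_day9 = log.purge()
    clock.t = datetime(2024, 2, 5, tzinfo=timezone.utc)   # day 35: both expire
    kept_day35 = log.purge()
    return {"leaked": leaked, "invalid": invalid,
            "kept_day9": kept_day9, "kept_day35": kept_day35}


if __name__ == "__main__":
    print(demo())
```

Allowlisting fields is the safer direction for the "no payloads" rule: a denylist of sensitive keys has to anticipate every name a caller might use, while an allowlist cannot leak a field it was never told about.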

== Application Implementation Controls

[cols="1,3,1,1",options="header"]
|===
|Control |Description |Compliance Controls |Tools

|List of Sensitive Data
|Maintain a list of the sensitive data types that the application is expected to process
a|
* MVSP 3.1
* ISO 27001 A.10.1
* SOC2 CC6.1
* GDPR
* HIPAA
a|
* BoxyHQ Privacy Vault (coming soon)
* Bearer

|Data Flow Diagram
|Maintain an up-to-date diagram showing how sensitive data reaches your systems and where it ends up being stored
a|
* MVSP 3.2
* ISO 27001 A.10.1
* SOC2 CC6.1
* GDPR
* HIPAA
a|
* BoxyHQ Privacy Vault (coming soon)

|Vulnerability Prevention
a|
Train your developers and implement development guidelines to prevent at least the following vulnerabilities:

* Authorization bypass
* Insecure session ID
* Injections
* Cross-site scripting
* Cross-site request forgery
* Use of vulnerable libraries
a|
* MVSP 3.3
* ISO 27001 A.12.6.1
* SOC2 CC7.1
|

|Infrastructure and Cloud Security
|Perform audits, continuous monitoring, hardening and forensic readiness for your infrastructure and cloud assets
a|
* ISO 27001 A.12.6.1
* SOC2 CC7.1
|
|===

== Code Security

[cols="1,3,1,1",options="header"]
|===
|Control |Description |Compliance Controls |Tools

|Data Leakage Prevention
|Protect secrets from leaking into code, logs and other unintended systems
a|
* ISO 27001 A.12.6.1
* SOC2 CC7.1
|

|Zero Trust Principles
|Keep data encrypted end-to-end and expose no listening ports through which malware or ransomware could spread
|
|
|===