# Security Tools

| Product | Description | Purpose | Licensing | CI integration |
| ------- | ----------- | ------- | --------- | -------------- |
| Find Security Bugs (find-sec-bugs) | SpotBugs plugin that scans Java bytecode for security bugs (injection, weak cryptography and similar); runs in the build and as an IDE plugin on developer machines. Effective for Java and other JVM languages | SAST | Open Source | Yes |
| [LGTM](https://lgtm.com/) | SaaS source-code analysis platform built on CodeQL; free for open-source projects; supports Java and JavaScript (among others). The lgtm.com service has since been retired in favour of GitHub code scanning with CodeQL | SAST | Free | Yes |
| OWASP ZAP | Open-source web application scanner and intercepting proxy. Recommended as the primary DAST tool: its automated baseline and full scans run headless, so they should be wired into CI against a test deployment rather than run by hand | DAST | Open Source | Yes |
| Microsoft Baseline Security Analyzer (MBSA) | Checks Windows hosts for missing security updates and common misconfigurations. Only relevant if the infrastructure runs Windows, and Microsoft has since deprecated it | Hardening | Free | No |
| OpenSCAP | Evaluates hosts against SCAP/XCCDF hardening profiles. A custom profile tailored to our baseline will be needed; the scan then verifies that the OS is hardened as expected | Hardening | Free | Yes |
| OpenSCAP | Scans Docker images and running containers with the same SCAP content and for known CVEs (`oscap-docker`) | Docker scan | Free | Yes |
| Nessus Vulnerability Scanner | Network and host vulnerability scanning (Tenable) | Vulnerability Scanning | Commercial | No |
| Kali Linux | Linux distribution bundling the tools needed to perform a penetration test. To be run as a lab setup and used as part of UAT testing | Penetration Testing | Open Source | No |
| Skipfish | Automated web application security scanner from Google (no longer maintained) | DAST | Open Source | No |
| Burp Suite | Intercepting web proxy and scanner used for manual penetration testing of web applications; the Community edition is free, Professional is commercial | DAST | Commercial | No |

Courtesy: Sasikumar Ganesan
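
The CI column above records which scanners can run inside a pipeline, but a pipeline also needs a gate that turns scanner output into a pass/fail decision. The script below is an added example, not part of the original page and not code from the ZAP or OpenSCAP projects: it reads a ZAP JSON report (the `site` / `alerts` / `riskcode` structure written by ZAP's automation scripts with `-J`) and an OpenSCAP XCCDF results file (`oscap xccdf eval --results`), and fails the build when ZAP reports an alert at or above a chosen risk level or when any XCCDF rule result is `fail` or `error`. The two sample reports embedded in the script are constructed by hand and trimmed to the fields the script reads; the rule ids in the XCCDF sample are placeholders, not real SCAP Security Guide ids.

```python
"""CI gate over scanner reports (added example, not from the original page).

Fails the build when ZAP reports an alert at or above a risk threshold, or when
an OpenSCAP XCCDF results file contains a failed rule.
"""
import json
import sys
import xml.etree.ElementTree as ET

# Risk codes as ZAP writes them in the "riskcode" field of its JSON report.
ZAP_RISK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample shaped like a ZAP JSON report (zap-baseline.py -J),
# trimmed to the fields read below.
SAMPLE_ZAP_REPORT = json.dumps({
    "site": [{
        "@name": "http://app.test",
        "alerts": [
            {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://app.test/", "method": "GET"}]},
            {"pluginid": "40012", "name": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://app.test/search?q=x", "method": "GET",
                            "param": "q"}]},
        ],
    }],
})

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample shaped like the TestResult that `oscap xccdf eval --results`
# appends to the benchmark; the rule ids are placeholders, not real SSG ids.
SAMPLE_XCCDF_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_OS">
  <TestResult id="xccdf_org.example_testresult_custom_profile">
    <rule-result idref="xccdf_org.example_rule_sshd_disable_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_package_telnet_removed" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_audit_rules_present" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def zap_findings(report_text, min_risk="medium"):
    """Return (pluginid, name, riskcode, uri) for every alert instance at or
    above min_risk. One tuple per instance so each affected URL is listed."""
    threshold = ZAP_RISK[min_risk]
    findings = []
    for site in json.loads(report_text).get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))
            if risk < threshold:
                continue
            for inst in alert.get("instances", []):
                findings.append((alert["pluginid"], alert["name"], risk, inst.get("uri")))
    return findings


def xccdf_failures(results_xml):
    """Return (rule id, severity) for each rule-result whose outcome is fail or
    error. pass, notapplicable, notchecked and informational do not block."""
    root = ET.fromstring(results_xml)
    failures = []
    for rr in root.iterfind(".//x:rule-result", XCCDF_NS):
        outcome = rr.findtext("x:result", default="", namespaces=XCCDF_NS)
        if outcome in ("fail", "error"):
            failures.append((rr.get("idref"), rr.get("severity", "unknown")))
    return failures


def gate(zap_report, xccdf_results, min_risk="medium"):
    """Print every blocking finding and return the CI exit code: 0 to proceed, 1 to fail."""
    problems = [f"ZAP {pid} {name} (risk {risk}) at {uri}"
                for pid, name, risk, uri in zap_findings(zap_report, min_risk)]
    problems += [f"OpenSCAP rule {rid} (severity {sev}) failed"
                 for rid, sev in xccdf_failures(xccdf_results)]
    for line in problems:
        print(line)
    return 1 if problems else 0


if __name__ == "__main__":
    # A real pipeline would read the files produced by the scanners instead.
    sys.exit(gate(SAMPLE_ZAP_REPORT, SAMPLE_XCCDF_RESULTS))
```

The threshold is deliberately a parameter: a baseline scan on every commit is usually gated at medium or high so that informational header findings do not block merges, while the full scan before a release can be gated at low. OpenSCAP rules are treated as pass/fail without a threshold because a hardening profile is supposed to be met in full; rules that genuinely do not apply belong in the tailored profile, not in an exception list in the gate.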
