Java code audit guidelines:
https://gitee.com/9199771/sec_coding/blob/master/sec_coding.md
Vulnerability scanning
Active scanning:
goby https://gobies.org/
(or pirated copies of Nessus, AWVS, AppScan)
Passive scanning:
xray https://download.xray.cool/
(or a pirated copy of AppScan)
Notes:
1) Recommended: run goby in combination with the two web scanners xray and AWVS
2) Enable AWVS instrumentation mode for use during development and security self-testing
Development security
IAST:
1) Passive IAST:
火線IAST https://dongtai.io/
2) Active IAST
openrasp https://github.com/baidu/openrasp
AWVS https://my.oschina.net/9199771/blog/5330762
Code audit:
Fortify, Checkmarx
Packet capture and traffic analysis:
burp https://down.52pojie.cn/Tools/Network_Analyzer/
yakit https://github.com/yaklang/yakit
Software composition analysis:
Dependency-Track https://docs.dependencytrack.org/
Production protection
WAF:
ModSecurity
Main program: https://github.com/SpiderLabs/ModSecurity
Rule set: https://github.com/coreruleset/coreruleset
ModSecurity ships with the libinjection semantic engine plus traditional regex rules, which is already fairly strong
RASP:
openrasp https://github.com/baidu/openrasp
HIDS:
elkeid https://github.com/bytedance/Elkeid
WAF, RASP and host security: none of the three can be omitted; they complement each other
Honeypots:
decoymini: https://github.com/decoymini
hFish: https://github.com/hacklcx/HFish
Office security
EDR:
1) Elastic EDR https://mp.weixin.qq.com/s/UWdOBmYxXStaqWeAFkbj1g
2) 360 EDR https://ent.online.360.cn/signup?src=EntDT
Honeypots:
decoymini: https://github.com/decoymini
hFish: https://github.com/hacklcx/HFish
Asset management
Mars: https://github.com/TideSec/Mars
Miscellaneous
QingScan: https://github.com/78778443/QingScan