Open-Source Cybersecurity Tools: Application Security

This category contains 8 documented entries. It focuses on capabilities used for secure SDLC controls, code scanning, and dependency risk management. Not every entry is a deployable tool: the list also includes a curated reading list, two secure-coding books, a standards body, and a commercial vendor, and the per-entry notes say which is which. Use this section when building shortlists, comparing operational tradeoffs, and mapping each control to the engineering team that owns the fix.

Category Evaluation Checklist

  • Coverage depth against your highest-priority threats and compliance obligations.
  • Operational overhead for deployment, tuning, and long-term maintenance.
  • Signal quality versus analyst workload and false-positive pressure.
  • Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
  • Governance readiness including auditability, ownership clarity, and change control.

Letter A

This letter section contains 1 tool.

AppSec

  • Website: https://github.com/paragonie/awesome-appsec
  • Model: Open Source
  • Category: Application Security
  • Source Lists: Awesome Malware Analysis, Awesome Penetration Testing, Awesome Forensics

What it does: Despite the catalog name, the linked resource is paragonie/awesome-appsec, a curated list of application security reading, standards, courses, and tools. It is reference material, not a scanner or a control that can be deployed. The source lists carry it only as a list entry with no description of its own.

Operational value: Useful for assembling a training syllabus, a control shortlist, or a reading path for developers joining a secure SDLC program. It produces no findings or alerts, so it has no place in a detection or triage workflow.

Typical deployment pattern: None. Consult it when scoping an application security program and follow the links to the individual tools, each of which is evaluated on its own terms.

Selection considerations: Curated lists go stale; check the date of the last commit and whether the linked projects are still maintained before relying on the list for recommendations. Related source context: Awesome Penetration Testing > Online Resources > Other Lists Online.

Letter C

This letter section contains 1 tool.

CakeFuzzer

  • Website: https://github.com/Zigrin-Security/CakeFuzzer
  • Model: Open Source
  • Category: Application Security
  • Source Lists: Awesome Security

What it does: CakeFuzzer is a web application security testing tool specialised for CakePHP applications. Source summaries describe it as: "The ultimate web application security testing tool for CakePHP-based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the CakePHP framework, CakeFuzzer launches attacks on all potential application entry points." In practice it is a framework-aware fuzzer: it derives the application's entry points from the framework rather than from a crawl, and mutates a fixed attack set against each of them.

Operational value: The output is a list of candidate vulnerabilities, each of which needs manual confirmation and a root-cause fix in application code. Value is highest for teams that run CakePHP and want coverage of entry points a generic crawler would miss.

Typical deployment pattern: Run against a non-production copy of the application with test data, since the attack payloads are mutated randomly and can corrupt state. Triage findings with the development team and turn confirmed issues into regression tests.

Selection considerations: Scope is CakePHP only; for other frameworks pick a different scanner. As an open-source option, evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Web > Scanning / Pentesting.

Letter I

This letter section contains 1 tool.

Insider CLI

  • Website: https://github.com/insidersec/insider
  • Model: Open Source
  • Category: Application Security
  • Source Lists: Awesome Security

What it does: Insider CLI is a Static Application Security Testing (SAST) tool written in Go. Source summaries describe it as: "An open source Static Application Security Testing tool (SAST) written in GoLang for Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C# and Javascript (Node.js)." It pattern-matches source code for known-dangerous constructs and reports findings with their source locations; it does not build or run the application.

Operational value: Findings arrive before deployment, at the pull request or build stage, so the fix owner is the developer rather than an analyst. Expect false positives from pattern-based rules and plan for a suppression or baseline mechanism so that only new findings block a build.

Typical deployment pattern: Run in CI against each pull request for the supported languages. Start in report-only mode to measure noise, then gate on high-severity findings once the baseline has been triaged.

Selection considerations: As an open-source option, evaluate maintainer activity, release cadence, rule coverage for your language mix, and community response quality. Related source context: Awesome Security > Web > Development.

Letter N

This letter section contains 2 tools.

Node.js Secure Coding: Defending Against Command Injection Vulnerabilities

  • Website: https://www.nodejs-security.com
  • Model: Open Source
  • Category: Application Security
  • Source Lists: Awesome Security

What it does: This entry is a book, not a software tool. Source summaries describe it as: "Learn secure coding conventions in Node.js by executing command injection attacks on real-world npm packages and analyzing vulnerable code." The subject is how untrusted input reaches child_process APIs through a shell and how to write code that does not let it. The "Open Source" label is the catalog's category, not a software licence.

Operational value: Training material for developers who own Node.js services. The practical outcome is a set of review rules (no string-built shell commands, argv arrays with execFile or spawn, strict input allowlists) that can be encoded as lint or SAST checks.

Typical deployment pattern: Use during onboarding or a secure-coding workshop, then capture the conventions in code review checklists and static analysis rules so they outlast the training.

Selection considerations: Check that the content tracks current Node.js and npm behaviour before adopting it as a training standard. Related source context: Awesome Security > EBooks.

Node.js Secure Coding: Prevention and Exploitation of Path Traversal Vulnerabilities

  • Website: https://www.nodejs-security.com/book/path-traversal
  • Model: Open Source
  • Category: Application Security
  • Source Lists: Awesome Security

What it does: This entry is a book, not a software tool. Source summaries describe it as: "Master secure coding in Node.js with real-world vulnerable dependencies and experience firsthand secure coding techniques against Path Traversal vulnerabilities." The subject is how a user-controlled path segment escapes the directory an application meant to serve, and how to resolve and check paths so that it cannot. As with the companion volume, the "Open Source" label is the catalog's category, not a licence.

Operational value: Training material for developers who serve files or read from user-named paths in Node.js. The practical outcome is a single, reviewed path-resolution helper that every file access goes through, plus review rules against ad hoc path.join calls on request data.

Typical deployment pattern: Use during onboarding or a secure-coding workshop, then capture the conventions in code review checklists and static analysis rules.

Selection considerations: Check that the content tracks current Node.js behaviour before adopting it as a training standard. Related source context: Awesome Security > EBooks.

Letter O

This letter section contains 1 tool.

OWASP

  • Website: http://www.owasp.org
  • Model: Open Source
  • Category: Application Security
  • Source Lists: Awesome Security

What it does: OWASP is an organisation, not a tool. Source summaries describe it as: "The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software." The outputs that matter for an application security program are its freely available standards and references, such as the OWASP Top 10, the Application Security Verification Standard (ASVS), and the Cheat Sheet Series, together with a portfolio of open-source projects of varying maturity.

Operational value: Provides the vocabulary and requirement baselines that most application security policies, scanner rule sets, and compliance mappings refer to. It is a reference source, not a control.

Typical deployment pattern: Adopt ASVS (or a subset of it) as the requirements baseline, map scanner findings and code review checks to it, and use the Top 10 for awareness training.

Selection considerations: Individual OWASP projects vary widely in maintenance; evaluate each project on its own maintainer activity and release cadence rather than on the OWASP name. Related source context: Awesome Security > Web > Organization.

Letter P

This letter section contains 1 tool.

Portswigger

  • Website: https://portswigger.net
  • Model: Open Source
  • Category: Application Security
  • Source Lists: Awesome Security

What it does: PortSwigger is a commercial vendor, best known for Burp Suite, an intercepting proxy and web application testing platform. Source summaries describe it as: "PortSwigger offers tools for web application security, testing & scanning. Choose from a wide range of security tools & identify the very latest vulnerabilities." The catalog's "Open Source" label is inaccurate: Burp Suite Professional and Enterprise are paid products, Burp Suite Community Edition is free of charge but not open source, and the Web Security Academy training material is free.

Operational value: Burp Suite is the standard manual web testing toolkit for penetration testers and application security engineers; the Web Security Academy labs are hands-on training for developers and testers.

Typical deployment pattern: Individual licences for the testing team. For scaled or scheduled scanning, evaluate the enterprise offering against open-source DAST alternatives on cost and integration.

Selection considerations: Evaluate on licence cost, the extension ecosystem, and how scanner output integrates with your ticketing workflow, rather than on the open-source criteria used elsewhere on this page. Related source context: Awesome Security > Web > Organization.

Letter S

This letter section contains 1 tool.

Scanmycode CE (Community Edition)

  • Website: https://github.com/marcinguy/scanmycode-ce
  • Model: Open Source
  • Category: Application Security
  • Source Lists: Awesome Security

What it does: Scanmycode CE is an orchestrator that runs multiple scanners and merges their output into one report. Source summaries describe it as: "Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report. Currently supports: PHP, Java, Scala, Python, Ruby, Javascript, GO, Secret Scanning, Dependency Confusion, Trojan Source, Open Source and Proprietary Checks (total ca. 1000 checks)." It therefore covers SAST, secret scanning, dependency confusion, and Trojan Source (bidirectional Unicode) checks across the listed languages.

Operational value: A single report format across languages and scanner types reduces integration work, but it also concentrates the false-positive load of every bundled scanner in one place; plan triage ownership and suppression rules from the start.

Typical deployment pattern: Self-hosted scans against repositories on a schedule or per pull request. Pilot on a few repositories to measure noise before enabling it organisation-wide.

Selection considerations: As an open-source option, evaluate maintainer activity, release cadence, and how quickly the bundled scanners and their rules are updated, since the aggregate is only as current as its components. Related source context: Awesome Security > Web > Scanning / Pentesting.
