[
  {
    "path": ".github/dependabot.yml",
    "content": "# To get started with Dependabot version updates, you'll need to specify which\n# package ecosystems to update and where the package manifests are located.\n# Please see the documentation for all configuration options:\n# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates\n\nversion: 2\nupdates:\n  - package-ecosystem: \"npm\" # See documentation for possible values\n    directory: \"/\" # Location of package manifests\n    schedule:\n      interval: \"weekly\"\n"
  },
  {
    "path": ".gitignore",
    "content": "node_modules\n_book\n"
  },
  {
    "path": ".nojekyll",
    "content": ""
  },
  {
    "path": "CODE_OF_CONDUCT.md",
    "content": "# Contributor Covenant Code of Conduct\n\n## Our Pledge\n\nWe as members, contributors, and leaders pledge to make participation in our\ncommunity a harassment-free experience for everyone, regardless of age, body\nsize, visible or invisible disability, ethnicity, sex characteristics, gender\nidentity and expression, level of experience, education, socio-economic status,\nnationality, personal appearance, race, religion, or sexual identity\nand orientation.\n\nWe pledge to act and interact in ways that contribute to an open, welcoming,\ndiverse, inclusive, and healthy community.\n\n## Our Standards\n\nExamples of behavior that contributes to a positive environment for our\ncommunity include:\n\n- Demonstrating empathy and kindness toward other people\n- Being respectful of differing opinions, viewpoints, and experiences\n- Giving and gracefully accepting constructive feedback\n- Accepting responsibility and apologizing to those affected by our mistakes,\n  and learning from the experience\n- Focusing on what is best not just for us as individuals, but for the\n  overall community\n\nExamples of unacceptable behavior include:\n\n- The use of sexualized language or imagery, and sexual attention or\n  advances of any kind\n- Trolling, insulting or derogatory comments, and personal or political attacks\n- Public or private harassment\n- Publishing others' private information, such as a physical or email\n  address, without their explicit permission\n- Other conduct which could reasonably be considered inappropriate in a\n  professional setting\n\n## Enforcement Responsibilities\n\nCommunity leaders are responsible for clarifying and enforcing our standards of\nacceptable behavior and will take appropriate and fair corrective action in\nresponse to any behavior that they deem inappropriate, threatening, offensive,\nor harmful.\n\nCommunity leaders have the right and responsibility to remove, edit, or reject\ncomments, commits, code, wiki edits, issues, 
and other contributions that are\nnot aligned to this Code of Conduct, and will communicate reasons for moderation\ndecisions when appropriate.\n\n## Scope\n\nThis Code of Conduct applies within all community spaces, and also applies when\nan individual is officially representing the community in public spaces.\nExamples of representing our community include using an official e-mail address,\nposting via an official social media account, or acting as an appointed\nrepresentative at an online or offline event.\n\n## Enforcement\n\nInstances of abusive, harassing, or otherwise unacceptable behavior may be\nreported to the community leaders responsible for enforcement at\ndeepak@boxyhq.com.\nAll complaints will be reviewed and investigated promptly and fairly.\n\nAll community leaders are obligated to respect the privacy and security of the\nreporter of any incident.\n\n## Enforcement Guidelines\n\nCommunity leaders will follow these Community Impact Guidelines in determining\nthe consequences for any action they deem in violation of this Code of Conduct:\n\n### 1. Correction\n\n**Community Impact**: Use of inappropriate language or other behavior deemed\nunprofessional or unwelcome in the community.\n\n**Consequence**: A private, written warning from community leaders, providing\nclarity around the nature of the violation and an explanation of why the\nbehavior was inappropriate. A public apology may be requested.\n\n### 2. Warning\n\n**Community Impact**: A violation through a single incident or series\nof actions.\n\n**Consequence**: A warning with consequences for continued behavior. No\ninteraction with the people involved, including unsolicited interaction with\nthose enforcing the Code of Conduct, for a specified period of time. This\nincludes avoiding interactions in community spaces as well as external channels\nlike social media. Violating these terms may lead to a temporary or\npermanent ban.\n\n### 3. 
Temporary Ban\n\n**Community Impact**: A serious violation of community standards, including\nsustained inappropriate behavior.\n\n**Consequence**: A temporary ban from any sort of interaction or public\ncommunication with the community for a specified period of time. No public or\nprivate interaction with the people involved, including unsolicited interaction\nwith those enforcing the Code of Conduct, is allowed during this period.\nViolating these terms may lead to a permanent ban.\n\n### 4. Permanent Ban\n\n**Community Impact**: Demonstrating a pattern of violation of community\nstandards, including sustained inappropriate behavior, harassment of an\nindividual, or aggression toward or disparagement of classes of individuals.\n\n**Consequence**: A permanent ban from any sort of public interaction within\nthe community.\n\n## Attribution\n\nThis Code of Conduct is adapted from the [Contributor Covenant][homepage],\nversion 2.0, available at\nhttps://www.contributor-covenant.org/version/2/0/code_of_conduct.html.\n\nCommunity Impact Guidelines were inspired by [Mozilla's code of conduct\nenforcement ladder](https://github.com/mozilla/diversity).\n\n[homepage]: https://www.contributor-covenant.org\n\nFor answers to common questions about this code of conduct, see the FAQ at\nhttps://www.contributor-covenant.org/faq. Translations are available at\nhttps://www.contributor-covenant.org/translations.\n"
  },
  {
    "path": "COMPLIANCE.adoc",
    "content": "[cols=\"2,6a,6a\",stripes=none]\n|===\n3+<h| Compliance frameworks and certifications\nh| Name\nh| Description\nh| Tools and Resources\n\n| MVSP\n| Minimum Viable Secure Product is a minimalistic security checklist for B2B software and business process outsourcing suppliers. Designed with simplicity in mind, the checklist contains only those controls that must, at a minimum, be implemented to ensure a reasonable security posture.\n| * https://mvsp.dev/mvsp.en/index.html[MVSP]\n\n| ISO 27001\n| ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization and the International Electrotechnical Commission in 2005 and then revised in 2013.\n| * https://github.com/SerNet/verinice[Verinice]\n* https://www.opensourcegrc.org/compliance-requirements?main=3[Open Source GRC]\n* https://www.eramba.org/community-downloads[eramba]\n\n| SOC2\n| Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy.\n\n* A Type I report is an evaluation at a single point in time; it can be achieved faster but provides less assurance to your clients.\n* A Type II report is an evaluation over an extended period of time (3-12 months) and provides more assurance to your clients.\n| * https://www.strongdm.com/comply[strongdm Comply]\n\n| GDPR\n| The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. 
The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8 of the Charter of Fundamental Rights of the European Union.\n| * https://www.eramba.org/community-downloads[eramba]\n* https://www.opensourcegrc.org/compliance-requirements?main=19[Open Source GRC]\n\n| PCI DSS\n| The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.\n| * https://github.com/SerNet/verinice[Verinice]\n* https://www.eramba.org/community-downloads[eramba]\n* https://www.opensourcegrc.org/compliance-requirements?main=2[Open Source GRC]\n\n| HIPAA\n| The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.\n| * https://www.eramba.org/community-downloads[eramba]\n* https://www.opensourcegrc.org/compliance-requirements?main=11[Open Source GRC]\n\n| HITRUST CSF\n| Organizations that create, access, store, or exchange sensitive information can use the HITRUST Common Security Framework (CSF) assessment as a roadmap to data security and compliance. The HITRUST CSF assurance program combines aspects from common security frameworks like ISO, NIST, PCI, and HIPAA.\n| * https://www.eramba.org/community-downloads[eramba]\n* https://www.opensourcegrc.org/compliance-requirements?main=17[Open Source GRC]\n\n| CSA STAR\n| The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. 
STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM).\n| * https://cloudsecurityalliance.org/star/[Cloud Security Alliance]\n\n|==="
  },
  {
    "path": "LICENSE",
    "content": "                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      
form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. 
Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. 
You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. 
You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. 
You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. 
(Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "README.adoc",
    "content": ":!last-update-label:\n:compat-mode!:\nAwesome Open-Source Developer Security Tools\n============================================\nBoxyHQ team <hello@boxyhq.com>\nv0.1.0, 2022-08-30\n\nhttps://github.com/boxyhq/awesome-oss-devsec[⭐ Star us on GitHub]\n\nList of awesome open-source developer security tools. Maintained by https://boxyhq.com[BoxyHQ], and heavily inspired by https://mvsp.dev/mvsp.en/index.html[MVSP].\n\nIt includes security principles and controls relevant to popular compliance certifications (like ISO27001, SOC2, MVSP, etc.). Also check this list of link:COMPLIANCE.adoc[popular compliance frameworks and certifications].\n\nInterested in the future of developer security? Join our https://discord.com/invite/uyb7pYt4Pa[Discord] community to share and collaborate.\n\nWe'd love your feedback and contributions to this list. Please submit a GitHub issue or PR.\n\n[cols=\"2a,6a,2a,2a\",stripes=none]\n|===\n4+<h| Business controls\nh| Control\nh| Description\nh| Compliance Controls\nh| Tools\n\n| Vulnerability Reports\n| * Publish the point of contact for security reports on your website\n* Respond to security reports within a reasonable time frame\n| * https://mvsp.dev/mvsp.en/index.html[MVSP 1.1]\n* ISO 27001 A.12.6.1\n* SOC2 CC7.1\n|\n\n| Customer Testing\n| * On request, enable your customers or their delegates to test the security of your application\n* Test on a non-production environment if it closely resembles the production environment in functionality\n* Ensure non-production environments do not contain production data\n| * https://mvsp.dev/mvsp.en/index.html[MVSP 1.2]\n* ISO 27001 A.12.6.1\n* SOC2 CC7.1\n|\n\n| External Testing\n| Contract a security vendor to perform annual, comprehensive penetration tests on your systems\n| * https://mvsp.dev/mvsp.en/index.html[MVSP 1.4]\n* ISO 27001 A.12.6.1\n* SOC2 CC7.1\n|\n\n| Training\n| Implement role-specific security training for your personnel that is relevant to their business function\n| * 
https://mvsp.dev/mvsp.en/index.html[MVSP 1.5]\n* ISO 27001 A.7.2.2\n* SOC2 CC2.2\n|\n\n| Compliance\n| * Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18\n* Comply with local laws and regulations in jurisdictions applicable to your company and your customers, such as GDPR, Binding Corporate Rules, and Standard Contractual Clauses\n| * https://mvsp.dev/mvsp.en/index.html[MVSP 1.6]\n* ISO 27001\n* SOC2\n| * https://github.com/deepfence/ThreatMapper[Deepfence ThreatMapper]\n* https://hub.steampipe.io/mods?objectives=compliance[Steampipe Compliance Mods]\n\n| Incident Management\n| * Notify your customers about a breach without undue delay, no later than 72 hours upon discovery\n  * Include the following information in the notification:\n  ** Relevant point of contact\n  ** Preliminary technical analysis of the breach\n  ** Remediation plan with reasonable timelines\n| * https://mvsp.dev/mvsp.en/index.html[MVSP 1.7]\n* ISO 27001 A.16.1\n* SOC2 CC7.3\n|\n\n4+<h| Application Design Controls\nh| Control\nh| Description\nh| Compliance Controls\nh| Tools\n\n| Single Sign-On\n| Implement single sign-on using modern and industry standard protocols\n| * https://mvsp.dev/mvsp.en/index.html[MVSP 2.1]\n* ISO 27001 A.9.4.2\n* SOC2 CC6.1\n| * https://github.com/boxyhq/jackson[BoxyHQ SAML Jackson]\n\n| Access Control\n| * Implement strict access control in your application guarding resources as needed\n* Allow easy provisioning and de-provisioning of users\n| * ISO 27001 A.9.1.1, A.9.2.1\n* SOC2 CC6.1\n| * https://www.aserto.com[Aserto]\n* https://github.com/boxyhq/jackson#directory-sync[BoxyHQ Directory Sync]\n* https://github.com/casbin/casbin[Casbin]\n* https://cerbos.dev[Cerbos]\n* https://github.com/ory/keto[Keto]\n* https://github.com/osohq/oso[Oso]\n* https://github.com/permitio/opal[OPAL]\n\n| HTTPS-Only\n| * Redirect traffic from HTTP protocol (port 80) to HTTPS (port 443)\n  * Produce a clear scan using a 
widely adopted TLS scanning tool\n  * Include the Strict-Transport-Security header on all pages with the `includeSubdomains` directive\n| * https://mvsp.dev/mvsp.en/index.html[MVSP 2.2]\n* ISO 27001 A.10.1.1\n* SOC2 CC6.7\n| * https://hub.steampipe.io/plugins/turbot/net[Steampipe Net Plugin]\n* https://github.com/drwetter/testssl.sh[testssl.sh]\n\n\n| Dependency Patching\n| Apply security patches with a severity score of \"medium\" or higher, or ensure equivalent mitigations are available for all components of the application stack within one month of the patch release\n| * https://mvsp.dev/mvsp.en/index.html[MVSP 2.6]\n* ISO 27001 A.12.6.1\n* SOC2 CC7.1\n| * https://owasp.org/www-project-dependency-check[OWASP Dependency Check]\n* https://owasp.org/www-project-dependency-track[OWASP Dependency Track]\n\n| Logging\n| Keep logs of:\n\n  * Users logging in and out\n  * Read, write, delete operations on application and system users and objects\n  * Security settings changes (including disabling logging)\n  * Application owner access to customer data (access transparency)\n\nLogs must include user ID, IP address, valid timestamp, type of action performed, and object of this action.\nLogs must be stored for at least 30 days, and should not contain sensitive data or payloads. 
\n| * https://mvsp.dev/mvsp.en/index.html[MVSP 2.7]\n* ISO 27001 A.12.4.1\n* SOC2 CC7.2\n| * https://github.com/retracedhq[BoxyHQ Audit Logs]\n* https://www.elastic.co/elastic-stack[ELK Stack]\n* https://www.fluentd.org[FluentD]\n* https://steampipe.io[Steampipe]\n\n| Backup and Disaster Recovery\n| * Securely back up all data to a different location than where the application is running\n  * Maintain and periodically test disaster recovery plans\n  * Periodically test backup restoration\n| * https://mvsp.dev/mvsp.en/index.html[MVSP 2.8]\n* ISO 27001 A.17.1\n* SOC2 A1.3\n|\n\n| Encryption\n| Use available means of encryption to protect sensitive data in transit between systems and at rest in online data storages and backups\n| * https://mvsp.dev/mvsp.en/index.html[MVSP 2.9]\n* ISO 27001 A.10.1\n* SOC2 CC6.1\n* GDPR\n* HIPAA\n| * BoxyHQ Privacy Vault (coming soon)\n\n4+<h| Application Implementation Controls\nh| Control\nh| Description\nh| Compliance controls\nh| Tools\n\n| List of Sensitive Data\n| Maintain a list of sensitive data types that the application is expected to process\n| * https://mvsp.dev/mvsp.en/index.html[MVSP 3.1]\n* ISO 27001 A.10.1\n* SOC2 CC6.1\n* GDPR\n* HIPAA\n| * BoxyHQ Privacy Vault (coming soon)\n* https://github.com/Bearer/bearer[Bearer]\n\n| Data Flow Diagram\n| Maintain an up-to-date diagram indicating how sensitive data reaches your systems and where it ends up being stored\n| * https://mvsp.dev/mvsp.en/index.html[MVSP 3.2]\n* ISO 27001 A.10.1\n* SOC2 CC6.1\n* GDPR\n* HIPAA\n| * BoxyHQ Privacy Vault (coming soon)\n\n| Vulnerability Prevention\n| Train your developers and implement development guidelines to prevent at least the following vulnerabilities:\n\n  * Authorization bypass\n  * Insecure session ID\n  * Injections\n  * Cross-site scripting\n  * Cross-site request forgery\n  * Use of vulnerable libraries\n| * https://mvsp.dev/mvsp.en/index.html[MVSP 3.3]\n* ISO 27001 A.12.6.1\n* SOC2 CC7.1\n| * 
https://owasp.org/www-project-top-ten[OWASP Top Ten]\n* https://owasp.org/www-project-zap/[OWASP ZAP]\n* https://hub.steampipe.io/mods/turbot/net_insights[Steampipe Net Insights mod]\n* https://wapiti-scanner.github.io[Wapiti Scanner]\n* https://github.com/Bearer/bearer[Bearer]\n* https://codemodder.io[Codemodder]\n\n| Infrastructure and Cloud Security\n| Perform audits, continuous monitoring, hardening and forensics readiness for your infrastructure and cloud assets.\n| * ISO 27001 A.12.6.1\n* SOC2 CC7.1\n| * https://github.com/bridgecrewio/AirIAM[AirIAM]\n* https://github.com/aquasecurity/cloudsploit[Cloudsploit]\n* https://github.com/deepfence/ThreatMapper[Deepfence ThreatMapper]\n* https://github.com/controlplaneio/kubesec[Kubesec Kubernetes security]\n* https://github.com/prowler-cloud/prowler[Prowler for AWS]\n* https://hub.steampipe.io/mods?objectives=compliance,security[Steampipe Compliance & Security mods]\n* https://github.com/aquasecurity/trivy[Trivy container scanner]\n\n\n\n4+<h| Code Security\nh| Control\nh| Description\nh| Compliance controls\nh| Tools\n\n| Data Leakage Prevention\n| Protect secrets from leaking into code, logs and unwanted systems.\n| * ISO 27001 A.12.6.1\n* SOC2 CC7.1\n| * https://github.com/GitGuardian/ggshield[GitGuardian]\n* https://github.com/zricethezav/gitleaks[Gitleaks]\n* https://hub.steampipe.io/plugins/turbot/code[Steampipe Code Plugin]\n* https://github.com/Bearer/bearer[Bearer]\n\n| Zero Trust Principles\n| Keep data encrypted end-to-end and expose no listening ports that malware or ransomware could use to spread.\n| * https://doi.org/10.6028/NIST.SP.800-207[NIST Special Publication 800-207]\n| * https://github.com/openziti/ziti[OpenZiti] (numerous SDKs)\n|===\n"
  },
  {
    "path": "SUMMARY.adoc",
    "content": "= Summary\n\n. link:README.adoc[DevSec Tools]\n. link:COMPLIANCE.adoc[Compliance frameworks and certifications]"
  },
  {
    "path": "book.json",
    "content": "{\n  \"plugins\": [\n    \"@honkit/honkit-plugin-ga\"\n  ],\n  \"pluginsConfig\": {\n    \"ga\": {\n      \"trackingID\": \"G-SPZEPCS1QS\",\n      \"anonymizeIP\": true\n    }\n  }\n}"
  },
  {
    "path": "package.json",
    "content": "{\n  \"name\": \"awesome-oss-devsec\",\n  \"version\": \"0.1.0\",\n  \"description\": \"An awesome list of OSS developer-first security tools\",\n  \"main\": \"index.js\",\n  \"scripts\": {\n    \"build\": \"honkit build\",\n    \"dev\": \"honkit serve\",\n    \"help\": \"honkit --help\"\n  },\n  \"repository\": {\n    \"type\": \"git\",\n    \"url\": \"git+https://github.com/boxyhq/awesome-oss-devsec.git\"\n  },\n  \"keywords\": [\n    \"security\"\n  ],\n  \"author\": \"Deepak Prabhakara\",\n  \"license\": \"Apache-2.0\",\n  \"bugs\": {\n    \"url\": \"https://github.com/boxyhq/awesome-oss-devsec/issues\"\n  },\n  \"homepage\": \"https://github.com/boxyhq/awesome-oss-devsec#readme\",\n  \"devDependencies\": {\n    \"honkit\": \"6.0.2\",\n    \"@honkit/honkit-plugin-ga\": \"1.0.1\"\n  },\n  \"engines\": {\n    \"node\": \">=20.11.0\"\n  }\n}"
  }
]