Open source security tools list (opens in new tab)

(github.com)

95 pointsDutchie20205y ago23 comments

23 comments

A lot of these "awesome" lists are maybe reasonably OK on first-publish, but ultimately become useless due to:

1. Lack of curation (focus on including everything rather than being opinionated)

2. Lack of updates (tools get out of date fast, especially in long lists that try and include everything).

However, THIS list is different. This list is BAD on first publish. Most of the categories are not even remotely security related ("Project Management") or at least not explicitly so ("Supply Chain Management" / "Docker UI" / "Configuration Management"). Yeah sure, some of the latter will be useful for blue teams, but noone on any blue team is going to be searching for those tools under the keyword "security".

Beyond the above, things get worse: the formatting is hopeless, many of the tools are not open-source at all, and while including a lot of irrelevant non-security-related stuff, it omits many obvious well-known security tools.

Flagged for marketing this as "Open source"

Dutchie2020OP5y ago

Flagging seems a bit excessive. I have no affiliation with penetrum. Just thought the collection as a whole was interesting. Of course it's not a perfect list as it seems to be a one time post.

lucideer5y ago

I wouldn't go as far as flagging typically for low-quality content. However labelling something as "open source" when it is in fact not "open source" goes further.

justin_oaks5y ago

I find such lists nigh unto useless. I don't have time to evaluate each project to see which one is the right fit for my needs.

We'd be better off if people did a deep dive analysis of just one of those categories.

I suspect that whoever constructs these types of lists does NOT have experience with each project, and thus there's bound to be plenty of projects that don't deserve to be on the list because they're just not ready for production usage.

IndySun5y ago

Correct. Also, I've viewed many so-called 'awesome' lists that have out of date, abandoned, discredited, links. Copy Pasted?

By all means take a look, but use some perspicacity.

ozim5y ago

I think people find it neat to have 'awesome list' and then they find out how much work it is to update it at least once a year.

Second idea, they put it on GH and expect that "community" will post pull requests to their list doing work. Maybe not in an 'evil' way but they think that idea is neat and others will find it also cool.

I found it in a way where I was setting website for a local hobby club. I have started initial web page, posted couple articles and wanted others to pick up and participate. After 3 months of initial "oh that is so cool we have a website", no one ever cared beside me, I operated website for 2 more years and moved on with life to other hobbies because of life.

1 more reply

corty5y ago

Most "awesome lists" are just there for farming GitHub stars. There are people who think those will get them ahead in applications or salary negotiations.

This also means that after the initial inrush, long-term care is inefficient (star-wise) and the purpose is maybe already fulfilled anyways.

zorbash5y ago

The worst thing about "awesome" lists is that they're not searchable and as you say, they tend to have out of date links.

ozim5y ago

This looks more like stack for that company.

If that would be at least a list of tools they find amazing or solving some problem in a great way.

But it is just everything, trello, dnsmasq, openvas and a kitchen sink.

bertman5y ago

  strg+f Wireguard: 0/0

I guess maintaining recommendation lists is hard.

Fnoord5y ago

Yeah, I saw. Also, Wazuh (as "WAZUH") is mentioned as SIEM right under OSSEC (which it forked) but then it isn't mentioned under HIDS whereas OSSEC is. I don't see Ghidra or Kali mentioned either.

pure-xx5y ago

I try to do something similar with Threat Intel / OSINT tooling at http://www.threat-intel.xyz. List gets regular updated and curated by hand.

lucideer5y ago

This is great. Producing lists like this that are good & useful is not easy: what you've done by focusing on threat intel (instead of broad/generic "security" heading) seems a very good approach.

Dutchie2020OP5y ago

Really wasn't expecting some much feedback on this list, just found it while looking for some SIEM solution and thought it was interesting. Your site looks way better though! Maybe the admins can change the URL?

globular-toast5y ago

This has the lowest signal to noise ratio of any of these lists of I've seen so far. That entire project management section should go. The entire section on configuration management should go. There are probably some good tools here but I'm not going to click on each and every one just in case it's something more interesting than Trello.

dalu5y ago

Yesterday I needed a regex fuzzer but couldn't find any (except some Windows SDL whatever that means, I'm not developing on Windows) In the end I just created a very limited whitelist of input characters allowed and didn't use a "security tool"

0xad5y ago

You can use grammarinator or any other of myriad grammar fuzzers BUT I'd start with radamsa and its string-related flags. Radamsa is _awesome_, you run it on an input and you get mutated output. Works both for binary files and text fles (such as grammars).

xaldir5y ago

> open source

First tool: Trello

Hmm okay

studentik5y ago

Cool list! Gives general ideas on what to take into account when dealing with security

1MachineElf5y ago

Curious to see the pfSense firewall appliance OS filed under "Anti-Virus"

monkin5y ago

That’s one badly formatted list.

dan_can_code5y ago

I thought so too. I was hoping to be able to click a url.

j / k navigate · click thread line to collapse

23 comments

lucideer5y ago

A lot of these "awesome" lists are maybe reasonably OK on first-publish, but ultimately become useless due to:

1. Lack of curation (focus on including everything rather than being opinionated)

2. Lack of updates (tools get out of date fast, especially in long lists that try and include everything).

Flagged for marketing this as "Open source"

Dutchie2020OP5y ago

Flagging seems a bit excessive. I have no affiliation with penetrum. Just thought the collection as a whole was interesting. Of course it's not a perfect list as it seems to be a one time post.

lucideer5y ago

I wouldn't go as far as flagging typically for low-quality content. However labelling something as "open source" when it is in fact not "open source" goes further.

justin_oaks5y ago

I find such lists nigh unto useless. I don't have time to evaluate each project to see which one is the right fit for my needs.

We'd be better off if people did a deep dive analysis of just one of those categories.

IndySun5y ago

Correct. Also, I've viewed many so-called 'awesome' lists that have out of date, abandoned, discredited, links. Copy Pasted?

By all means take a look, but use some perspicacity.

ozim5y ago

I think people find it neat to have 'awesome list' and then they find out how much work it is to update it at least once a year.

1 more reply

corty5y ago

Most "awesome lists" are just there for farming GitHub stars. There are people who think those will get them ahead in applications or salary negotiations.

This also means that after the initial inrush, long-term care is inefficient (star-wise) and the purpose is maybe already fulfilled anyways.

zorbash5y ago

The worst thing about "awesome" lists is that they're not searchable and as you say, they tend to have out of date links.

ozim5y ago

This looks more like stack for that company.

If that would be at least a list of tools they find amazing or solving some problem in a great way.

But it is just everything, trello, dnsmasq, openvas and a kitchen sink.

bertman5y ago

  strg+f Wireguard: 0/0

I guess maintaining recommendation lists is hard.

Fnoord5y ago

Yeah, I saw. Also, Wazuh (as "WAZUH") is mentioned as SIEM right under OSSEC (which it forked) but then it isn't mentioned under HIDS whereas OSSEC is. I don't see Ghidra or Kali mentioned either.

pure-xx5y ago

I try to do something similar with Threat Intel / OSINT tooling at http://www.threat-intel.xyz. List gets regular updated and curated by hand.

lucideer5y ago

This is great. Producing lists like this that are good & useful is not easy: what you've done by focusing on threat intel (instead of broad/generic "security" heading) seems a very good approach.

Dutchie2020OP5y ago

globular-toast5y ago

dalu5y ago

0xad5y ago

xaldir5y ago

> open source

First tool: Trello

Hmm okay

studentik5y ago

Cool list! Gives general ideas on what to take into account when dealing with security

1MachineElf5y ago

Curious to see the pfSense firewall appliance OS filed under "Anti-Virus"

monkin5y ago

That’s one badly formatted list.

dan_can_code5y ago

I thought so too. I was hoping to be able to click a url.

j / k navigate · click thread line to collapse