
STRIDE GPT AI-Powered Threat Modeling Web App

STRIDE GPT is a web-based application that uses large language models to help teams create threat models automatically based on the STRIDE methodology. Users describe their application’s architecture and security-relevant context, and the tool generates a comprehensive list of threats categorized by STRIDE, as well as optional attack trees, DREAD risk scores, suggested mitigations, and even Gherkin test cases. It supports multiple LLM providers and aims to simplify design-phase threat analysis, making proactive security assessment more accessible. https://stridegpt.streamlit.app/

Threat Modeling Tool Directory on GitHub

The Toreon Threat Modeling Tool Directory on GitHub is a curated list of tools that support or automate the design-time threat modeling process. It focuses exclusively on software, code, libraries, or services that help practitioners systematically identify, analyze, and mitigate threats during system design. The directory lists a variety of tools — from classic diagram and risk-analysis applications to newer AI-augmented threat modeling tools — and specifies inclusion criteria that emphasize practical support for threat modeling workflows, excluding operational threat intelligence or purely conceptual frameworks. The repository invites contributions to expand and enhance the list of available tools. https://github.com/Toreon/Threat-Modeling-Tool-Directory

Scanner Tool for Detecting Critical "React2Shell" RCE Vulnerabilities in React and Next.js

This GitHub repository contains a comprehensive scanning toolset designed to detect and remediate two critical, unauthenticated remote code execution (RCE) vulnerabilities—CVE-2025-55182 (React) and CVE-2025-66478 (Next.js)—both rated CVSS 10.0. Dubbed "React2Shell," this flaw in the React Server Components (RSC) Flight protocol allows a single crafted HTTP request to deserialize into server-side code execution on vulnerable systems. The project provides two primary tools: a Software Composition Analysis (SCA) scanner to identify vulnerable dependencies in a codebase, and a web Dynamic Application Security Testing (DAST) scanner to actively probe live endpoints and validate exploitability in production environments. The web scanner includes a full test lab with exploit examples and is capable of scanning targets at scale, generating multiple report formats, and correlating findings with known attack patterns. The repository emphasizes that this is a critical security incident...

OWASP Social OSINT Agent Deep-Dive

The OWASP Social OSINT Agent is an open-source autonomous intelligence tool built to gather, analyze, and synthesize publicly available social media data across platforms like Twitter/X, Reddit, GitHub, Hacker News, Bluesky, and Mastodon, using text and vision-capable large language models via any OpenAI-compatible API to produce coherent analytical reports from scattered activity. It supports flexible fetch controls, intelligent rate-limit handling, structured prompt-based analysis, robust caching to reduce API calls, offline mode, interactive CLI and Docker deployment, and both interactive and programmatic report generation. This project aims to help security professionals automate deep open-source intelligence investigations by turning raw social data into structured insights. https://github.com/bm-github/owasp-social-osint-agent

GuardScan — Privacy-First Free AI Code Review & Security Scanner

GuardScan is a free, open-source CLI tool for code security, quality, and review. It performs static analysis to detect hard-coded secrets, dependency vulnerabilities, OWASP-Top-10 style flaws, insecure Docker/IaC configurations, license/compliance issues, and code smells. Optionally, it can integrate with your own AI provider (e.g. OpenAI, Claude, Gemini, or a local model) to offer AI-enhanced features: code review, explanations, documentation generation, test generation, refactoring suggestions, commit-message generation, threat modeling, and more — all while keeping your source code local and private. Because GuardScan runs fully on your machine (or infrastructure), it doesn’t require uploading code to third-party services; it’s free forever, and designed to work offline or in air-gapped environments. https://github.com/ntanwir10/GuardScan

GoDefender: Anti-Debug & Anti-Virtualization Toolkit for Go Applications

GoDefender is a Go library created by EvilBytecode that helps applications detect and defend against debugging tools, virtualization environments (like VMware or VirtualBox), and code injection techniques. Its modules include anti-debug checks (e.g., detecting if a debugger is attached), virtualization metrics (e.g., identifying sandboxed or emulated environments), and protections against DLL injection. https://github.com/EvilBytecode/GoDefender

OpenSourceMalware Builds a Community Against Supply-Chain Threats

OpenSourceMalware is a collaborative platform where researchers and developers share intelligence about malicious open-source packages and repositories. It focuses on detecting and cataloging compromised libraries across ecosystems like npm and PyPI, enabling the security community to identify, track, and mitigate supply-chain attacks. By centralizing data on open-source malware and promoting transparent collaboration, the project aims to strengthen collective defenses against increasingly sophisticated threats hidden in trusted codebases. https://opensourcemalware.com/

OWASP Threat and Safeguard Matrix Links Risks to Defenses

The OWASP Threat and Safeguard Matrix (TaSM) maps common cybersecurity threats such as phishing, supply-chain compromise, and web abuse against the NIST Cybersecurity Framework functions—Identify, Protect, Detect, Respond, and Recover. This approach helps organizations visualize how each safeguard mitigates specific risks, identify coverage gaps, and prioritize defenses based on real business impact. TaSM provides a practical, defense-in-depth structure for aligning technical and procedural controls with enterprise risk management. https://owasp.org/www-project-threat-and-safeguard-matrix/

Island Browser: Redefining the Corporate Web Workspace

Island is a Chromium-based enterprise browser built to embed security and governance directly into the browsing environment. It allows organizations to control user actions such as copy, download, and screenshot, enforce conditional access based on identity or device posture, and secure SaaS and internal web apps across managed or unmanaged devices. Positioned as a leader in the enterprise browser market, Island aims to make the browser itself the central control point for security and productivity in hybrid work environments. https://www.island.io/

Cisco Launches Project CodeGuard to Secure AI-Generated Code

Cisco has introduced Project CodeGuard, an open-source framework designed to enhance the security of software generated with the assistance of artificial intelligence coding agents. This framework aims to provide a "secure by default" approach, integrating security measures throughout the software development lifecycle—before, during, and after AI-assisted code generation. By implementing a unified, model-agnostic system, Project CodeGuard ensures that AI-generated code adheres to security best practices, addressing common vulnerabilities such as hardcoded secrets, inadequate input validation, outdated cryptography, and reliance on deprecated dependencies. The initiative emphasizes the importance of incorporating security at every stage of development, offering tools like rule sets, translators for popular AI coding agents, and validators to facilitate automatic enforcement of security standards. While acknowledging that human oversight remains essential, Cisco's Project ...

Framework for Scaling Security in Software Factories

The Software Factory Security Framework (SF²) provides a strategic approach for organizations — from startups to enterprises — to scale security alongside software development. It emphasizes universal security responsibilities, a two-axis model to assess organizational posture, and an investment-portfolio mindset for allocating resources. The framework integrates with existing standards such as NIST SSDF and OWASP SAMM but fills in gaps around strategic priorities and sustainable resourcing. https://sf2framework.com/#framework-overview

Continuous Threat Modeling Made Scalable

The platform “Fork” offers a continuous, data-driven approach to application threat modeling, designed to scale across teams and lifecycles. It uses the risk-centric PASTA framework to go beyond purely technical vulnerabilities, linking business impact, threat libraries, real-time intelligence and integrations with existing tools. The offering includes a free tier for smaller-scale use and enterprise plans with unlimited scope, team access, audit controls, and even optional outsourced modeling services. https://forktm.com/

Seqra — security-focused static analyzer for Java

The Seqra project is a security-oriented static analysis tool built in Go that combines the data-flow and cross-module strengths of CodeQL with the rule-writing simplicity of Semgrep. It outputs results in the standard SARIF format for CI/CD integration, can run scans on Java projects, and is free to use under the MIT License (with parts under the Functional Source License). The core engine is source-available under certain conditions, and Seqra emphasizes seamless adoption via CLI, GitHub Actions, and integration into developer tooling. https://github.com/seqra/seqra

Proofs-of-Concept for Release Tampering via GitHub Actions

This GitHub repository contains PoCs (proofs of concept) demonstrating how a malicious maintainer—one who already has commit or maintainer access—can stealthily tamper with software releases built via GitHub Actions workflows. The repository was presented at fwd:cloudsec Europe 2025. The content begins by defining the threat model: a maintainer who wants to hide malicious changes in release artifacts without altering the source code. It then walks through multiple attack paths across the SLSA pipeline stages (Source, Build, Distribution). The first path exploits the fact that GitHub Releases are mutable by default, so a maintainer can alter assets after publishing. Another path uses a typosquatted third-party GitHub Action to insert malicious behavior during the build. Other variants include abusing controlled runners (hosted or self-hosted), manipulating checkout behavior, or using orphan commits to erase traces. For each attack path, the repository includes OPSEC considerations (wh...

Qinsight — Enterprise Cryptographic Posture Management

Qinsight is a SaaS platform focused on giving organizations visibility into their cryptographic assets across TLS, SSH, certificates, and encryption protocols. It helps assess and score cryptographic risk, flag vulnerabilities (including quantum-vulnerable algorithms), and provide guidance for remediation. The platform is designed to aid compliance, prepare for post-quantum cryptographic transitions, and reduce blind spots in how encryption is used across enterprise systems. https://www.qinsight.com/

Auto Exploit: Harnessing LLMs for Rapid Vulnerability Exploitation

Auto Exploit is an emerging cybersecurity platform that explores the potential of large language models (LLMs) to autonomously generate exploits for newly discovered vulnerabilities. Its provocative claim is that an LLM can produce a working exploit in under 10 minutes and for as little as a dollar. Currently, the site features an empty exploits database, indicating that the platform is in its early stages. Visitors can join a waitlist to receive updates as the platform develops. https://autoexploit.ai/

Monitoring MCP Traffic Using eBPF: Part 1

In the first installment of his series, Alex Ilgayev introduces MCPSpy, an open-source tool designed to monitor Model Context Protocol (MCP) traffic. MCP is an emerging standard that enables AI applications to communicate with external tools and data sources. Ilgayev discusses the motivations behind developing MCPSpy, the choice of eBPF for monitoring, and the tool's initial implementation. He also outlines the limitations of the current version and hints at future developments, such as inspecting encrypted HTTPS-based MCP communications over TLS. The article emphasizes the importance of visibility in securing AI-driven tools and sets the stage for deeper exploration in subsequent parts of the series. https://blog.alexil.me/monitoring-mcp-traffic-using-ebpf-part-1-c445b76377cf

Archive of 0day.today exploits

This repository preserves an archive of exploit data originally hosted on 0day.today, a long-running public repository of proof-of-concept exploits and shellcode. In early 2025, 0day.today went offline and later returned without its previous content, leaving years of technical exploit data erased from the internet. Because the site used anti-bot protections, much of its content was never archived publicly. This project serves as a historical preservation effort to prevent permanent loss, support security researchers, educators and defenders, and add context to CVEs that are poorly documented elsewhere. The archive includes a top-level index.json listing metadata such as exploit ID, date, category, platform, author, CVEs, title and original link, with each exploit stored in its category directory as a plain-text file named by its exploit ID. It is licensed under Apache 2.0. https://github.com/vulncheck-oss/0day.today.archive

AI powered GitHub Action for real time security scans

This repository provides a GitHub Action that uses Claude to automatically review code changes for security vulnerabilities. It scans pull requests in the CI/CD pipeline and posts inline comments highlighting issues like SQL injection, cross-site scripting, authentication flaws, insecure data handling and dependency problems. Developers can also run ad hoc security checks from the terminal using the /security-review command, which analyzes the codebase, explains detected issues and suggests or applies fixes. The project is open source, MIT licensed and created by Anthropic. https://github.com/anthropics/claude-code-security-review

OWASP AIVSS Scores AI-Specific Security Risks

OWASP's AI Vulnerability Scoring System (AIVSS) provides a structured method to assess security risks in AI systems, especially agent-based and generative models. It extends beyond traditional CVSS by scoring behaviors like tool misuse, memory tampering, and identity spoofing. AIVSS includes scoring rubrics, calculators, and templates to support consistent evaluation and mitigation planning. https://aivss.owasp.org/