Awesome AppSec in Ubuntu

Description

Ubuntu, a mature and user-friendly Linux distribution, is used by developers and security communities alike. Its appeal also lies in the ease of installing handy tools. Ubuntu have two main software distribution channels:

• Ubuntu archive: If software is embraced by Ubuntu or Debian because of its maturity and usefulness, it's distributed as a Debian package. Given the slow release cycle, you can expect only stable versions here. However, it's a double-edged sword - you might miss out on the latest features introduced by the upstream.
• Snap Store: Here's where anyone can play! By simply wrapping your software in a self-contained snap, you can publish it in the Snap Store. With no restrictions on release cycles, maintainers can publish new versions at their own pace.

This open list curates awesome tools that:

• Assist anyone working with code to ensure or improve the security of a codebase; and
• Can be easily installed on Ubuntu, either from the Ubuntu Archive or the Snap Store.

Categories

The tools were meticulously grouped into categories. To make things more visual, the following diagram outlines each category and how it could potentially fit into your software development lifecycle.

%%{init: {'theme':'neutral'}}%%

gantt
    axisFormat  

    section Stages in the Software Development Lifecycle
        Planning                : 2050-01-01, 1d
        Analysis                : 1d
        Design                  : 1d
        Implementation          : 1d
        Testing and integration : 1d
        Maintainance            : 1d

    section Categories from this list
        Threat modelling                            : 2050-01-01, 6d
        License scanning                            : 2050-01-03, 2d
        Fuzzing                                     : 2050-01-04, 2d
        Symbolic execution                          : 2050-01-04, 2d
        Security linting                            : 2050-01-04, 3d
        Vulnerability scanning for dependencies     : 2050-01-04, 3d
        Runtime isolation                           : 2050-01-04, 3d
        Runtime process analysis                    : 2050-01-04, 3d
        Web scanning                                : 2050-01-04, 3d
        Web firewalling                             : 2050-01-04, 3d
        Reverse engineering                         : 2050-01-05, 1d
        Vulnerability disclosure                    : 2050-01-06, 1d

Tools

Coordinated vulnerability disclosure

• cvelib (package) - CLI tool and Python library for communicating with the CVE Services API.

Fuzzing

• AFL++ (package) - Coverage-based fuzzer with compile-time instrumentation and QEMU emulation.

License scanning

• Trivy (snap) - License scanner and opinionated risk assessor.

Reverse engineering

• Capstone (package) - Disassembly framework supporting 20+ architectures.
• Ghidra (snap) - Reverse engineering framework with disassembly, assembly, decompilation, graphing, and scripting capabilities.
• MobSF (snap) - Android and IOS security assessment platform, both static and dynamic.
• radare2 (snap) - Reverse engineering toolkit with disassamblers, debuggers, and emulators.

Runtime isolation

• AppArmor (package) - Linux security module implementing a MAC policy to limit the capabilities of an application.
• Landlock (OS feature) - Linux LSM implementing access control for unprivileged processes.
• Kernel Lockdown (OS feature) - Linux kernel feature to prevent unauthorized access or modification to the kernel image or sensitive data from the kernel memory.
• Snapcraft (snap) - Toolkit for creating snaps, namely cross-distro packages that are self-contained using the AppArmor LSM.

Runtime process analysis

• nsntrace (snap) - Network tracer for processes, with .pcap exports.
• Valgrind (snap) - Memory management and thread error detector.

Security linting

• Bandit (snap) - Python static code analyser.
• Brakeman (snap) - Static vulnerability scanner for Ruby on Rails.
• Clippy (package) - Rust linter with safety checks
• cppcheck (snap) - C/C++ static code analyser.
• frawfinder (snap) - C/C++ static code analyser.
• gosec (snap) - Go static code analyser.
• govulncheck (snap) - Go static code analyser.
• Ruff (snap) - Python linter with security-oriented rules.
• semgrep-rules-manager (snap) - Downloader of third-party Semgrep rules.
• Semgrep (snap) - Static analysis engine for finding bugs and querying the code in 30+ programming languages.
• ShellCheck (snap) - Static doe analyser for shell scripts.

Symbolic execution

• KLEE (snap) - Symbolic execution VM using LLVM.

Threat modelling

• OWASP Threat Dragon (snap) - Threat modelling platform.

Vulnerability scanning for dependencies

• cargo-auditable (package) - Tool for embedding the dependency tree in Rust-based executables, which can be later scanned for vulnerabilities.
• depsdev (snap) - deps.dev client for fetching details such as dependencies, licenses, advisories, and critical health.
• OSV-Scanner (snap) - Vulnerability scanner for projects' lists of dependencies.
• Trivy (snap) - Vulnerability scanner for SBOM.

Web firewalling

• Apache ModSecurity (package) - Apache module for ModSecurity
• libmodsecurity (package) - ModSecurity library, used for the integration with Nginx
• modsecurity-crs (package) - OWASP ModSecurity Core Rule Set

Web scanning

• Zed Attack Proxy (snap) - Extensible web app scanner.
• sublist3r (package) - Subdomain enumeration tool by using OSINT or bruteforce.
• wfuzz (package) - Fuzzer for any field of an HTTP request.

Contributions

Do you use Ubuntu for software development or security? Ever discovered an awesome software security tool that can be swiftly installed on Ubuntu via apt or snap, yet it's missing from this list?

Just follow the contribution guide and it will be added to this list. Your contribution could be the missing piece in someone else's Ubuntu journey!