Free and open source tools for securing applications throughout the SDLC. Browse SAST, DAST, SCA, and API security tools for vulnerability scanning, code analysis, and runtime protection.
swisskyrepo/PayloadsAllTheThings
A list of useful payloads and bypass for Web Application Security and Pentest/CTF

hoppscotch/hoppscotch
Open source API development ecosystem - https://hoppscotch.io (open-source alternative to Postman, Insomnia)
WerWolv/ImHex
🔍 A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM.

termux/termux-app
Termux - a terminal emulator application for Android OS, extensible by a variety of packages.

getsentry/sentry
Developer-first error tracking and performance monitoring
OWASP/CheatSheetSeries
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
OpenZeppelin/openzeppelin-contracts
OpenZeppelin Contracts is a library for secure smart contract development.

radareorg/radare2
UNIX-like reverse engineering framework and command-line toolset
FallibleInc/security-guide-for-developers
Security Guide for Developers

usestrix/strix
Open-source AI agents for penetration testing
javascript-obfuscator/javascript-obfuscator
A powerful obfuscator for JavaScript and Node.js

Konloch/bytecode-viewer
A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)

yiisoft/yii2
Yii 2: The Fast, Secure and Professional PHP Framework
maurosoria/dirsearch
Web path scanner
Tencent/secguide
A code security guide compiled for developers
mytechnotalent/Reverse-Engineering
A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit/64-bit ARM, 8-bit AVR and 32-bit RISC-V architectures.

pytest-dev/pytest
The pytest framework makes it easy to write small tests, yet scales to support complex functional testing

rubocop/rubocop
A Ruby static code analyzer and formatter, based on the community Ruby style guide.

digininja/DVWA
Damn Vulnerable Web Application (DVWA)
juice-shop/juice-shop
OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

nightwatchjs/nightwatch
Integrated end-to-end testing framework written in Node.js and using W3C Webdriver API. Developed at @browserstack
promptfoo/promptfoo
Test your prompts, agents, and RAGs. AI Red teaming, pentesting, and vulnerability scanning for LLMs. Compare performance of GPT, Claude, Gemini, Llama, and more. Simple declarative configs with command line and CI/CD integration.

swagger-api/swagger-editor
Swagger Editor
securego/gosec
Go security checker
SAST (Static Application Security Testing) analyzes source code without running the application, finding vulnerabilities early in development. DAST (Dynamic Application Security Testing) tests a running application from the outside, simulating real attacks. The two are complementary: SAST finds code-level issues, DAST finds runtime vulnerabilities.
Top free SAST tools include Semgrep (multi-language pattern matching), Bandit (Python security linting), SpotBugs with FindSecBugs (Java), Brakeman (Ruby on Rails), and SonarQube Community Edition. These integrate into CI/CD pipelines to catch vulnerabilities before deployment.
SCA (Software Composition Analysis) identifies vulnerabilities in open source dependencies. With 80%+ of modern applications built on open source components, SCA tools like OWASP Dependency-Check, Grype, and Syft are essential for understanding your software supply chain risk.
Use tools like OWASP ZAP or Burp Suite for API testing, implement OAuth 2.0 and OpenID Connect for authentication, enforce rate limiting, validate all inputs, and scan API schemas with tools like Spectral. The OWASP API Security Top 10 is the definitive reference for API vulnerabilities.