Since Pulse Security kicked off, we’ve been contributing code to open source projects to fix bugs, implement new functionality and try to do our part in pushing the state of open source security tooling forward. This post digs into some of these contributions, and how we’re trying to empower our clients to start addressing some of the security basics themselves using this FOSS tooling.
Background
At Pulse, we don’t want someone to hire us to review the security of their shiny new project just because we have some mythical tool or wordlist. The value isn’t in the tool, it’s in our people, expertise and the processes. The more we can share our knowledge, the better for everyone.
This also led to a bunch of open-source contributions. This article is going to take a break from our usual content and talk about some of the things we’ve done in the FOSS space.
Nuclei Scanner
We’ve been working on a better solution that would let clients find common low/observational issues themselves, streamline our reporting of generic hardening issues, and allow us to spend more time focusing on finding and documenting higher severity issues.
In the AppSec space, enter Project Discovery’s Nuclei, an open source web application security scanner, which we have begun contributing to. We’re encouraging our clients to run this themselves regularly when they don’t want to invest in more expensive tooling.
We implemented XPath matching functionality, and Will has been spearheading getting new checks into Nuclei. Whenever we find a hardening issue that is not specific to a certain client, such as Tomcat with stack traces enabled, we write a Nuclei check for it and submit it upstream. Expect to see more checks from us in the future.
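The kind of check described above, written out as an added example: this is an illustrative Nuclei template, not one of the upstream checks or Pulse’s own code. It uses Nuclei’s XPath matcher against the markup of Tomcat’s default error report page, which carries the stack trace in a `<pre>` block and the server banner in a trailing `<h3>`. The template id, author and the request path are assumptions for the example; the request that actually produces a 500 from a given application will vary.

```yaml
id: tomcat-stack-trace-exposure   # assumed id for this example

info:
  name: Apache Tomcat - Stack Trace Disclosure (illustrative)
  author: example-author          # placeholder, not an upstream template
  severity: low
  description: |
    Flags Tomcat's default error report page when it includes a full Java
    stack trace. The trace leaks internal class names, framework versions
    and code paths. Remediation: configure the ErrorReportValve in
    server.xml with showReport="false" and showServerInfo="false", and
    serve a custom error page instead.
  tags: tomcat,misconfig,exposure

http:
  - method: GET
    path:
      # Assumption: the path that triggers the error is application
      # specific; "/" is a stand-in for whatever reproduces the 500.
      - "{{BaseURL}}/"

    # Every matcher below must hit for the template to report a finding.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500

      # XPath matcher: both expressions must select a node in the body.
      # The h3 footer is Tomcat's server banner; the pre block is where
      # the default error report prints the exception stack trace.
      - type: xpath
        part: body
        condition: and
        xpath:
          - "//h3[starts-with(text(), 'Apache Tomcat/')]"
          - "//pre[contains(text(), 'at org.apache.catalina')]"
```

Requiring both the server banner and a Catalina frame in the trace keeps the check from firing on generic 500 pages, and pairing it with the status matcher stops a cached or proxied error body from matching on its own. Running it with `nuclei -t tomcat-stack-trace-exposure.yaml -u https://host` reports the host as a low-severity misconfiguration when the trace is exposed.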
Pulse Maintained Tools
Various Pulse staff have released and maintained open source tooling, including tooling to statically compile Linux binaries, JavaScript sourcemap extractors and network daemon fuzzers. There’s even CAD files for intake velocity stacks and a welding bench in there somewhere…
There’s far too much to cover in a single article; instead, you can see some of what’s available in our source repos:
Contributions to FFUF, Seclists and Miscellaneous Projects
We use a bunch of various open source tools such as ffuf and pencode, along with SecLists and PayloadsAllTheThings for wordlists. Elle has also been submitting minor fixes for the OWASP WSTG and OWASP Cheat Sheet Series.
We’ve contributed fixes and features to these projects, along with various other offensive security tooling projects over the past few years.
Summary
We’ll continue to give our staff time to write and release code, and do our best to try to make things a little bit better than they were yesterday. If we can empower people to start tackling the security basics themselves, we can start to make things a little bit safer for everyone too.
