appsecsanta.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-22.
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-04-22 | Bandit Python: Free SAST in 10 Seconds (2026 Review) | Python | Bandit is a static analysis library for Python code that identifies common security issues through abstract syntax tree (AST) analysis. It ships with 47 built-in checks targeting vulnerabilities such as hardcoded credentials, weak cryptography, and injection flaws, plus specialized plugins for issues such as insecure Hugging Face model downloads (B615). Bandit offers flexible configuration, multiple output formats including SARIF, baseline comparisons for incremental scans, and integration with pre-commit hooks and Docker. It is recommended for Python projects that need a free, focused security linter to complement broader SAST solutions. |
| 2026-04-17 | Gitleaks vs TruffleHog 2026 Benchmarks (AppSec Santa) | Secrets | Benchmark comparison of the open-source secret scanners Gitleaks and TruffleHog. Gitleaks excels as a fast pre-commit hook, using regex rules for rapid detection within git repositories. TruffleHog offers deeper scanning across git, S3 buckets, Docker images, and Slack, and verifies credentials to confirm active leaks, which makes it suitable for CI/CD pipelines. Most teams use both tools for comprehensive secret protection. |
| 2026-04-10 | OWASP MASVS & MASTG: Mobile Security Guide (2026) | Mobile | Guide to the OWASP MASVS and MASTG mobile application security requirements and testing guides, detailing structured verification for the categories storage, cryptography, authentication, network communication, platform interaction, code quality, and resilience. MASVS defines a baseline (L1) and a defense-in-depth (L2) security level, plus a resilience (R) category for protection against reverse engineering; MASTG provides companion test cases for each requirement. Tools such as MobSF, NowSecure, and AppKnox can be mapped to specific MASVS categories for automated and manual assessments. |
| 2026-04-10 | 8 Best Secret Scanning Tools (2026) | Secrets | Roundup of tools for detecting hardcoded credentials, API keys, and tokens. It highlights Gitleaks for pre-commit blocking, TruffleHog for live credential verification, and detect-secrets for legacy codebases. GitGuardian is noted as a leading managed platform, offering real-time monitoring and scanning of collaboration tools. The article emphasizes early detection to prevent data breaches and account takeovers, contrasting the cost of pre-commit remediation with that of post-commit incident response. |
| 2026-04-06 | Objection 2026: Runtime Mobile Exploration via Frida | Mobile | Guide to runtime mobile security exploration with Objection, a tool built on Frida. Objection provides a Python CLI that wraps Frida with pre-built commands for iOS and Android pentesting, letting testers hook live applications from an interactive command line without writing custom JavaScript. Key features include SSL pinning bypass, file system and container exploration, and memory/heap analysis. It supports testing on jailbroken/rooted devices via `frida-server`, or on non-jailbroken/non-rooted devices by patching apps with `objection patchipa`/`patchapk`. |