{"id":22560005,"url":"https://github.com/paulveillard/cybersecurity-dynamic-analysis","last_synced_at":"2026-01-06T08:56:12.363Z","repository":{"id":109657684,"uuid":"455721083","full_name":"paulveillard/cybersecurity-dynamic-analysis","owner":"paulveillard","description":"An ongoing \u0026 curated collection of awesome vulnerability scanning software, libraries and frameworks, best guidelines and technical resources and most important dynamic application security testing (DAST)","archived":false,"fork":false,"pushed_at":"2022-04-09T13:33:54.000Z","size":562,"stargazers_count":11,"open_issues_count":0,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-02-02T12:37:15.429Z","etag":null,"topics":["dast","dynamic-analysis","dynamic-analysis-engines","sast","static-analysis","vulnerabilities","vulnerability-assessment","vulnerability-identification","vulnerability-management","vulnerability-scanner","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/paulveillard.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"contributing.md","funding":null,"license":"LICENSE","code_of_conduct":"code-of-conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-04T23:00:03.000Z","updated_at":"2025-01-10T05:18:16.000Z","dependencies_parsed_at":"2023-05-15T20:00:41.809Z","dependency_job_id":null,"html_url":"https://github.com/paulveillard/cybersecurity-dynamic-analysis","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paulveillard%2Fcybersecurity-dynamic-analysis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paulveillard%2Fcybersecurity-dynamic-analysis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paulveillard%2Fcybersecurity-dynamic-analysis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paulveillard%2Fcybersecurity-dynamic-analysis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/paulveillard","download_url":"https://codeload.github.com/paulveillard/cybersecurity-dynamic-analysis/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246026112,"owners_count":20711581,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dast","dynamic-analysis","dynamic-analysis-engines","sast","static-analysis","vulnerabilities","vulnerability-assessment","vulnerability-identification","vulnerability-management","vulnerability-scanner","vulnerability-scanners"],"created_at":"2024-12-07T21:10:28.994Z","updated_at":"2026-01-06T08:56:12.323Z","avatar_url":"https://github.com/paulveillard.png","language":null,"funding_links":[],"categories":["Application Security"],"sub_categories":["DAST"],"readme":"# Dynamic Analysis Tools\n\u003e An ongoing \u0026 curated collection of awesome vulnerability scanning software, libraries and frameworks, best guidelines and technical resources and most important dynamic application security testing (DAST)\n\n\n## `What is Dynamic Analysis?`\n[Dynamic analysis](https://www.intel.com/content/www/us/en/develop/documentation/inspector-user-guide-windows/top/getting-started/dynamic-analysis-vs-static-analysis.html) is the testing and evaluation of an application during runtime.\n\n![dast](https://github.com/paulveillard/cybersecurity-dynamic-analysis/blob/main/img/dast-pipelines.png)\n\nThe primary advantage of dynamic analysis: It reveals subtle defects or vulnerabilities whose cause is too complex to be discovered by static analysis. Dynamic analysis can play a role in security assurance, but its primary goal is finding and debugging errors.\n\n![dynamic](https://github.com/paulveillard/cybersecurity-dynamic-analysis/blob/main/img/Application-Security-Testing.png)\n\n## `Table of Contents`\n\n#### [Programming Languages](#programming-languages-1)\n\n\u003cdetails\u003e\n \u003csummary\u003eShow languages\u003c/summary\u003e\n  \u003c!-- Please use HTML syntax here so that it works for Github and mkdocs --\u003e\n  \u003cul\u003e\n    \u003cli\u003e\u003ca href=\"#dotnet\"\u003e.NET\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#c\"\u003eC\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#cpp\"\u003eC++\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#java\"\u003eJava\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#javascript\"\u003eJavaScript\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#php\"\u003ePHP\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#python\"\u003ePython\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#ruby\"\u003eRuby\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#rust\"\u003eRust\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#sql\"\u003eSQL\u003c/a\u003e\u003c/li\u003e\n    \u003cli\u003e\u003ca href=\"#vbasic\"\u003eVisual Basic\u003c/a\u003e\u003c/li\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n#### [Multiple languages](#multiple-languages-1)\n\n#### [Other](#other-1)\n\n- [API](#api)\n  - [Binaries](#binary)\n  - [Bytecode/IR](#bytecode)\n  - [Containers](#container)\n  - [Laravel](#laravel)\n  - [Security/DAST](#security)\n  - [Web](#web)\n  - [WebAssembly](#webassembly)\n  - [XML](#xml)\n  \n\n---\n\n## `Programming Languages`\n\n\u003ch2 id=\"dotnet\"\u003e.NET\u003c/h2\u003e\n\n- [Microsoft IntelliTest](https://docs.microsoft.com/en-us/visualstudio/test/intellitest-manual/getting-started?view=vs-2019) — Generate a candidate suite of tests for your .NET code.\n- [Pex and Moles](https://www.microsoft.com/en-us/research/project/pex-and-moles-isolation-and-white-box-unit-testing-for-net/) — Pex automatically generates test suites with high code coverage using automated white box analysis.\n\n\n\u003ch2 id=\"c\"\u003eC\u003c/h2\u003e\n\n- [CHAP](https://github.com/vmware/chap) — Analyzes un-instrumented ELF core files for leaks, memory growth, and corruption. It helps explain memory growth, can identify some forms of corruption, and  supplements a debugger by giving the status of various memory locations.\n- [KLEE](https://github.com/klee/klee) — Symbolic virtual machine built on top of the LLVM compiler infrastructure.\n- [LDRA](https://ldra.com) :copyright: — A tool suite including dynamic analysis and test to various standards can ensure test coverage to 100% op-code, branch \u0026 decsion coverage.\n- [LLVM/Clang Sanitizers](https://github.com/google/sanitizers) — \u003cul\u003e \u003cli\u003e\u003ca href=\"https://github.com/google/sanitizers/wiki/AddressSanitizer\"\u003eAddressSanitizer\u003c/a\u003e - A memory error detector for C/C++\u003c/li\u003e \u003cli\u003e\u003ca href=\"https://github.com/google/sanitizers/wiki/MemorySanitizer\"\u003eMemorySanitizer\u003c/a\u003e - A detector of uninitialized memory reads in C/C++ programs.\u003c/li\u003e \u003cli\u003e\u003ca href=\"https://github.com/google/sanitizers/wiki/ThreadSanitizerCppManual\"\u003eThreadSanitizer\u003c/a\u003e - A data race detector for C/C++\u003c/li\u003e \u003c/ul\u003e\n- [tis-interpreter](https://github.com/TrustInSoft/tis-interpreter) — An interpreter for finding subtle bugs in programs written in standard C.\n- [Valgrind](https://valgrind.org/) — An instrumentation framework for building dynamic analysis tools.\n\n\n\u003ch2 id=\"cpp\"\u003eC++\u003c/h2\u003e\n\n- [CHAP](https://github.com/vmware/chap) — Analyzes un-instrumented ELF core files for leaks, memory growth, and corruption. It helps explain memory growth, can identify some forms of corruption, and  supplements a debugger by giving the status of various memory locations.\n- [KLEE](https://github.com/klee/klee) — Symbolic virtual machine built on top of the LLVM compiler infrastructure.\n- [LDRA](https://ldra.com) :copyright: — A tool suite including dynamic analysis and test to various standards can ensure test coverage to 100% op-code, branch \u0026 decsion coverage.\n- [LLVM/Clang Sanitizers](https://github.com/google/sanitizers) — \u003cul\u003e \u003cli\u003e\u003ca href=\"https://github.com/google/sanitizers/wiki/AddressSanitizer\"\u003eAddressSanitizer\u003c/a\u003e - A memory error detector for C/C++\u003c/li\u003e \u003cli\u003e\u003ca href=\"https://github.com/google/sanitizers/wiki/MemorySanitizer\"\u003eMemorySanitizer\u003c/a\u003e - A detector of uninitialized memory reads in C/C++ programs.\u003c/li\u003e \u003cli\u003e\u003ca href=\"https://github.com/google/sanitizers/wiki/ThreadSanitizerCppManual\"\u003eThreadSanitizer\u003c/a\u003e - A data race detector for C/C++\u003c/li\u003e \u003c/ul\u003e\n- [tis-interpreter](https://github.com/TrustInSoft/tis-interpreter) — An interpreter for finding subtle bugs in programs written in standard C.\n- [Valgrind](https://valgrind.org/) — An instrumentation framework for building dynamic analysis tools.\n\n\n\u003ch2 id=\"java\"\u003eJava\u003c/h2\u003e\n\n- [Java PathFinder](https://github.com/javapathfinder/jpf-core) — An extensible software model checking framework for Java bytecode programs.\n- [Parasoft Jtest](https://www.parasoft.com/products/jtest) :copyright: — Jtest is an automated Java software testing and static analysis product that is made by Parasoft. The product includes technology for Data-flow analysis Unit test-case generation and execution, static analysis, regression testing, code coverage, and runtime error detection.\n\n\n\u003ch2 id=\"javascript\"\u003eJavaScript\u003c/h2\u003e\n\n- [Iroh.js](https://github.com/maierfelix/Iroh) — A dynamic code analysis tool for JavaScript. Iroh allows to record your code flow in realtime, intercept runtime informations and manipulate program behaviour on the fly.\n- [Jalangi2](https://github.com/Samsung/jalangi2) — Jalangi2 is a popular framework for writing dynamic analyses for JavaScript.\n\n\n\u003ch2 id=\"php\"\u003ePHP\u003c/h2\u003e\n\n- [Enlightn](https://www.laravel-enlightn.com/) — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.\n\n\n\u003ch2 id=\"python\"\u003ePython\u003c/h2\u003e\n\n- [CrossHair](https://github.com/pschanely/CrossHair) — Symbolic execution engine for testing Python contracts.\n- [icontract](https://github.com/Parquery/icontract) — Design-by-contract library supporting behavioral subtyping\nThere is also a wider tooling around the icontract library such as  a linter (pyicontract-lint) and a plug-in for Sphinx (sphinx-icontract).\n- [Scalene](https://github.com/emeryberger/scalene) — A high-performance, high-precision CPU and memory profiler for Python\n- [typo](https://github.com/aldanor/typo) — Runtime Type Checking for Python 3.\n\n\n\u003ch2 id=\"ruby\"\u003eRuby\u003c/h2\u003e\n\n- [suture](https://github.com/testdouble/suture) — A Ruby gem that helps you refactor your legacy code  by the result of some old behavior with a new version.\n\n\n\u003ch2 id=\"rust\"\u003eRust\u003c/h2\u003e\n\n- [loom](https://github.com/tokio-rs/loom) — Concurrency permutation testing tool for Rust.  It runs a test many times, permuting the possible concurrent executions of that test.\n- [MIRI](https://github.com/rust-lang/miri) — An interpreter for Rust's mid-level intermediate representation, which can detect certain classes of undefined behavior like out-of-bounds memory accesses and use-after-free.\n- [puffin](https://github.com/EmbarkStudios/puffin) — Instrumentation profiler for Rust.\n- [stuck](https://github.com/jonhoo/stuck) — provides a visualization for quickly identifying common bottlenecks in running, asynchronous, and concurrent applications.\n\n\n\u003ch2 id=\"sql\"\u003eSQL\u003c/h2\u003e\n\n- [WhiteHat Sentinel Dynamic](https://www.whitehatsec.com/products/dynamic-application-security-testing/) :copyright: — Part of the WhiteHat Application Security Platform. Dynamic application security scanner that covers the OWASP Top 10.\n\n\n\u003ch2 id=\"vbasic\"\u003eVisual Basic\u003c/h2\u003e\n\n- [VB Watch](https://www.aivosto.com/vbwatch.html) :copyright: — Profiler, Protector and Debugger for VB6. Profiler measures performance and test coverage. Protector implements robust error handling. Debugger helps monitor your executables.\n\n\n## Multiple languages\n\n- [Code Pulse](http://code-pulse.com/) — Code Pulse is a free real-time code coverage tool for penetration testing activities by OWASP and Code Dx ([GitHub](https://github.com/codedx/codepulse)).\n- [Gcov](https://gcc.gnu.org/onlinedocs/gcc/Gcov.html) — GNU source code coverage program. Code coverage tool and profiling tool which is part of the GCC. Supports C, C++, Fortran.\n\n\n## Other\n\n\n\n\u003ch2 id=\"api\"\u003eAPI\u003c/h2\u003e\n\n- [Smartbear](https://smartbear.com/) :copyright: — Test automation and performance testing platform\n\n\n\u003ch2 id=\"binary\"\u003eBinaries\u003c/h2\u003e\n\n- [angr](https://github.com/angr/angr) — Platform agnostic binary analysis framework from UCSB.\n- [BOLT](https://github.com/facebookincubator/BOLT) — Binary Optimization and Layout Tool - A linux command-line utility used for optimizing performance of binaries  with profile guided permutation of linking to improve cache efficiency\n- [Dr. Memory](https://drmemory.org/) — Dr. Memory is a memory monitoring tool capable of identifying memory-related programming errors ([Github](https://github.com/DynamoRIO/drmemory)).\n- [DynamoRIO](http://www.dynamorio.org/) — Is a runtime code manipulation system that supports code transformations on any part of a program, while it executes.\n- [llvm-propeller](https://github.com/google/llvm-propeller) — Profile guided hot/cold function splitting to improve cache efficiency. An alternative to BOLT by Facebook\n- [Pin Tools](https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool) — A dynamic binary instrumentation tool and a platform for creating analysis tools.\n- [TRITON](https://triton.quarkslab.com/) — Dynamic Binary Analysis for x86 binaries.\n\n\n\u003ch2 id=\"bytecode\"\u003eBytecode/IR\u003c/h2\u003e\n\n- [souper](https://github.com/google/souper) — optimize LLVM IR with SMT solvers\n\n\n\u003ch2 id=\"container\"\u003eContainers\u003c/h2\u003e\n\n- [cadvisor](https://github.com/google/cadvisor) — Analyzes resource usage and performance characteristics of running containers.\n\n\n\u003ch2 id=\"laravel\"\u003eLaravel\u003c/h2\u003e\n\n- [Enlightn](https://www.laravel-enlightn.com/) — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.\n\n\n\u003ch2 id=\"security\"\u003eSecurity/DAST\u003c/h2\u003e\n\n- [AppScan Standard](https://www.hcltechsw.com/products/appscan) :copyright: — HCL's AppScan is a dynamic application security testing suite ([previously by IBM](https://newsroom.ibm.com/2018-12-06-HCL-Technologies-to-Acquire-Select-IBM-Software-Products-for-1-8B)).\n- [Enlightn](https://www.laravel-enlightn.com/) — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.\n- [WebScanner](https://www.defensecode.com/web-security-scanner-dast/) :copyright: — WebScanner is a DAST solution for comprehensive security audits of active web applications.\n- [WhiteHat Sentinel Dynamic](https://www.whitehatsec.com/products/dynamic-application-security-testing/) :copyright: — Part of the WhiteHat Application Security Platform. Dynamic application security scanner that covers the OWASP Top 10.\n- [Full OWASP / Vulnerability Scanners](https://github.com/paulveillard/cybersecurity-dynamic-analysis/blob/main/dynamic-application-security-testing.md)\n\n\n\u003ch2 id=\"web\"\u003eWeb\u003c/h2\u003e\n\n- [Smartbear](https://smartbear.com/) :copyright: — Test automation and performance testing platform\n\n\n\u003ch2 id=\"webassembly\"\u003eWebAssembly\u003c/h2\u003e\n\n- [Wasabi](https://github.com/danleh/wasabi) — Wasabi is a framework for writing dynamic analyses for WebAssembly, written in JavaScript.\n\n\n\u003ch2 id=\"xml\"\u003eXML\u003c/h2\u003e\n\n- [WhiteHat Sentinel Dynamic](https://www.whitehatsec.com/products/dynamic-application-security-testing/) :copyright: — Part of the WhiteHat Application Security Platform. Dynamic application security scanner that covers the OWASP Top 10.\n\n**[`^        back to top        ^`](#)**\n\n## License\nMIT License \u0026 [cc](https://creativecommons.org/licenses/by/4.0/) license\n\n\u003ca rel=\"license\" href=\"http://creativecommons.org/licenses/by/4.0/\"\u003e\u003cimg alt=\"Creative Commons License\" style=\"border-width:0\" src=\"https://i.creativecommons.org/l/by/4.0/88x31.png\" /\u003e\u003c/a\u003e\u003cbr /\u003eThis work is licensed under a \u003ca rel=\"license\" href=\"http://creativecommons.org/licenses/by/4.0/\"\u003eCreative Commons Attribution 4.0 International License\u003c/a\u003e.\n\nTo the extent possible under law, [Paul Veillard](https://github.com/paulveillard/) has waived all copyright and related or neighboring rights to this work.\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpaulveillard%2Fcybersecurity-dynamic-analysis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpaulveillard%2Fcybersecurity-dynamic-analysis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpaulveillard%2Fcybersecurity-dynamic-analysis/lists"}