https://github.com/paulveillard/cybersecurity-dynamic-analysis

An ongoing & curated collection of awesome vulnerability scanning software, libraries and frameworks, best guidelines and technical resources and most important dynamic application security testing (DAST)
dast dynamic-analysis dynamic-analysis-engines sast static-analysis vulnerabilities vulnerability-assessment vulnerability-identification vulnerability-management vulnerability-scanner vulnerability-scanners


# Dynamic Analysis Tools
> An ongoing & curated collection of awesome vulnerability scanning software, libraries and frameworks, best guidelines and technical resources and most important dynamic application security testing (DAST)

## `What is Dynamic Analysis?`
[Dynamic analysis](https://www.intel.com/content/www/us/en/develop/documentation/inspector-user-guide-windows/top/getting-started/dynamic-analysis-vs-static-analysis.html) is the testing and evaluation of an application during runtime.

![dast](https://github.com/paulveillard/cybersecurity-dynamic-analysis/blob/main/img/dast-pipelines.png)

The primary advantage of dynamic analysis is that it reveals subtle defects or vulnerabilities whose cause is too complex to be discovered by static analysis. Dynamic analysis can play a role in security assurance, but its primary goal is finding and debugging errors.

![dynamic](https://github.com/paulveillard/cybersecurity-dynamic-analysis/blob/main/img/Application-Security-Testing.png)

## `Table of Contents`

#### [Programming Languages](#programming-languages-1)

#### [Multiple languages](#multiple-languages-1)

#### [Other](#other-1)

- [API](#api)
- [Binaries](#binary)
- [Bytecode/IR](#bytecode)
- [Containers](#container)
- [Laravel](#laravel)
- [Security/DAST](#security)
- [Web](#web)
- [WebAssembly](#webassembly)
- [XML](#xml)

---

## `Programming Languages`

.NET

- [Microsoft IntelliTest](https://docs.microsoft.com/en-us/visualstudio/test/intellitest-manual/getting-started?view=vs-2019) — Generate a candidate suite of tests for your .NET code.
- [Pex and Moles](https://www.microsoft.com/en-us/research/project/pex-and-moles-isolation-and-white-box-unit-testing-for-net/) — Pex automatically generates test suites with high code coverage using automated white box analysis.

C

- [CHAP](https://github.com/vmware/chap) — Analyzes un-instrumented ELF core files for leaks, memory growth, and corruption. It helps explain memory growth, can identify some forms of corruption, and supplements a debugger by giving the status of various memory locations.
- [KLEE](https://github.com/klee/klee) — Symbolic virtual machine built on top of the LLVM compiler infrastructure.
- [LDRA](https://ldra.com) :copyright: — A tool suite including dynamic analysis and testing to various standards; it can ensure test coverage to 100% op-code, branch & decision coverage.
- [LLVM/Clang Sanitizers](https://github.com/google/sanitizers)
- [tis-interpreter](https://github.com/TrustInSoft/tis-interpreter) — An interpreter for finding subtle bugs in programs written in standard C.
- [Valgrind](https://valgrind.org/) — An instrumentation framework for building dynamic analysis tools.

C++

- [CHAP](https://github.com/vmware/chap) — Analyzes un-instrumented ELF core files for leaks, memory growth, and corruption. It helps explain memory growth, can identify some forms of corruption, and supplements a debugger by giving the status of various memory locations.
- [KLEE](https://github.com/klee/klee) — Symbolic virtual machine built on top of the LLVM compiler infrastructure.
- [LDRA](https://ldra.com) :copyright: — A tool suite including dynamic analysis and testing to various standards; it can ensure test coverage to 100% op-code, branch & decision coverage.
- [LLVM/Clang Sanitizers](https://github.com/google/sanitizers)
- [tis-interpreter](https://github.com/TrustInSoft/tis-interpreter) — An interpreter for finding subtle bugs in programs written in standard C.
- [Valgrind](https://valgrind.org/) — An instrumentation framework for building dynamic analysis tools.

Java

- [Java PathFinder](https://github.com/javapathfinder/jpf-core) — An extensible software model checking framework for Java bytecode programs.
- [Parasoft Jtest](https://www.parasoft.com/products/jtest) :copyright: — Jtest is an automated Java software testing and static analysis product made by Parasoft. The product includes technology for data-flow analysis, unit test-case generation and execution, static analysis, regression testing, code coverage, and runtime error detection.

JavaScript

- [Iroh.js](https://github.com/maierfelix/Iroh) — A dynamic code analysis tool for JavaScript. Iroh lets you record your code flow in real time, intercept runtime information and manipulate program behaviour on the fly.
- [Jalangi2](https://github.com/Samsung/jalangi2) — Jalangi2 is a popular framework for writing dynamic analyses for JavaScript.

PHP

- [Enlightn](https://www.laravel-enlightn.com/) — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.

Python

- [CrossHair](https://github.com/pschanely/CrossHair) — Symbolic execution engine for testing Python contracts.
- [icontract](https://github.com/Parquery/icontract) — Design-by-contract library supporting behavioral subtyping. There is also wider tooling around the icontract library, such as a linter (pyicontract-lint) and a plug-in for Sphinx (sphinx-icontract).
- [Scalene](https://github.com/emeryberger/scalene) — A high-performance, high-precision CPU and memory profiler for Python
- [typo](https://github.com/aldanor/typo) — Runtime Type Checking for Python 3.

Ruby

- [suture](https://github.com/testdouble/suture) — A Ruby gem that helps you refactor your legacy code by comparing the result of some old behavior with a new version.

Rust

- [loom](https://github.com/tokio-rs/loom) — Concurrency permutation testing tool for Rust. It runs a test many times, permuting the possible concurrent executions of that test.
- [MIRI](https://github.com/rust-lang/miri) — An interpreter for Rust's mid-level intermediate representation, which can detect certain classes of undefined behavior like out-of-bounds memory accesses and use-after-free.
- [puffin](https://github.com/EmbarkStudios/puffin) — Instrumentation profiler for Rust.
- [stuck](https://github.com/jonhoo/stuck) — Provides a visualization for quickly identifying common bottlenecks in running, asynchronous, and concurrent applications.

SQL

- [WhiteHat Sentinel Dynamic](https://www.whitehatsec.com/products/dynamic-application-security-testing/) :copyright: — Part of the WhiteHat Application Security Platform. Dynamic application security scanner that covers the OWASP Top 10.

Visual Basic

- [VB Watch](https://www.aivosto.com/vbwatch.html) :copyright: — Profiler, Protector and Debugger for VB6. Profiler measures performance and test coverage. Protector implements robust error handling. Debugger helps monitor your executables.

## Multiple languages

- [Code Pulse](http://code-pulse.com/) — Code Pulse is a free real-time code coverage tool for penetration testing activities by OWASP and Code Dx ([GitHub](https://github.com/codedx/codepulse)).
- [Gcov](https://gcc.gnu.org/onlinedocs/gcc/Gcov.html) — GNU source code coverage program. A code coverage and profiling tool that is part of GCC. Supports C, C++, Fortran.

## Other

API

- [Smartbear](https://smartbear.com/) :copyright: — Test automation and performance testing platform

Binaries

- [angr](https://github.com/angr/angr) — Platform agnostic binary analysis framework from UCSB.
- [BOLT](https://github.com/facebookincubator/BOLT) — Binary Optimization and Layout Tool. A Linux command-line utility used for optimizing performance of binaries with profile-guided permutation of linking to improve cache efficiency.
- [Dr. Memory](https://drmemory.org/) — Dr. Memory is a memory monitoring tool capable of identifying memory-related programming errors ([GitHub](https://github.com/DynamoRIO/drmemory)).
- [DynamoRIO](http://www.dynamorio.org/) — A runtime code manipulation system that supports code transformations on any part of a program while it executes.
- [llvm-propeller](https://github.com/google/llvm-propeller) — Profile guided hot/cold function splitting to improve cache efficiency. An alternative to BOLT by Facebook
- [Pin Tools](https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool) — A dynamic binary instrumentation tool and a platform for creating analysis tools.
- [TRITON](https://triton.quarkslab.com/) — Dynamic Binary Analysis for x86 binaries.

Bytecode/IR

- [souper](https://github.com/google/souper) — Optimizes LLVM IR with SMT solvers.

Containers

- [cadvisor](https://github.com/google/cadvisor) — Analyzes resource usage and performance characteristics of running containers.

Laravel

- [Enlightn](https://www.laravel-enlightn.com/) — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.

Security/DAST

- [AppScan Standard](https://www.hcltechsw.com/products/appscan) :copyright: — HCL's AppScan is a dynamic application security testing suite ([previously by IBM](https://newsroom.ibm.com/2018-12-06-HCL-Technologies-to-Acquire-Select-IBM-Software-Products-for-1-8B)).
- [Enlightn](https://www.laravel-enlightn.com/) — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.
- [WebScanner](https://www.defensecode.com/web-security-scanner-dast/) :copyright: — WebScanner is a DAST solution for comprehensive security audits of active web applications.
- [WhiteHat Sentinel Dynamic](https://www.whitehatsec.com/products/dynamic-application-security-testing/) :copyright: — Part of the WhiteHat Application Security Platform. Dynamic application security scanner that covers the OWASP Top 10.
- [Full OWASP / Vulnerability Scanners](https://github.com/paulveillard/cybersecurity-dynamic-analysis/blob/main/dynamic-application-security-testing.md)

Web

- [Smartbear](https://smartbear.com/) :copyright: — Test automation and performance testing platform

WebAssembly

- [Wasabi](https://github.com/danleh/wasabi) — Wasabi is a framework for writing dynamic analyses for WebAssembly, written in JavaScript.

XML

- [WhiteHat Sentinel Dynamic](https://www.whitehatsec.com/products/dynamic-application-security-testing/) :copyright: — Part of the WhiteHat Application Security Platform. Dynamic application security scanner that covers the OWASP Top 10.

## License
MIT License & [cc](https://creativecommons.org/licenses/by/4.0/) license

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

To the extent possible under law, [Paul Veillard](https://github.com/paulveillard/) has waived all copyright and related or neighboring rights to this work.