12 links
tagged with all of: security + auditing
Links
SecureMCP is a security auditing tool designed to identify vulnerabilities in applications utilizing the Model Context Protocol (MCP). It offers comprehensive scanning capabilities for threats such as OAuth token leakage and prompt injection vulnerabilities, providing detailed reports with remediation suggestions. The tool is suitable for AI developers, security teams, and auditors looking to enhance application security.
npq is a tool designed to audit npm packages before installation, enhancing security by checking for vulnerabilities, package age, download counts, and other criteria. It integrates seamlessly with npm and can be used with other package managers by specifying environment variables, thus ensuring a safer installation process for developers. However, it is important to note that no tool can guarantee absolute safety from malicious packages.
Commit Stomping is a technique used to manipulate Git commit timestamps, misleading observers about when changes were made. This method can obscure the true timeline of code changes, complicating audits and incident investigations, and poses significant risks in software supply chain security. The article discusses how to execute this technique, its implications, and strategies for detection and prevention.
Verified Entity Identity Lock is a tool that identifies IAM principals in an AWS account that can assume specific permissions, facilitating the auditing of trust relationships. It outputs results in JSON format, allowing users to see who has access and to compare account IDs against a trusted list. The tool can be installed via the Go toolchain or by downloading a pre-built binary.
A PowerShell tool for managing and auditing Role-Based Access Control (RBAC) in Microsoft Intune offers detailed insights into RBAC configurations, including role assignments and permissions. It features an interactive HTML report with security analysis, a permissions matrix, and a new security review dashboard to assess risk levels and security posture. Utility scripts facilitate specific RBAC management tasks such as exporting roles and assigning scope tags.
The article discusses the often-overlooked vulnerabilities associated with SCIM (System for Cross-domain Identity Management) implementations, emphasizing the need for comprehensive security audits beyond traditional Single Sign-On (SSO) concerns. It highlights common bugs, such as authentication bypasses and internal attribute manipulation, that can arise due to the complexities of integrating SCIM with various platforms. The author provides insights into potential attack vectors and best practices for securing SCIM systems.
WPAUDIT is a comprehensive WordPress security audit tool aimed at ethical hackers and security professionals, offering advanced features for vulnerability scanning and penetration testing. Its modular architecture allows for customizable scan profiles and integration with various security tools, making it an essential resource for thorough security assessments of WordPress installations. The documentation provides detailed guidance on setup, usage, and extending its functionalities.
Hard-coded secrets in Docker images pose significant security risks, as they can be inadvertently leaked and exploited by attackers. A recent analysis of 15 million Docker images on DockerHub revealed over 100,000 valid secrets, many of which date back years, highlighting the need for organizations to regularly audit their Docker images to prevent potential breaches.
The GitHub repository provides a collection of potentially dangerous API calls, known as "scary strings," that can assist in security auditing of source code. By identifying these strings, developers can spot vulnerabilities, verify safe handling practices, and enhance the overall security of their applications. The repository includes technology-specific wordlists and comments that could indicate areas for further investigation or potential security risks.
IAM Lens is a tool that enables users to analyze and audit IAM permissions across AWS accounts using collected IAM policies. It provides features to simulate requests, discover who can access resources, and evaluate effective permissions for principals. The tool enhances visibility into IAM configurations, allowing for better security and compliance management.
Go-over is a tool designed for auditing Erlang and Elixir dependencies in Gleam projects, ensuring they are secure and up to date. While it supports various output formats and integrates with tools like Git and JavaScript, it currently does not monitor security advisories due to the newness of the Gleam language. Users can configure caching, output formats, and ignore specific dependencies in their project's configuration file.
ssh-audit is a tool designed for auditing SSH server and client configurations, allowing users to assess security settings, recognize software and operating systems, and identify weaknesses in algorithms. It supports various features such as policy scans, key exchange analysis, and compatibility checks, and can be run on both Linux and Windows without dependencies. The tool includes built-in hardening guides and maintains compatibility with Python versions 3.9 to 3.13.