Product Security Ecosystem Projects, Communities, and Learning Hubs
Intro: This page builds on the idea behind the public ECOSYSTEM-PROJECTS.md seed file from the D3One Product Security Knowledge Base and expands it into a more opinionated 2026 map. The goal is not to list every security project on the internet. The goal is to highlight the projects and communities that repeatedly matter for Product Security programs across AppSec, DevSecOps, cloud, Kubernetes, APIs, supply chain, and secure SDLC.
How to use this page
- use it as a discovery map, not as a procurement list;
- prefer official project sites, docs, and community hubs for implementation details;
- use this page to identify where to learn, where to contribute, and which communities keep shaping current practice.
Public seed reference
- D3One public page: https://github.com/D3One/Product-Security-Knowledge-Base/blob/main/docs/ECOSYSTEM-PROJECTS.md
Why this belongs in a Product Security knowledge base
A strong Product Security team does not learn only from vendor docs and internal runbooks. It also learns from:
- standards communities that define the shared language of requirements and verification;
- open-source projects that shape real engineering workflows;
- training projects that make hands-on practice cheap and repeatable;
- research and maintainer communities that influence what "current best practice" becomes next.
Short list of high-signal projects and communities
| Project / community | Domain | Why it matters | Official link |
|---|---|---|---|
| OWASP Foundation | AppSec community | umbrella community for ASVS, SAMM, Top 10, API Security, Cheat Sheets, Juice Shop, Security Shepherd, and many other practical projects | https://owasp.org/projects/ |
| OWASP ASVS | verification standard | application security requirements and verification baseline used to translate 'secure by design' into reviewable controls | https://owasp.org/www-project-application-security-verification-standard/ |
| OWASP SAMM | program maturity | open maturity model for building and measuring software security programs across governance, design, implementation, verification, and operations | https://owaspsamm.org/ |
| OWASP API Security Project | API security | maintains the API Security Top 10 and related guidance that product teams still use for review, testing, and education | https://owasp.org/www-project-api-security/ |
| OWASP Cheat Sheet Series | developer reference | one of the highest-signal practical references for developers and reviewers who need short implementation guidance | https://cheatsheetseries.owasp.org/ |
| OWASP Juice Shop | training lab | deliberately vulnerable web/API application for hands-on labs, demos, tool validation, and secure-coding practice | https://owasp.org/www-project-juice-shop/ |
| OWASP Security Shepherd | training lab | older but still useful hands-on AppSec training platform for workshops and internal awareness labs | https://owasp.org/www-project-security-shepherd/ |
| DefectDojo | findings orchestration | open-source vulnerability management and findings aggregation platform widely used by Product Security and AppSec teams | https://defectdojo.org/ |
| OWASP Dependency-Track | SCA/SBOM | software composition and SBOM analysis platform used to track dependency risk and policy outcomes over time | https://dependencytrack.org/ |
| OpenCRE | requirements mapping | open common requirements catalog that helps map security requirements and controls across standards and guidance | https://opencre.org/ |
| OpenSSF | open-source security foundation | industry foundation behind Scorecard, Best Practices Badge, OSV, Sigstore-adjacent collaboration, package security work, and community guidance | https://openssf.org/projects/ |
| OpenSSF Scorecard | supply chain posture | automated checks that help maintainers and consumers reason about repository security hygiene | https://github.com/ossf/scorecard |
| OpenSSF Best Practices Badge | maintainer hygiene | self-service program that helps projects adopt baseline open-source security practices | https://www.bestpractices.dev/ |
| OSV | vulnerability data | open vulnerability format and database model that many supply-chain workflows now rely on | https://osv.dev/ |
| SLSA | build integrity | supply-chain framework for build provenance and build-system hardening, widely used in CI/CD and release governance discussions | https://slsa.dev/ |
| Sigstore | signing and verification | keyless signing and verification ecosystem for software artifacts, with Cosign as the best-known practitioner tool | https://www.sigstore.dev/ |
| in-toto | supply chain attestations | framework for describing and verifying steps in a software supply chain | https://in-toto.io/ |
| GUAC | artifact graphing | graph for understanding relationships between source, build, SBOM, vulnerabilities, and attestations | https://guac.sh/ |
| GitHub Security Lab | research and education | high-signal community and research hub around CodeQL, advisory curation, secure coding, and open-source vulnerability research | https://securitylab.github.com/ |
| CNCF TAG Security | cloud-native community | community working group that publishes cloud-native security guidance, threat modeling material, and supply-chain reference content | https://tag-security.cncf.io/ |
| Kubernetes SIG Security | Kubernetes security community | core community location for Kubernetes security audits, docs, tools, and discussion | https://github.com/kubernetes/sig-security |
| Falco | runtime detection | CNCF project for runtime threat detection across hosts, containers, Kubernetes, and cloud signals | https://falco.org/ |
| SPIFFE / SPIRE | workload identity | community and tooling around workload identity and service-to-service trust | https://spiffe.io/ |
| cert-manager | certificate automation | de facto Kubernetes certificate automation project for internal PKI, ingress certs, and trust distribution workflows | https://cert-manager.io/ |
| Kyverno | policy | Kubernetes-native policy engine used for validation, mutation, and policy-driven deployment safeguards | https://kyverno.io/ |
| OPA / Gatekeeper | policy | general policy-as-code ecosystem and Kubernetes admission control pattern used in many platform teams | https://openpolicyagent.org/ |
| Cloud Security Alliance | cloud community | maintains CCM, STAR, and other cloud security control and assurance references | https://cloudsecurityalliance.org/ |
| Prowler | cloud posture | well-known open-source AWS/Azure/GCP security assessment project used for posture reviews and checks-as-code | https://prowler.com/ |
| ScoutSuite | cloud auditing | multi-cloud open-source posture auditor that is still useful for broad account reviews and demos | https://github.com/nccgroup/ScoutSuite |
| Cloud Custodian | policy enforcement | policy-as-code project used for cloud governance, cleanup, and preventive/response automation | https://cloudcustodian.io/ |
| ProjectDiscovery | ASM and testing | community and tooling ecosystem around recon, detection, and exposure discovery, especially useful for AppSec and external attack surface work | https://projectdiscovery.io/ |
Practical grouping by Product Security domain
1) AppSec and secure SDLC foundations
Start here when you need the common language of Product Security:
- OWASP ASVS for requirements and verification.
- OWASP SAMM for program maturity.
- OWASP Cheat Sheet Series for implementation guidance.
- OWASP API Security Project for modern API-specific risks.
2) Hands-on labs and teaching tools
Use these when you need people to practice, not just read:
- OWASP Juice Shop for web/API attack paths.
- OWASP Security Shepherd for structured workshops.
- Kubernetes Goat and related labs for cluster security.
3) Supply chain and CI/CD trust
Use these when the conversation shifts from "is the code secure?" to "can we trust what we built and shipped?":
- OpenSSF
- SLSA
- Sigstore
- in-toto
- GUAC
- GitHub Security Lab
4) Cloud and Kubernetes posture
Use these when the conversation is mostly about configuration, identity, policy, and runtime behavior:
- CNCF TAG Security
- Kubernetes SIG Security
- Falco
- SPIFFE / SPIRE
- cert-manager
- Kyverno
- OPA / Gatekeeper
- CSA
- Prowler / ScoutSuite / Cloud Custodian
Pattern matching: what each ecosystem is best for
| Need | Best places to start |
|---|---|
| application requirements and verification | OWASP ASVS, OWASP Cheat Sheet Series |
| program maturity and transformation | OWASP SAMM, OpenSSF guidance |
| API review and abuse reasoning | OWASP API Security Project, Juice Shop |
| supply chain integrity and provenance | SLSA, Sigstore, in-toto, GUAC |
| cloud-native security design and community guidance | CNCF TAG Security, Kubernetes SIG Security, SPIFFE / SPIRE |
| Kubernetes policy and certificate automation | Kyverno, OPA / Gatekeeper, cert-manager |
| runtime detection and live-environment response | Falco |
| cloud posture and governance automation | CSA, Prowler, ScoutSuite, Cloud Custodian |
What to avoid when using ecosystem lists
- Do not treat popularity as proof of fit. A project can be famous and still be wrong for your environment.
- Do not use "awesome lists" as the source of truth. Use them to discover, then confirm with official docs and current release activity.
- Do not confuse community health with product maturity. Some projects are best for learning, others for production.
- Do not freeze on one ecosystem. Product Security is cross-domain by design.