I feel like this is a "let me Google that for you" sort of question... so I did. Here is a list of 20 tools https://www.helpnetsecurity.com/2023/06/08/github-cybersecurity-projects/ Here are 14 network analysis tools with links to descriptions, including what license model they are provided under (not all open source is created equal after all) https://www.linuxlinks.com/best-free-open-source-network-analyzers/ Need IDS/IPS? Here are 5, Suricata is very popular and is the backbone of many professional commercial tools today too (others are too, I just hear about Suricata the most in passing over the last couple years) It has been used in tandem with Zeke (formerly Bro) too. https://www.google.com/amp/s/www.csoonline.com/article/570075/5-open-source-intrusion-detection-systems-for-smbs.html/amp/ Let's cover CIS 1 and 2 with some asset management: https://www.quidlo.com/blog/free-open-source-asset-tracking-software/ Let's find the things we have too https://github.com/redhuntlabs/Awesome-Asset-Discovery Let's scan for and manage vulnerabilities https://www.breachlock.com/resources/blog/top-5-open-source-tools-for-network-vulnerability-scanning/ SIEM: Let's do something with all the logs and telemetry these other tools give us and build an open source SIEM https://www.exabeam.com/explainers/siem-tools/7-open-source-siems/ (even the commercial companies provide links) https://www.comparitech.com/net-admin/open-source-siem-tools/ And here is a reddit discussion on the topic: https://www.reddit.com/r/cybersecurity/comments/111btcu/opensource_siem_systems_any_povs_and_opinions/ Intelligence tools: https://www.google.com/amp/s/www.csoonline.com/article/567859/what-is-osint-top-open-source-intelligence-tools.html/amp/ And here is a list of projects people can do to learn or get better. Each project could be the basis for another search, for example: the first project listed is "packet sniffing" and a search for "open source packet sniffer" returns "wireshark.org" as the first result. https://www.simplilearn.com/top-cyber-security-projects-article This list is nowhere near exhaustive. You could Google the top 100 cybersecurity concepts and then use each term followed by "open source" and probably come up with multiple projects to check out. You could probably do the same with the CIS controls too. Hope this is helpful. More on reddit.com

This isn't the wrong sub, and you may get some good suggestions here, but you might also try posting your question over in r/netsec, r/AskNetsec, r/Pentesting and other similar sub-reddits.

More on reddit.com

No, if anything it demonstrates the opposite, to move more into open-source projects. Those vulnerabilities being discovered and disseminated will allow developers to fix them and avoid making those mistakes in the future. That's one of the benefits. Large communities that are constantly evaluating and punishing projects in different ways to try to find things that break. Of course, not everyone has the same motivation. But more people looking at code, more eyes to find things that can be fixed and improved, that can move things forward very positive ly. It happens. It's why open-source is a good thing. Closed-source projects don't have that luxury. They have teams, sometimes large, to work on stuff. But if someone outside the organization discovers a vulnerability, it's more often not to try to help and make things better. More on reddit.com

You need to define what "safety" means to you. There are lots of different techniques that you can use to determine if a given third-party component is appropriate for your use, and then once you select a third-party component, ensure that it continues to be appropriate. A vendor assessment would be a good first step. The popularity of a project is one potential measure to consider, but you can also look at things like how many contributors there are and who those contributors are, how frequently changes are made, how frequently new releases are made available, how responsive the maintainers are to issues or answering support questions, how big the community is (such as non-maintainers talking about or helping with the use of the component). You can also check for open CVEs against the component. Assessing the vendor is a point-in-time measure, though. It is something that you'll want to continue to monitor. Especially with open source components, someone may create a fork that supersedes the original in terms of use and support. Maintainers may also simply stop supporting a project with little notice. The use of software composition analysis tools can help. There are several options out there that will monitor your project dependencies and provide information about reported vulnerabilities, releases of new versions, or if it looks like a project is no longer actively maintained. You can use this as one input into a process for dependency management. Since the project is open-source, you can do some things on your own. If you're concerned with secure coding practices being used, you can use your own static and dynamic analysis tools on the project to find potential issues. Instead of trusting binaries provided by the author, you can build it yourself from source to ensure that any binaries directly correspond to the source code that you are looking for. You can also scan these binaries with malware detection tools. Hosting your own artifact repository can help you make sure that you're always using an appropriately reviewed and approved version of the artifact, without depending on someone else's processes. Analysis tools may not find all problems. For example, if you're concerned that the application is designed to send data to a third-party, you may only find that by reading the code. Configuring your network appropriately may prevent data from being transmitted without your knowledge. There are also tools to monitor data being sent over a network to identify anything suspicious. A combination of manual code reviews to assess the functionality of components and testing in environments that don't have sensitive data can help to increase confidence. If your end goal is to absolve yourself of any responsibility, I'm not aware of any product or service that would offer that. Even third-party security organizations have limits to what they are capable of providing. The best that you can do is to determine what your threats are and mitigate each one to a point where the risk is acceptable. By building software with a third-party component, you're accepting the benefits and the risks of that decision. More on reddit.com