Essential Open-Source Security Tools for Application Development: A Comprehensive Guide

You don’t need to spend a lot of money to integrate strong security into your application development and delivery process. This guide to open-source security tools is intended to assist teams in exploring available options for application security software within the open-source realm. A guide to commercial application security vendors will be provided later.

Why do you need a free app sec tool guide? Generally speaking, information about application security can be confusing because websites often showcase their product strengths without clearly describing the category of solutions provided. This makes it difficult to compare one product with the next. Open-source project websites typically provide very detailed information about specific tools, which requires readers to already know how and why to use a particular tool.

The Value of Open Source App Sec Tools

Most open-source projects are designed for app sec requirements on a scale smaller than commercial vendors tend to target. Nonetheless, we believe that this highly focused list of open-source application providers should be familiar to security enthusiasts looking for new creative approaches to certain types of cyber threats.

Some of these open-source projects are very active and frequently updated with new features; others, well, not so much, but they’re worth a try. Some of the stronger open-source technologies have been around since the dawn of the web; others are new and gathering increasing followings on Twitter and elsewhere.

Please note that some of the listings here are free “community editions” of premium commercial products. Also note that you can no longer identify open-source projects by the .org or .net suffix. As you will see, many now use the .com convention and many other URL conventions.

Andiparos

A fork of the well-known Paros Proxy, an open-source web application security assessment tool, giving penetration testers the ability to crawl websites, analyze content, and intercept and modify requests.

URL: https://code.google.com/archive/p/andiparos

BackTrack

A Linux-based penetration testing distribution that ships with hundreds of security testing tools and scripts.

URL: http://www.backtrack-linux.org

BeEF

An open-source penetration testing tool.

URL: http://beefproject.com

Caja

A compiler for safely embedding third-party HTML, CSS, and JavaScript into websites. It uses a capability-based security model to enable various flexible security policies.

URL: http://developers.google.com/caja

ClamAV

An open-source antivirus engine for detecting Trojans, viruses, malware, and other malicious threats.

URL: http://clamav.net

DOM Snitch

An experimental Chrome extension that allows developers and testers to identify common unsafe practices in client-side code. Developers and testers can perform DOM modifications within the browser without using a debugger to step through JavaScript code or pausing the execution of their application.

URL: https://code.google.com/archive/p/domsnitch

Ettercap

Called “a comprehensive suite for man-in-the-middle attacks… with sniffing live connections, dynamic content filtering, and many other interesting tricks.”

URL: http://ettercap.github.io/ettercap

GoLismero

A free software framework for security testing.

URL: http://www.golismero.com

Google Hacking Database (GHDB)

Described by SecTools.org as “a goldmine for security researchers and penetration testers,” this site is part of the Exploit Database, a nonprofit project provided as a public service by Offensive Security.

URL: https://www.exploit-db.com/google-hacking-database

Google App Security Tools

Google says these tools “address gaps present in other open-source tools. These tools may require some tweaking or compilation to run on your system.” Some of them are listed individually in this guide.

URL: https://www.google.com/about/appsecurity/tools

Grabber

An open-source web application scanner and penetration testing tool capable of detecting many security vulnerabilities in web applications.

URL: http://rgaucher.info/beta/grabber

Grendel

A tool for scanning web applications for security vulnerabilities; features are also available for manual penetration testing.

URL: https://sourceforge.net/projects/grendel

Gruyere

Described as a “small, cheesy web application”; allows users to post code snippets and store various files. Warning: Gruyere has multiple security vulnerabilities, including cross-site scripting and cross-site request forgery, information disclosure, denial of service, and remote code execution.

URL: http://google-gruyere.appspot.com

Kali

A Linux penetration testing distribution.

URL: http://kali.org

Keyczar

An open-source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. It supports authentication and encryption with symmetric and asymmetric keys; designed for openness, extensibility, and cross-platform compatibility.

URL: https://github.com/google/keyczar

Kismet

A wireless network detector, sniffer, and intrusion detection system. Kismet primarily uses Wi-Fi (IEEE 802.11) networks, but can be extended via plugins to handle other network types.

URL: http://kismetwireless.org

Malwarebytes

An endpoint security malware scanner for Windows.

URL: http://malwarebytes.org

Metasploit

An open-source penetration testing framework from Rapid7.

URL: http://metasploit.com

ModSecurity

An open-source web application firewall (WAF).

URL: http://modsecurity.org

Nagios

Monitors entire IT infrastructure to ensure systems, applications, services, and business processes operate properly.

URL: http://nagios.org

Native Client (NaCl)

A technology for executing native compiled code in the browser. NaCl is aimed at maintaining the operating system portability and security of web applications.

URL: http://developer.chrome.com/native-client

Nikto2

A web server assessment tool for finding known vulnerable scripts, misconfigurations, and security issues.

URL: http://cirt.net/nikto2

NMAP

A network discovery and security auditing utility; its NSE scripts can detect vulnerabilities, misconfigurations, and security-relevant information in network services.

URL: http://nmap.org

NoScript

A Firefox plugin providing extra protection for Firefox, Seamonkey, and other Mozilla-based browsers; allows JavaScript, Java, Flash, and other plugins to be executed only by trusted websites you choose.

URL: http://noscript.net

OpenSSH

Secures traffic between two points by tunneling insecure protocols through SSH.

URL: http://www.openssh.com

OpenVAS

An open-source vulnerability scanning suite.

URL: http://openvas.org

OSSEC

A host-based intrusion detection system (HIDS).

URL: http://ossec.github.io

OWASP

owasp.org maintains a large catalogue of open-source security testing tools.

URL: https://www.owasp.org/index.php/Appendix_A:_Testing_Tools

Packet Storm

Offers a variety of vulnerability and penetration testing scanner tools.

URL: http://packetstormsecurity.org/files/tags/scanner

Paros Proxy

A security and vulnerability testing tool that crawls entire sites and then runs its built-in vulnerability scanner tests.

URL: http://www.testingsecurity.com/paros_proxy

Powerfuzzer

An HTTP protocol-based application fuzzer built on many other open-source fuzzers.

URL: http://www.powerfuzzer.com

Ratproxy

Designed to overcome user-related issues commonly faced when using other proxy tools for security audits; capable of distinguishing between CSS stylesheets and JavaScript code.

URL: https://code.google.com/archive/p/ratproxy

Secunia PSI

A free computer security solution that identifies vulnerabilities in applications on private PCs.

URL: http://learn.flexerasoftware.com/SVM-EVAL-Personal-Software-Inspector

Security Onion

A Linux distribution for intrusion detection, network security monitoring, and log management.

URL: http://blog.securityonion.net

Skipfish

An active web application security reconnaissance tool. It prepares an interactive sitemap for the site through recursive crawling and dictionary-based tests. Written in C with a custom HTTP stack, it is high-performance, easy to use, and reliable.

URL: https://code.google.com/archive/p/skipfish

Snort

An open-source, free, and lightweight network intrusion detection system (NIDS) for UNIX derivatives and Windows.

URL: http://snort.org

SonarQube

SonarQube™ software (formerly known as “Sonar”) is an open platform for managing code quality. It encompasses seven axes of code quality.

URL: https://github.com/SonarSource/sonarqube

SQLMAP

A penetration testing tool that automates the process of finding and exploiting SQL injection vulnerabilities in website databases.

URL: http://sqlmap.org

TCPDUMP

Referred to on its website as a “powerful command-line packet analyzer,” many still use this tool as an alternative to the resource-intensive Wireshark.

URL: http://tcpdump.org

Vega

A web vulnerability scanner and testing platform that detects SQL injection, cross-site scripting, and similar issues.

URL: https://subgraph.com/vega

W3AF

A tool for detecting SQL injection and cross-site scripting vulnerabilities.

URL: http://w3af.org

Wapiti

A web vulnerability scanner that lets you audit the security of your web applications. It performs black-box scans by crawling web pages and injecting data.

URL: http://wapiti.sourceforge.net

Watcher

A Fiddler plugin that helps penetration testers passively discover web application vulnerabilities.

URL: http://websecuritytool.codeplex.com

WATOBO

Performs efficient (semi-automated) web application security audits.

URL: http://watobo.sourceforge.net/index.html

WebScarab

A Java-based security framework for analyzing web applications that communicate over HTTP or HTTPS. Portable to many platforms; provides various operational modes, implemented by multiple plugins. In its most typical usage, WebScarab operates as an intercepting proxy.

URL: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

Websecurify

GNUCITIZEN (see commercial vendors list)

URL:

Wfuzz

A free, open-source tool for web application penetration testing. It can be used to brute-force GET and POST parameters to test for many types of injections such as SQL, XSS, LDAP, etc.

URL: http://code.google.com/p/wfuzz

SensePost

Tools for finding vulnerabilities in devices, networks, and applications. Tools include autoDANE, reGeorg, Jack, and the SensePost Maltego toolset.

URL: http://sensepost.com

Wireshark

An open-source packet analyzer for penetration testing and packet-level monitoring; inspect detailed traffic as needed, monitor network flows, and find problems.

URL: http://wireshark.org

Zed Attack Proxy

Also known as ZAP. An open-source intercepting proxy forked from, and updated well beyond, the severely outdated Paros Proxy. Fairly powerful for manual testing, with some automated testing features included.

URL: https://www.owasp.org

This article: http://pub.intelligentx.net/57-open-source-app-sec-tools-guide-free-application-security-software

Original article: https://techbeacon.com/app-dev-testing/57-open-source-app-sec-tools-guide-free-application-security-software
