Top Free Security Testing Tools
SECURITY TESTING Published on: 05/14/2019
Security testing is sometimes thought of as being hard to automate or a testing process that lacks tools and resources to help make it easier to learn.
I find most testers are not even aware of the amount of free, open-source security testing tools available to them.
This is a shame because I believe the next wave of DevOps is adding security tests to our pipelines. There’s even a name for this next wave: DevSecOps.
I thought I’d create a quick resource to point you to some security tools that you can start trying out.
Below are some of the best ones I’ve found or have heard about.
INDEX
DevSlop
Exercise in a Box
Mobile Security Framework
Needle
Frida
Tamper
Nishang
Faraday
InSpec
Pocsuite
OWTF
Astra
Pacu
Taipan
Archery
Retire.JS
mitmproxy
Metasploit Framework
Selenium
ZAP
Secure Guild
DevSlop
I recently interviewed Tanya Janca, who told me about her project, DevSlop.
You’re probably aware that modern applications often use APIs, microservices, and containerization to deliver faster and better products and services.
This changing landscape means security folks need to step up their game. DevSlop (“Sloppy DevOps”) is an exploration of this area via several different modules consisting of pipelines, vulnerable apps, and The DevSlop Show.
If you’re looking to start learning more about adding security to your DevOps pipeline, this is a good resource to start with.
Exercise in a Box
Exercise in a Box is a free online tool from the National Cyber Security Centre in the UK. It helps organizations find out how resilient they are to cyber-attacks and practice their response in a safe environment.
The service provides exercises based on the main cyber threats that your organization can do in its own time, in a safe environment, as many times as you wish. It includes everything you need for setting up, planning, delivery, and post-exercise activity, all in one place.
To use it, you’ll need to register here first.
Mobile Security Framework
Mobile Security Framework (MobSF) describes itself as an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis, and web API testing (https://opensecurity.in).
It can be used for effective and fast security analysis of Android, iOS, and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. It can also perform dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API–specific security scanner.
Needle
Needle is MWR’s iOS Security Testing Framework, released at Black Hat USA in August 2016. It is an open-source, modular framework whose goal is to streamline the entire process of conducting security assessments of iOS applications. It also acts as a central point from which you can perform all of these security activities.
Needle was designed to be useful not only for security professionals but also for developers looking to secure their code.
Some examples of testing Needle can help you with are:
- Data storage
- Inter-process communication
- Network communications
- Static code analysis
- Hooking
- Binary protections
Needle’s only requirement to run effectively is that you use a jailbroken device.
Frida
Frida is a dynamic instrumentation toolkit for developers, reverse engineers, and security researchers. I first heard about it from Jahmel Harris, an ethical hacker, security testing expert, and founder of Digital Interruption, who highly recommended it.
Frida is a framework or toolkit for instrumentation, also known as application hooking.
The Frida website describes it as letting you inject your own scripts into black-box processes: hook any function, spy on crypto APIs, or trace private application code.
No source code is needed.
Tamper
Tamper Chrome is an extension that allows you to modify HTTP requests on the fly and aids in Web security testing. Tamper Chrome works across all operating systems Chrome runs on (including Chrome OS).
Tamper Chrome also allows you to monitor requests sent by your browser as well as the responses.
You can also modify requests as they go out and, to a limited extent, change the responses (headers, CSS, JavaScript, or XMLHttpRequest responseText).
Nishang
Is PowerShell your go-to security scripting language?
If so, you should check out the Nishang framework.
It’s a collection of scripts and payloads that enables the usage of PowerShell for offensive security, penetration testing, and red teaming.
Nishang is useful during all phases of penetration testing.
Faraday
If you’ve done any type of development in the past, you know how helpful a well-designed IDE can be to your productivity.
But what about security testing development?
Faraday calls itself an IPE (Integrated Penetration-Test Environment), which is essentially another way of saying a multi-user Penetration Test IDE.
It was designed for distributing, indexing, and analyzing the data generated during a security audit.
Faraday was developed to allow you to take advantage of the available tools in the community in a multi-user way.
They designed it with a focus on simplicity, so users should notice no difference between their terminal application and the one included in Faraday.
It was developed with a specialized set of functionalities to help users improve their workflow.
InSpec
At a high level, InSpec is an auditing and software testing framework.
It’s basically an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security, and policy requirements.
Pocsuite
Pocsuite is an open-source, remote vulnerability testing and proof-of-concept development framework.
It comes with a powerful proof-of-concept engine and many niche features for the ultimate penetration testers and security researchers.
OWTF
Offensive Web Testing Framework (OWTF) is a framework that tries to unite great tools and make pen testing more efficient.
Astra
Need to security test some APIs?
Astra was made for automated security testing of REST APIs.
Their GitHub page mentions that security engineers or developers can use Astra as an integral part of their process so they can detect and patch vulnerabilities early in the development cycle. Astra can automatically detect and test login and logout (the authentication API), so it’s easy for anyone to integrate it into a CI/CD pipeline. Astra can take an API collection as input, which lets it test APIs in standalone mode.
Examples of the types of security tests you can perform with Astra are:
- SQL injection
- Cross-site scripting
- Information leakage
- Broken authentication and session management
- CSRF (including Blind CSRF)
- Rate limit
- CORS misconfiguration (including CORS bypass techniques)
- JWT attack
- CRLF detection
- Blind XXE injection
Pacu
Speaking of API security testing, are you worried about the AWS APIs behind your cloud-based application getting hacked?
Pacu is an AWS exploitation framework, designed for testing the security of Amazon Web Services environments.
Taipan
Taipan is an automated web application vulnerability scanner that allows identifying web vulnerabilities in an automatic fashion. This project is the core engine of a broader project which includes other components, like a web dashboard where you can manage your vulnerability scans, download a PDF report, and a scanner agent to run on a specific host.
Archery
Archery is an open-source vulnerability assessment and management tool which helps developers and pentesters to perform scans and manage vulnerabilities.
It uses popular open-source tools to perform comprehensive scanning of web applications and networks. It also performs dynamic authenticated scanning of web applications and covers the whole application using Selenium. Developers can also use the tool as part of their DevOps CI/CD environment.
Retire.JS
Have a bunch of JavaScript that you would like to scan for different types of vulnerabilities?
Try Retire.JS, which can scan your code for the use of JavaScript libraries with known vulnerabilities.
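To show what a scanner of this kind actually does, here is an added example (not Retire.JS’s own code): it looks for library version banners in JavaScript source and matches the version against a small vulnerability database. The database shape is loosely modelled on the “atOrAbove”/“below” ranges Retire.JS uses, but every entry, identifier and sample file below is constructed for illustration and is not a real advisory.

```python
"""Minimal known-vulnerable-library scanner in the spirit of Retire.js.

Everything here is example code: VULN_DB is a constructed database with
placeholder advisory ids, and the sample JavaScript files are constructed.
"""
import re

# Constructed database.  "atOrAbove" = first affected version,
# "below" = first fixed version (same meaning as in Retire.js repositories).
# The ids are placeholders, NOT real CVEs or advisories.
VULN_DB = {
    "jquery": {
        # Regexes that find the library and capture its version from file content.
        "content_patterns": [
            r"/\*!?\s*jQuery v([0-9][0-9.]*)",
            r"jQuery JavaScript Library v([0-9][0-9.]*)",
        ],
        "vulnerabilities": [
            {"id": "EXAMPLE-JQ-1", "atOrAbove": "1.0.0", "below": "1.9.0",
             "summary": "constructed advisory for illustration only"},
            {"id": "EXAMPLE-JQ-2", "atOrAbove": "1.0.0", "below": "3.5.0",
             "summary": "constructed advisory for illustration only"},
        ],
    },
}


def parse_version(text):
    """'1.8.3' -> (1, 8, 3); pads to three parts so '1.9' == '1.9.0'."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))[:3]
    return parts + (0,) * (3 - len(parts))


def in_range(version, at_or_above=None, below=None):
    """True if `version` falls inside [at_or_above, below)."""
    v = parse_version(version)
    if at_or_above is not None and v < parse_version(at_or_above):
        return False
    if below is not None and v >= parse_version(below):
        return False
    return True


def detect_libraries(source):
    """Return [(library, version)] for each library banner found in `source`."""
    found = []
    for lib, entry in VULN_DB.items():
        for pattern in entry["content_patterns"]:
            match = re.search(pattern, source)
            if match:
                found.append((lib, match.group(1)))
                break  # one hit per library is enough
    return found


def scan(source):
    """Return [(library, version, advisory_id)] for every matching advisory."""
    findings = []
    for lib, version in detect_libraries(source):
        for vuln in VULN_DB[lib]["vulnerabilities"]:
            if in_range(version, vuln.get("atOrAbove"), vuln.get("below")):
                findings.append((lib, version, vuln["id"]))
    return findings


# Constructed sample files standing in for bundled JavaScript on disk.
OLD_JQUERY = "/*! jQuery v1.8.3 jquery.com | jquery.org/license */\n(function(w){})(this);"
MID_JQUERY = "/*! jQuery v2.1.4 | (c) 2005, 2015 jQuery Foundation, Inc. */"
NEW_JQUERY = "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors */"
NO_LIBRARY = "console.log('hand-written app code, no third-party banner');"

if __name__ == "__main__":
    for name, src in [("old", OLD_JQUERY), ("mid", MID_JQUERY),
                      ("new", NEW_JQUERY), ("none", NO_LIBRARY)]:
        print(name, scan(src))
```

The version comparison pads to three numeric parts so that “1.9” and “1.9.0” compare equal; a real tool also has to cope with pre-release suffixes and minified files whose banner was stripped, which Retire.JS handles with filename patterns and content hashes in addition to content regexes.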
mitmproxy
Need an intercepting proxy for your security testing that you can run from the command line?
Check out mitmproxy, which is one of the highest-rated (14,997 stars) on GitHub. Their GitHub page describes it as “an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.”
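Both Tamper Chrome and mitmproxy let you watch every response your browser receives, and the simplest useful thing to do with that view is a passive check. The following is an added example, not code from the mitmproxy project: a mitmproxy addon script that flags responses missing common security headers. It assumes mitmproxy’s addon convention of a module-level `response(flow)` hook, with `flow.request.pretty_url` and `flow.response.headers` available; the header list is this example’s own choice, and the sample responses at the bottom are constructed so the check can be exercised without a proxy.

```python
"""Passive security-header check written as a mitmproxy addon (example code).

Run against live traffic with:   mitmdump -s header_check.py
The pure function `missing_security_headers` does the work; `response(flow)`
is the mitmproxy event hook (assumed API: flow.request.pretty_url and
flow.response.headers) that feeds it each completed response.
"""

# Headers expected on every response from a web application.
# The selection and wording are this example's own, not a mitmproxy feature.
ALL_RESPONSES = {
    "strict-transport-security": "no HSTS: browser may be downgraded to plain HTTP",
    "x-content-type-options": "no nosniff: browser may sniff the content type",
}
# Headers that additionally matter for HTML documents.
HTML_RESPONSES = {
    "content-security-policy": "no CSP: injected scripts are not constrained",
    "x-frame-options": "no framing policy: page may be clickjacked",
}


def missing_security_headers(headers):
    """Return {header: reason} for each expected header absent from `headers`.

    `headers` is any mapping with .items(); lookup is case-insensitive because
    HTTP header names are.  mitmproxy's Headers object satisfies this.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    expected = dict(ALL_RESPONSES)
    if lowered.get("content-type", "").lower().startswith("text/html"):
        expected.update(HTML_RESPONSES)
    return {name: why for name, why in expected.items() if name not in lowered}


FINDINGS = []  # (url, {header: reason}) collected over the proxy session


def response(flow):
    """mitmproxy event hook: called once per completed HTTP response."""
    missing = missing_security_headers(flow.response.headers)
    if missing:
        FINDINGS.append((flow.request.pretty_url, missing))
        print(f"[missing headers] {flow.request.pretty_url}: {', '.join(missing)}")


# Constructed sample responses, standing in for flows seen through the proxy.
SAMPLE_RESPONSES = [
    ("https://app.example/login",
     {"Content-Type": "text/html; charset=utf-8", "Server": "example"}),
    ("https://app.example/api/session",
     {"Content-Type": "application/json",
      "Strict-Transport-Security": "max-age=63072000",
      "X-Content-Type-Options": "nosniff"}),
    ("https://app.example/dashboard",
     {"Content-Type": "text/html",
      "Strict-Transport-Security": "max-age=63072000",
      "X-Content-Type-Options": "nosniff",
      "Content-Security-Policy": "default-src 'self'",
      "X-Frame-Options": "DENY"}),
]


def scan_samples():
    """Run the check over the constructed samples; returns {url: [missing names]}."""
    return {url: sorted(missing_security_headers(hdrs)) for url, hdrs in SAMPLE_RESPONSES}


if __name__ == "__main__":
    for url, missing in scan_samples().items():
        print(url, missing or "ok")
```

Keeping the check in a pure function means the same logic can run in a unit test against recorded headers, while the hook only adapts it to the proxy; the absence of a header is a finding to triage, not proof of an exploitable weakness.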
Metasploit Framework
Metasploit Framework is one of the more popular penetration testing tools out there. It was designed specifically for penetration testing—like how to attack MS SQL, browser-based and file exploits, and social engineering attacks. This is one of the main tools used by hard-core security professionals.
Metasploit contains a suite of tools that can help you do things like performing attacks and testing security vulnerabilities. It contains a number of different modules that can test your application against common vulnerabilities that many hackers exploit. You can also use it to develop your own exploits. In Metasploit, a module is a software component that performs a chosen attack on a specified target.
Selenium
Umm… what is Selenium—a functional automation testing library—doing on this list?
Well, believe it or not, there are many ways to leverage existing functional automated tests, including security testing.
For example, in his Secure Guild session on integrated security testing, Morgan Roman will demonstrate how he leverages his existing Selenium tests to check his applications for cross-site vulnerabilities.
This works mainly by taking existing Selenium tests (or any other kind of test), adding a simple security payload to them, and finally injecting some extra detection into them.
This may seem complex at first, but he’ll show us just how simple it is. Register for Secure Guild and check out his session now.
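To make the “payload plus detection” idea concrete, here is an added example of my own, not Morgan Roman’s code or a Secure Guild session artefact. It keeps the browser out of the picture: the application under test is any callable `render(user_input)` that returns page source, so the check runs offline against two constructed pages (one that concatenates input into HTML, one that escapes it). A `selenium_renderer` adapter shows the assumed hook-up to a real Selenium WebDriver (`driver.get`, `find_element(By.NAME, …)`, `send_keys`, `submit`, `page_source`); that adapter is not exercised here.

```python
"""Reflected-XSS canary check that can be bolted onto an existing UI test.

Example code.  The payload is a harmless custom element with a random name;
detection asks whether it came back as markup (unencoded) or as text (encoded).
"""
import html
import secrets


def make_canary():
    """Unique, harmless element name; the random token rules out matching a
    word that happens to be on the page already."""
    return "canary" + secrets.token_hex(4)


def payload_for(canary):
    """The 'security payload': an empty custom element, nothing executable."""
    return f"<{canary}></{canary}>"


def check_reflected_xss(render):
    """Submit the canary through `render` and classify how it came back.

    Returns "unencoded" (markup survived: reflected-XSS candidate),
    "encoded" (reflected as text: output encoding is working), or
    "not_reflected" (input never reached the page).
    """
    canary = make_canary()
    page = render(payload_for(canary))
    if f"<{canary}>" in page:
        return "unencoded"
    if html.escape(f"<{canary}>") in page or canary in page:
        return "encoded"
    return "not_reflected"


# --- Constructed application pages standing in for the system under test ---

def vulnerable_search_page(query):
    """Constructed example: user input concatenated straight into HTML."""
    return f"<html><body><h1>Results for {query}</h1></body></html>"


def hardened_search_page(query):
    """Constructed example: the same page with output encoding applied."""
    return f"<html><body><h1>Results for {html.escape(query)}</h1></body></html>"


def static_page(_query):
    """Constructed example: a page that ignores the input entirely."""
    return "<html><body><h1>Welcome</h1></body></html>"


# --- Assumed adapter for a real Selenium WebDriver (not run in this example) ---

def selenium_renderer(driver, url, field_name):
    """Wrap an existing Selenium flow as a render(user_input) callable.

    Assumes Selenium 4's By.NAME locator and the usual get/send_keys/submit
    calls; imported lazily so the rest of the module works without Selenium.
    """
    from selenium.webdriver.common.by import By

    def render(user_input):
        driver.get(url)
        field = driver.find_element(By.NAME, field_name)
        field.clear()
        field.send_keys(user_input)
        field.submit()
        return driver.page_source

    return render


if __name__ == "__main__":
    for name, app in [("vulnerable", vulnerable_search_page),
                      ("hardened", hardened_search_page),
                      ("static", static_page)]:
        print(name, check_reflected_xss(app))
```

In an existing Selenium suite the only change is the input value and one extra assertion, which is the point of the approach: the navigation, login and form handling the functional test already does are reused as-is, and a result of "unencoded" becomes a failing test rather than a separate scanner report.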
ZAP
Speaking of Selenium, another popular way of expanding its capabilities is to use it with the OWASP Zed Attack Proxy (ZAP).
ZAP can help you automatically find security vulnerabilities in your Web applications while you’re developing and testing them. It’s also a great tool for experienced pen testers to use for manual security testing.
Many testers have leveraged ZAP within their Selenium tests to help with their security testing efforts.
Secure Guild
As you can see, there are many tool options available to testers who are looking to get more familiar with Security Testing.
Also, if you are just beginning your security testing career, another resource you should check out is Secure Guild, an online conference 100% dedicated to security testing. Learn more here.