Tech Insight: Updating Your Security Toolbox

Every now and then, security departments should take a look at their "toolboxes" and ask whether they have all of the right tools to deal with the current range of threats. What open-source tools are available to help combat new exploits, analyze defenses, or automate our jobs so we can work less and slack off more?

As threats change, new technologies are released, and tools are updated, we occasionally must replace our old favorites with the new hotness. After digging through my applications folder, speaking to consultants and security teams, I've compiled a list of some trusty tools that you should think about keeping on hand. And here's a bonus: These are all open-source products. No big corporate budgets required.

In no particular order, let's look at some tools that we use regularly and can’t live without. We’ll start with a few oldies that we still love:

Burp and Paros proxies. Burp and Paros are client-side proxies used to intercept, modify, replay, and craft HTTP requests. They are very similar, so most people use whichever one they like best. I like Paros; when performing a Web application assessment, I use it to intercept and modify HTTP requests for a variety of reasons, from understanding what the application is doing to cookie manipulation. I even use Paros occasionally when I need to debug and test Web applications I’m developing.

Firebug and Tamper Data. Both Firebug and Tamper Data are FireFox plug-ins designed to help Web developers debug their code in the browser. Many security experts use these to understand Web applications, quickly examine code, and follow JavaScript logic in AJAX calls. Both are valuable tools for Web application assessments.

Metasploit. The one, the only, and a favorite of penetration teams. Metasploit is about as simple as it gets when trying to exploit a system and obtain pure ownage. In the good ol' days, we had to obtain, compile, and pray an exploit worked. Now Metasploit takes much of the work out of exploitation.

W3af. This Web application attack and audit framework has been called the Metasploit of Web application security. Its goal is simple: to make it easy to find and exploit Web application defects. This project is still much younger than many other tools, but shows promise and is sponsored by the owners of Metasploit, Rapid 7.

Skipfish. Skipfish is a Web application scanner developed by Google that is offered as an open-source tool and overcomes some problems that are common to other scanners. It works in a way that is similar to other scanners, crawling a Web application and testing for common vulnerabilities. Skipfish claims high performance, ease of use, and well-designed security checks.

Selenium. Selenium is a suite of tools used to automate Web application testing. While Selenium wasn’t developed for security teams, it is used by some security organizations to help automate testing of common Web application security problems in place of commercial testing suites.

EtherApe. EtherApe is a graphical network monitoring tool useful for inspecting network traffic and seeing what is coming and going on a host.

BackTrack. Technically, BackTrack is actually a collection of tools, but we couldn’t leave it out of this list. It’s a great place to start when building a toolkit and features some of the most common tools ready to work out of the box.

Nessus. While no longer officially an open-source product, Nessus is still the de facto free vulnerability scanning tool. Many network penetration tests start by using Nessus to sweep across infrastructure and identify services, hosts, and vulnerabilities.

There are more -- Ophcrack, Kismet/Kismac, and John the Ripper -- come to mind -- but this small set of open-source tools is a great start for security departments that are just starting out or looking to update their arsenals. If you haven't taken a look at these tools yet, then check them out -- they might be just the ones you need for the next new threat.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.