Sometimes, considered as hard to automate, security testing lacks the resources and tools that assist in making it simple to learn. We have found many testers unaware of the free and open source security testing tools that are available to them. This is a shame because we believe that the next wave of DevOps, DevSecOps, is appending security tests to our pipelines.
We thought of creating a rapid resource to reveal some security tools that you all may start trying. Below are a few that we have found and heard more about.
Excercise in a Box
A free, online tool, Exercise in a Box, is from the National Cyber Security Center in the UK. It aids organizations to find out how susceptible they are to cyberattacks.
The service offers exercises that allow your organization to practice their response to within its time, in a safe environment, repeatedly as much you want. It clutches everything you require for planning, setting up, delivery, and post-exercise activity, all at one spot.
You may also like: Security Testing in the Cloud: What to Know.
The iOS Testing Framework of MWR, Needle was launched at Black Hat USA. It is a modular, open-source framework, and its target is to streamline the whole process of carrying security assessments of iOS apps. It also poses as the main point for you to carry all these security activities.
It was designed to be employed by security professionals as well as developers needing to secure their code.
You might be informed about modern apps that often employ microservices, APIs, and containerization to present better and faster products and services.
This altering landscape means that security folks need to take these technologies into consideration when securing applications. Sloppy DevOps, DevSlop, is researching this through various distinct modules, embracing vulnerable apps, pipelines, and the DevSlop Show.
If you are thinking to start getting more about enhancing the security of your DevOps pipeline, this is a good resource to get started.
Mobile Security Framework
Mobile Security Framework describes itself as an all-in-one and automated mobile app pen-testing framework that can perform dynamic analysis, static analysis, web APT testing, and malware analysis.
It can be employed for fast and effective security analysis of iOS, Android, and Windows mobile apps and aids both sipped and binaries source code. It can also do dynamic application testing for Android applications at runtime and holds Web API fuzzing calibers powered by a Web API specific security scanner, CapFuzz.
A dynamic instrumentation toolkit for the reverse engineers, developers, and security researchers, Frida is a toolkit or framework for the implementation of application hooking.
On the Frida site, it asks to put your scripts into a black-box process. Hook any of the functions, crypto API, spy or trace the private app code. No source code is needed.
If your go-to security scripting language is PowerShell, then you should examine the Nishang framework. It’s a blend of payloads and scripts that permits the use of PowerShell for penetration testing, offensive security, and red teaming. It is also employed during all the phases of penetration testing.
An extension, Tamper Chrome permits us to change HTTP requests on the fly and assist in Web security testing. It works across all the operating systems (embracing Chrome OS).
It also enables us to check the requests sent by the browser and also the responses.
InSpec is a software testing and auditing framework at a high level. Basically, it’s an open source framework for the infrastructure with a human-readable and machine-readable language for clarifying the security, compliance, and policy needs.
Faraday is an IPE (Integrated Penetration-Test Environment) that is an added way of stating a multi-user Penetration Test. It was crafted for indexing, distributing, and analyzing data produced during a security audit.
Faraday was developed to permit you to take benefit of the tools available in the community in a multi-user way. They crafted it with simplicity in mind, so users should notice no distinction between their terminal and the one present in Faraday. It’s developed with a special set of features to aid users in improving their workflow.
Pocsuite is a proof-of-concept and remote vulnerability testing development framework. It comes along a robust proof-of-concept engine and various niche features for security researchers and penetration testers.
An automated web app vulnerability scanner, Taipan permits recognizing web vulnerabilities in an automatic way. This project is the main engine of a wide project that embraces other components, akin to a web dashboard where one can manage vulnerabilities, scan, and download a scanner agent and a PDF report to run a particular host.
An AWS exploitation framework, Pacu is designed for security testing of Amazon Web Services.
As one can notice, there are various tool pics available to the testers who are trying to know more about Security Testing.
Moreover, if you are just starting with your career with security testing, another resource that you should check out is the Secure Guild, which is an online conference wholly dedicated to the security testing.