Security testing is sometimes thought of as hard to automate, or as a testing discipline that lacks the tools and resources to make it easier to learn.
I find most testers are not even aware of the number of free, open-source security testing tools available to them.
This is a shame because I believe the next wave of DevOps is adding security tests to our pipelines. There’s even a name for this next wave: DevSecOps.
I thought I’d create a quick resource to point you to some security tools that you can start trying out.
Below are some of the best ones I’ve found or have heard about.
DevSlop
I recently interviewed Tanya Janca, who told me about her project, DevSlop.
You’re probably aware that modern applications often use APIs, microservices and containerization to deliver faster and better products and services.
This changing landscape means security folks need to step up their game. DevSlop (“Sloppy DevOps”) is an exploration into this area via several different modules consisting of pipelines, vulnerable apps, and The DevSlop Show.
If you’re looking to start learning more about adding security to your DevOps pipeline, this is a good resource to start with.
Exercise in a Box
Exercise in a Box is a free online tool from the National Cyber Security Centre in the UK. It helps organizations find out how resilient they are to cyber attacks and practice their response in a safe environment.
The service provides exercises based around the main cyber threats that your organization can do in its own time, in a safe environment, as many times as you wish. It includes everything you need for setting up, planning, delivery, and post-exercise activity, all in one place.
To use it you’ll need to register here first.
Mobile Security Framework
Mobile Security Framework (MobSF) describes itself as an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis, and web API testing. https://opensecurity.in
It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. It can also perform dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner.
In the spirit of DevSecOps, MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless.
Needle
Needle is MWR's iOS security testing framework, released at Black Hat USA in August 2016. It is an open-source, modular framework whose goal is to streamline the entire process of conducting security assessments of iOS applications. It also acts as a central point from which to perform all these security activities.
Needle was designed to be useful not only for security professionals but also for developers looking to secure their code.
Some examples of testing Needle can help you with are:
- Data storage
- Inter-process communication
- Network communications
- Static code analysis
- Binary protections.
Needle’s only requirement to run effectively is that you use a jailbroken device.
Frida
Frida is a dynamic instrumentation toolkit for developers, reverse engineers, and security researchers. I first heard about it from Jahmel Harris, an ethical hacker, security testing expert and founder of Digital Interruption, who highly recommended it.
Frida is a framework, or toolkit, for instrumentation, also known as application hooking.
The Frida website describes it this way: inject your own scripts into black box processes, hook any function, spy on crypto APIs or trace private application code.
No source code needed.
What is application hooking?
Application hooking means you can change how an application works at runtime by injecting your code into the process.
This effectively means we can have our own code run instead of the original code, or call functions internal to an application, whenever we choose.
This ability can be incredibly helpful when performing penetration tests. The technique can be useful for forcing errors into an application, such as injecting a sleep or reading specific data from a file or network.
To see an example, be sure to register for Secure Guild and view Jahmel’s session, “Hacker Tools for Developers and Testers: How to Add Security tests into the Pipeline,” which contains a demo on how to set up and use Frida for this purpose.
He will also demonstrate how to adapt Frida so that you can use it in your CI pipeline.
Tamper Chrome
Tamper Chrome is an extension that allows you to modify HTTP requests on the fly and aids in web security testing. Tamper Chrome works across all operating systems (including Chrome OS).
Tamper Chrome also allows you to monitor requests sent by your browser as well as the responses.
Nishang
Is PowerShell your go-to security scripting language?
If so, you should check out the Nishang framework.
It’s a collection of scripts and payloads that enables usage of PowerShell for offensive security, penetration testing and red teaming.
Nishang is useful during all phases of penetration testing.
Faraday
If you’ve done any type of development in the past, you know how helpful a well-designed IDE can be to your productivity.
But what about for security testing development?
Faraday calls itself an IPE (Integrated Penetration-Test Environment) which is essentially another way of saying a multi-user Penetration Test IDE.
It was designed for distributing, indexing, and analyzing the data generated during a security audit.
Faraday was developed to allow you to take advantage of the available tools in the community in a multi-user way.
They designed it with a focus on simplicity, so users should notice no difference between their terminal application and the one included in Faraday.
It was developed with a specialized set of functionalities to help users improve their workflow.
InSpec
At a high level, InSpec is an auditing and software testing framework.
It’s basically an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.
Pocsuite
Pocsuite is an open-source, remote vulnerability testing and proof-of-concept development framework.
It comes with a powerful proof-of-concept engine and many niche features for the ultimate penetration testers and security researchers.
Offensive Web Testing Framework (OWTF)
Offensive Web Testing Framework (OWTF) is a framework which tries to unite great tools and make pen testing more efficient.
Astra
Need to security test some APIs?
Astra was made for automated security testing of REST APIs.
Their GitHub page mentions that security engineers or developers can use Astra as an integral part of their process so they can detect and patch vulnerabilities early in the development cycle. Astra can automatically detect and test login and logout (Authentication API), so it's easy for anyone to integrate this into a CI/CD pipeline. Astra can take an API collection as input, so it can also test APIs in standalone mode.
Examples of the types of security tests you can perform with Astra are:
- SQL injection
- Cross-site scripting
- Information leakage
- Broken authentication and session management
- CSRF (including Blind CSRF)
- Rate limit
- CORS misconfiguration (including CORS bypass techniques)
- JWT attack
- CRLF detection
- Blind XXE injection
Pacu
Speaking of API security testing, are you worried about the AWS APIs of your cloud-based application getting hacked?
Pacu is an AWS exploitation framework, designed for testing the security of Amazon Web Services.
Taipan
Taipan is an automated web application vulnerability scanner that allows identifying web vulnerabilities in an automatic fashion. This project is the core engine of a broader project which includes other components, like a web dashboard where you can manage your vulnerability scans, download a PDF report and a scanner agent to run on a specific host.
Archery
Archery is an open-source vulnerability assessment and management tool which helps developers and pentesters to perform scans and manage vulnerabilities.
Archery uses popular open-source tools to perform comprehensive scanning of web applications and networks. It also performs dynamic authenticated scanning of web applications and covers the whole application by using Selenium. Developers can also use the tool in their DevOps CI/CD environment.
mitmproxy
Need an intercepting proxy for your security testing that you can run from the command line?
Check out mitmproxy, which is one of the highest rated (14,997 stars) on GitHub. Their GitHub page describes it as “An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.”
Metasploit Framework
Metasploit Framework is one of the more popular penetration testing tools out there. It was designed specifically for penetration testing, covering things like how to attack MS SQL, browser-based and file exploits, and social engineering attacks. This is one of the main tools used by hard-core security professionals.
Metasploit contains a suite of tools that can help you do things like perform attacks and test for security vulnerabilities. It contains a number of different modules that can test your application against common vulnerabilities that many hackers exploit. You can also use it to develop your own exploits. In Metasploit, a module is a software component that performs a chosen attack on a specified target.
With Metasploit, you run commands that choose a module that contains an exploit that you want to run against your application in order to try to break it. For example, many REST APIs rely heavily on SSL.
Using Metasploit, you can test your system to see how it handles common SSL exploits like the infamous Heartbleed vulnerability. Metasploit has hundreds of exploits you can use and, of the three tools we’ve covered, is the most complicated. But it also offers the most penetration testing-specific features.
Selenium
Umm… what is Selenium, a functional automation testing library, doing on this list?
Well, believe it or not, there are many ways to leverage existing functional automated tests to also include security testing.
For example, in his Secure Guild session on integrated security testing, Morgan Roman will demonstrate how he leverages his existing Selenium tests to check his applications for cross-site vulnerabilities.
This works mainly by taking existing Selenium tests (or any other kind of test), adding a simple security payload to them, and finally injecting some extra detection into them.
This may seem complex at first, but he’ll show us just how simple it is. Register for Secure Guild and check out his session now.
OWASP Zed Attack Proxy (ZAP)
Speaking of Selenium, another popular way of expanding its capabilities is to use it with the OWASP Zed Attack Proxy (ZAP).
ZAP can help you automatically find security vulnerabilities in your Web applications while you’re developing and testing your applications. It’s also a great tool for experienced Pen testers to use for manual security testing.
Many testers have leveraged ZAP within their Selenium tests to help with their security testing efforts.
As you can see, there are many tool options available to testers who are looking to get more familiar with Security Testing.
Also, if you are just beginning your security testing career, another resource you should check out is Secure Guild, an online conference 100% dedicated to security testing. Learn more here.