Perimeter
2/25/2011
03:30 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

The Power Of Open-Source Security Tools

Free, open-source tools like the Metasploit Framework and w3af exemplify the power of community involvement and support

As an attacker and a defender, I've used many open-source tools over the years. Some of them fall to the wayside as newer, better tools get released. Others simply get left behind because they're no longer supported. What I've grown to appreciate more and more is the community support and passion of those involved in the projects responsible for the tools that I've come to rely on regularly.

Two examples that have reaffirmed my belief in open source lately are the Metasploit Framework and w3af projects. The first, Metasploit, has such a strong community built around it that whether you ask a question to the mailing list or the IRC channel, you'll typically have an answer within an hour or less. In addition to the great response time, the question is often answered by a core developer or contributor, and regularly by the actual Metaploit project creator, HD Moore.

Yesterday, in the Metaploit IRC channel, someone had used the new Linux installer for Metasploit and was having a problem starting Postgresql after a reboot. Since I hadn't used the installer yet, I spent about five minutes with a virtual machine to see what it looked like and figure out the answer to the problem. It was great because not only did I help someone else, I also got a chance to test out the new installer.

What I found was a really easy-to-use installer for Linux that should help potential users who aren't very comfortable with the terminal and software installation on Linux. There are a couple of installer versions, including the one I tested that packages Java and Postgresql. Since updates to the Metasploit Framework are a regular occurrence, there's an option included during the install to update regularly via a cron job.

The other open-source project I want to mention is w3af. It is a Web application security testing framework written in Python. It can be used with or without a graphical user interface and is very powerful with a modular architecture that lets you choose only the items you want to use during an assessment. One nice feature that sets w3af apart from many other Web scanners is the ability to exploit found vulnerabilities, like SQL injection, command injection, cross site scripting, and remote file includes.

Besides the w3af being an awesome tool, the support is great. I approached the project lead, Andres Riancho, last week with a bug that he then fixed and updated in the subversion software repository within about 10 minutes. I updated my install and was ready to go again with the fix in place. Similarly, the w3af IRC channel has proved to be a valuable resource as questions come up.

Is open-source software for everyone? No, but as an IT security professional you should certainly be aware of what's out there because it could be useful for a couple of reasons. The first is you might actually come to use an open-source tool that helps you do your job better and earns you a raise (hey, it could happen!). The second is that quite a few open-source security tools are often used for malicious purposes, so it helps to know the abilities of the tools and the artifacts they leave behind so you know what you're up against.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6196
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSp...

CVE-2014-7247
Published: 2014-11-25
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?