Perimeter
2/25/2011
03:30 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%

The Power Of Open-Source Security Tools

Free, open-source tools like the Metasploit Framework and w3af exemplify the power of community involvement and support

As an attacker and a defender, I've used many open-source tools over the years. Some of them fall to the wayside as newer, better tools get released. Others simply get left behind because they're no longer supported. What I've grown to appreciate more and more is the community support and passion of those involved in the projects responsible for the tools that I've come to rely on regularly.

Two examples that have reaffirmed my belief in open source lately are the Metasploit Framework and w3af projects. The first, Metasploit, has such a strong community built around it that whether you ask a question to the mailing list or the IRC channel, you'll typically have an answer within an hour or less. In addition to the great response time, the question is often answered by a core developer or contributor, and regularly by the actual Metaploit project creator, HD Moore.

Yesterday, in the Metaploit IRC channel, someone had used the new Linux installer for Metasploit and was having a problem starting Postgresql after a reboot. Since I hadn't used the installer yet, I spent about five minutes with a virtual machine to see what it looked like and figure out the answer to the problem. It was great because not only did I help someone else, I also got a chance to test out the new installer.

What I found was a really easy-to-use installer for Linux that should help potential users who aren't very comfortable with the terminal and software installation on Linux. There are a couple of installer versions, including the one I tested that packages Java and Postgresql. Since updates to the Metasploit Framework are a regular occurrence, there's an option included during the install to update regularly via a cron job.

The other open-source project I want to mention is w3af. It is a Web application security testing framework written in Python. It can be used with or without a graphical user interface and is very powerful with a modular architecture that lets you choose only the items you want to use during an assessment. One nice feature that sets w3af apart from many other Web scanners is the ability to exploit found vulnerabilities, like SQL injection, command injection, cross site scripting, and remote file includes.

Besides the w3af being an awesome tool, the support is great. I approached the project lead, Andres Riancho, last week with a bug that he then fixed and updated in the subversion software repository within about 10 minutes. I updated my install and was ready to go again with the fix in place. Similarly, the w3af IRC channel has proved to be a valuable resource as questions come up.

Is open-source software for everyone? No, but as an IT security professional you should certainly be aware of what's out there because it could be useful for a couple of reasons. The first is you might actually come to use an open-source tool that helps you do your job better and earns you a raise (hey, it could happen!). The second is that quite a few open-source security tools are often used for malicious purposes, so it helps to know the abilities of the tools and the artifacts they leave behind so you know what you're up against.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio