Perimeter
2/25/2011
03:30 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

The Power Of Open-Source Security Tools

Free, open-source tools like the Metasploit Framework and w3af exemplify the power of community involvement and support

As an attacker and a defender, I've used many open-source tools over the years. Some of them fall to the wayside as newer, better tools get released. Others simply get left behind because they're no longer supported. What I've grown to appreciate more and more is the community support and passion of those involved in the projects responsible for the tools that I've come to rely on regularly.

Two examples that have reaffirmed my belief in open source lately are the Metasploit Framework and w3af projects. The first, Metasploit, has such a strong community built around it that whether you ask a question to the mailing list or the IRC channel, you'll typically have an answer within an hour or less. In addition to the great response time, the question is often answered by a core developer or contributor, and regularly by the actual Metaploit project creator, HD Moore.

Yesterday, in the Metaploit IRC channel, someone had used the new Linux installer for Metasploit and was having a problem starting Postgresql after a reboot. Since I hadn't used the installer yet, I spent about five minutes with a virtual machine to see what it looked like and figure out the answer to the problem. It was great because not only did I help someone else, I also got a chance to test out the new installer.

What I found was a really easy-to-use installer for Linux that should help potential users who aren't very comfortable with the terminal and software installation on Linux. There are a couple of installer versions, including the one I tested that packages Java and Postgresql. Since updates to the Metasploit Framework are a regular occurrence, there's an option included during the install to update regularly via a cron job.

The other open-source project I want to mention is w3af. It is a Web application security testing framework written in Python. It can be used with or without a graphical user interface and is very powerful with a modular architecture that lets you choose only the items you want to use during an assessment. One nice feature that sets w3af apart from many other Web scanners is the ability to exploit found vulnerabilities, like SQL injection, command injection, cross site scripting, and remote file includes.

Besides the w3af being an awesome tool, the support is great. I approached the project lead, Andres Riancho, last week with a bug that he then fixed and updated in the subversion software repository within about 10 minutes. I updated my install and was ready to go again with the fix in place. Similarly, the w3af IRC channel has proved to be a valuable resource as questions come up.

Is open-source software for everyone? No, but as an IT security professional you should certainly be aware of what's out there because it could be useful for a couple of reasons. The first is you might actually come to use an open-source tool that helps you do your job better and earns you a raise (hey, it could happen!). The second is that quite a few open-source security tools are often used for malicious purposes, so it helps to know the abilities of the tools and the artifacts they leave behind so you know what you're up against.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Best of the Web