Resources: Security Testing Tools


(Heather) #1

One thing I learned from tonight's Ask Me Anything: Security Testing with Dan Billing is that our security testing tools resources are somewhat outdated.

What would you add to (or even remove from) this list?


(Joerg) #2

Hi Heather,

I would add Kali Linux because it combines many security testing tools and is easily available under different OSes.

Jogi


(Vishal Dutt) #3

There are many tools for security testing which top software testing companies are using these days:

  • Google Nogotofail: Google Nogotofail is used as a router, VPN server or proxy server for network traffic security testing. It is used for checking TLS/SSL vulnerabilities and micro configurations.
  • Flawfinder: It is used to report security flaws for C/C++ source code.
  • Wapiti: Wapiti is a black-box scanner which is used to inject payloads to check if a script is vulnerable or not. Wapiti supports both GET as well as POST HTTP attack methods. Wapiti is used for vulnerabilities like file inclusion, Cross-Site Scripting (XSS), etc.
  • IronWASP: It is built on the Python and Ruby languages and is a GUI-based scanning tool for checking 25 kinds of web vulnerabilities. It is helpful in finding false positives as well as false negatives.
  • Knock Subdomain Scan: Knockpy is a Python tool designed to scan Transfer Zone discovery, wildcard testing with internal or external wordlist, etc. This tool is essential for black box penetration testing.
  • ZED Attack Proxy (ZAP): It is used to intercept a proxy to test web pages manually. Main features of ZAP are AJAX spider, Fuzzer, WebSocket support, etc. ZAP is compatible with all three major operating systems (Windows, Linux/Unix and Macintosh).
  • Ettercap: Ettercap is an open source network security tool which is used for MITM attacks. Ettercap is used to analyze computer network protocols.
  • Kiuwan Security: It is a SaaS static program which is used to analyze multi-technology platforms for software analytics, covering security, code analysis, life cycle, etc.
  • Paros: It is used for checking web application based vulnerabilities, and uses a Java-based HTTP/HTTPS proxy between server and client, including cookies and form fields.
  • Brakeman: Brakeman is for Ruby on Rails applications which is used to check open source vulnerabilities to find security issues at any point of development.

Hope this information is useful for you.