Top Free Security Testing Tools
DevSlop
You’re in all probability aware that trendy applications usually use APIs, microservices, and containerization to deliver quicker and higher products and services. This dynamical landscape means that the security of us got to boost up their game. DevSlop (“Sloppy DevOps”) is research into this space via many completely different modules consisting of pipelines, vulnerable apps, and therefore the DevSlop Show.
If you’re trying to start out learning a lot of concerning adding security to your DevOps pipeline, this is often a sensible resource to start out with.
Exercise during a Box
Exercise during a Box may be a free online tool from the National Cyber Security Centre in the UK. It helps organizations resolve however resilient they’re to cyber-attacks and observe their response during safe surroundings.
The service provides exercises primarily based round the main cyber threats that your organization will knock off its own time, during safe surroundings, as repeatedly as you want. It includes everything you would like for fixing, planning, delivery, and post-exercise activity, bushed one place.
Mobile Security Framework
Mobile Security Framework describes itself as an automatic, all-in-one mobile application (Android/iOS/Windows). It is often used for effective and quick security analysis of android, iOS, and Windows mobile applications and supports each binary (APK, IPA & APPX) and zipped source code. It also can perform dynamic application testing at runtime for Android apps and has internet API fuzzing capabilities supercharged by CapFuzz, an online API specific security scanner.
In the spirit of DevSecOps, MobSF is intended to create your CI/CD or DevSecOps pipeline integration seamless.
Needle
The needle is that the MWR’s iOS Security Testing Framework discharged at Black Hat USA in August 2016. it’s an open- supply, standard framework and its goal is to contour the complete method of conducting security assessments of iOS applications. It additionally acts as a central purpose for you to perform these security activities.
The needle was designed to be helpful not just for security professionals however additionally for developers trying to secure their code.
Some samples of testing Needle will assist you with are:
Data storage
Inter-process communication
Network communications
Static code analysis
Hooking
Binary protections.
A needle’s solely demanding to run effectively is that you just use a jailbroken device.
Frida
Frida may be a dynamic instrumentation toolkit for developers, reverse engineers, and security researchers. I initial detected regarding it from Jahmel Harris, a moral hacker, security testing professional and founder of Digital Interruption, who extremely suggested it.
Frida may be a framework or toolkit for instrumentation additionally referred to as application drawing.
On the Frida web site, it says to inject your scripts into a black box method. Hook any operate, spy, crypto API or trace personal application code.
No source code required. What is application hacking?
Application hacking means that you’ll be able to modification however associate degree application works at runtime by injecting your code into the method. This effectively means that we will have our own code run rather than the first code, or inside decision functions internal to an application, whenever we decide. This ability is often improbably useful once acting penetration tests. this method is often helpful for forcing errors into an application, like injecting sleep or reading specific knowledge from a file or network. To see an example, make certain to register for Secure lodge and look at Jahmel’s session on Hacker Tools for Developers and Testers a way to Add Security tests into the Pipeline that contains a
demo on a way to created and use Frida for this purpose.
Tamper
Tamper Chrome is an extension that permits you to change HTTP requests on the fly and aid in internet security testing. Tamper Chrome works across all operating systems (including Chrome OS).
Tamper Chrome additionally permits you to watch requests sent by your browser furthermore because of the responses.
You can conjointly modify requests as they’re going out and to a restricted extent modification the responses (headers, CSS, JavaScript or XMLHttpRequest responseText).
Powershell automation
Is PowerShell your go-to security scripting language?
If so, you ought to look at the Nishang framework.
It’s a group of scripts and payloads that permits usage of PowerShell for offensive security, penetration testing and red teaming.
Nishang is helpful throughout all phases of penetration testing.
Faraday
If you’ve done any form of development within the past, you recognize however useful a well-designed IDE is often to your productivity.
But what concerning security testing development?
Faraday calls itself an IPE (Integrated Penetration-Test Environment) that is basically in a different way of claiming a multiuser Penetration test IDE.
It was designed for distributing, indexing, and analyzing the info generated throughout a security audit.
Faraday was developed to permit you to require advantage of the obtainable tools within the community during a multi-user approach.
They designed it with attention on simplicity, thus users ought to notice no distinction between their terminal application and therefore the one enclosed in faraday. Developed with a specialized set of functionalities to assist users to improve their advancement.
InSpec
At a high level, InSpec is an auditing and software system testing framework.
It’s essentially an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy needs.
Pocsuite
Pocsuite is an open-source, remote vulnerability testing and proof-of-concept development framework.
It comes with a robust proof-of-concept engine and plenty of niche options for the final word penetration testers and security researchers.
Astra
Need for security tests some APIs?
Astra was created for automatic security testing of REST APIs.
Their GitHub page mentions that security engineers or developers will use Astra as an integral part of their method in order that they will find and patch vulnerabilities early throughout the event cycle. Astra will mechanically find and test login and logout (Authentication API), thus it is simple for anyone to integrate this into a CICD pipeline. Astra will take API assortment as an input, creating it able to tests APIs in standalone mode.
Example of the kinds of security tests you’ll be able to perform with Astra are:
SQL injection
Cross-site scripting
Information leak
Broken authentication and session management
CSRF (including Blind CSRF)
Rate limit
CORS misconfiguration (including CORS bypass techniques)
JWT attack
CRLF detection
Blind XXE injection
Pacu
Speaking of API security testing, are you troubled about your Cloud-based application AWS APIs obtaining hacked?
Pacu is an AWS exploitation framework, designed for testing the protection of Amazon internet services.
Taipan
Taipan is an automatic internet application vulnerability scanner that permits identifying internet vulnerabilities in an automatic fashion. This project is that the core engine of a broader project which has alternative elements, sort of an internet dashboard wherever you’ll be able to manage your vulnerability scans, transfer a PDF report and a scanner agent to run on a specific host.
