Times are tough, but people who want to break your software aren't relaxing and neither should you. In this column, Bryan Sullivan takes a look at some free security tools that can help you to protect your software without breaking the bank.
When I wrote my most recent StickyMinds column "Doing More With Less," I never expected the outpouring of response I would receive. While it's a little disheartening that so many of you feel the economic pinch these days, I am hugely encouraged by the fact that you're still interested in improving your security processes. The question that seems to be on everyone's mind is, “Where can I find all these free security tools you keep talking about?” Below you will find a list of some of my favorites. Please keep in mind that this list is somewhat skewed towards both the Web application space and Microsoft .NET framework-based applications, which is where I focus the majority of my attention.
My favorite free security tool, one that I use on an almost daily basis, has to be Fiddler. Fiddler is an HTTP/S debugging proxy. Basically, it lets you view and change (i.e., "fiddle with") the raw bytes going over the wire to and from Web servers. Fiddler is extremely extensible. You can write your own extensions for it to customize its behavior, and the Fiddler Web site includes a "cookbook" of sample code to help you get started. I can't emphasize this point enough: hackers do not always use Web browsers to attack your applications! If the only testing tool you use is a browser, you're bringing a knife to a gun fight. It's critical to know exactly what information is being sent over the wire, especially when you're testing rich Internet applications like Ajax- or Silverlight-based applications.
Fiddler is indeed a powerful tool, but it has no security knowledge built in, so you have to know exactly what you're looking for. To address this, Casaba Security recently released a free plugin for Fiddler called Watcher. Watcher passively analyzes all of the Web traffic passing through Fiddler and checks it for potential security vulnerabilities. For example, if Watcher sees an HTTP cookie set without the HttpOnly attribute, it flags that as a security warning.
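To make the two points above concrete (look at the raw bytes on the wire, and run a passive check over them rather than eyeballing them), here is a small added example in Python. It is not Fiddler's or Watcher's code; it simply parses raw HTTP responses of the kind a debugging proxy captures and flags every Set-Cookie header that lacks HttpOnly, and on HTTPS responses also Secure. The sample responses, URLs and cookie names are constructed for the example, and the severity rule (session-looking cookie names rank higher) is this example's own heuristic, not Watcher's.

```python
"""Passive Set-Cookie audit over raw HTTP responses (added example, not Watcher's code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Finding:
    url: str
    cookie: str
    missing: List[str]   # attributes the cookie should have had
    severity: str


def parse_response(raw: bytes) -> Tuple[str, Dict[str, List[str]], bytes]:
    """Split a raw HTTP/1.x response into (status line, headers, body).

    Headers are keyed by lower-cased name and kept multi-valued, because a
    single response may carry several Set-Cookie headers.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute name lower-cased: value}) for one Set-Cookie value.

    Flag attributes such as HttpOnly and Secure have no '=' and map to ''.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def looks_like_session(name: str) -> bool:
    """Heuristic of this example only: names hinting at session/auth material rank higher."""
    lowered = name.lower()
    return any(token in lowered for token in ("sess", "auth", "token"))


def audit_response(url: str, raw: bytes) -> List[Finding]:
    """Passive check: flag cookies missing HttpOnly, and Secure when served over HTTPS."""
    _, headers, _ = parse_response(raw)
    is_https = url.lower().startswith("https://")
    findings: List[Finding] = []
    for set_cookie in headers.get("set-cookie", []):
        name, attrs = parse_set_cookie(set_cookie)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if is_https and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            severity = "high" if looks_like_session(name) else "medium"
            findings.append(Finding(url, name, missing, severity))
    return findings


def audit_traffic(traffic: List[Tuple[str, bytes]]) -> List[Finding]:
    """Run the passive check over every (url, raw response) pair captured by a proxy."""
    results: List[Finding] = []
    for url, raw in traffic:
        results.extend(audit_response(url, raw))
    return results


# Constructed sample traffic: what a debugging proxy would have captured.
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    ("https://shop.example/login",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
     b"Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n\r\n<html>ok</html>"),
    ("https://shop.example/account",
     b"HTTP/1.1 200 OK\r\n"
     b"Set-Cookie: AuthToken=xyz; Path=/; Secure; HttpOnly\r\n"
     b"Set-Cookie: theme=dark; Path=/\r\n\r\n"),
    ("http://blog.example/",
     b"HTTP/1.1 200 OK\r\nSet-Cookie: visits=3; Path=/\r\n\r\n"),
]

if __name__ == "__main__":
    for f in audit_traffic(SAMPLE_TRAFFIC):
        print(f"[{f.severity}] {f.url}: cookie {f.cookie!r} missing {', '.join(f.missing)}")
```

Run as a script it lists three findings from the constructed traffic: the session cookie on the login response (no HttpOnly, no Secure, ranked high), the theme cookie (both missing, medium), and the plain-HTTP visits cookie (HttpOnly only, since Secure is not expected on a non-TLS response). The same shape of check, run inside a proxy's response hook, is what turns a byte viewer into a security tool.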