More Free Security Tools

[article]

Additionally, if you're doing any kind of .NET development (Web-based or Windows-based), you should also use FxCop, which is another static analysis tool for .NET applications. It's not strictly focused on security issues, but it does include some useful security checks, mostly around aspects of the .NET code access security model.

In September of last year, I wrote a column for StickyMinds titled, "Warm and Fuzzy," in which I discussed the benefits of performing fuzz testing against your applications. Fuzzing can often reveal subtle security vulnerabilities in your code; there are several excellent fuzzers and fuzzing frameworks that are freely available, including:

- Peach: a smart (i.e., format-aware) fuzzing platform developed by Michael Eddington of Leviathan Security Group
- SPIKE and SPIKE Proxy: a general-purpose fuzzer and a Web application fuzzer, respectively, both developed by Immunity
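To make the "subtle vulnerabilities" point concrete, here is an added example (not code from the column, Peach, or SPIKE): a minimal mutation-based fuzzer run against a constructed, deliberately sloppy record parser, and then against a bounds-checked version of the same parser. The format, the parsers, the seed input and the bug are all assumptions made for illustration; the point is that the fuzzer distinguishes the parser's own validation errors (expected) from unexpected exceptions (the crash-equivalent a real fuzzer would report), and that the hardened parser produces none.

```python
"""Added example, not part of the original article: a toy mutation fuzzer
that surfaces an unchecked read in a constructed parser. Everything here
(format, parsers, seed) is assumed for illustration."""
import random
import struct

# Constructed seed input in the toy format: 2-byte big-endian record count,
# then records of (1-byte length, payload). Here: two records, "abc" and "hi".
SEED = b"\x00\x02\x03abc\x02hi"


def parse_records(data: bytes) -> list:
    """Parser that trusts its input: a record count larger than the data
    actually holds walks off the end of the buffer (IndexError)."""
    count = struct.unpack(">H", data[:2])[0]
    pos, out = 2, []
    for _ in range(count):
        length = data[pos]                      # unchecked read
        payload = data[pos + 1:pos + 1 + length]
        if len(payload) != length:
            raise ValueError("truncated record")  # the one error it anticipates
        out.append(payload)
        pos += 1 + length
    return out


def parse_records_checked(data: bytes) -> list:
    """Same format, with every read bounds-checked before it happens."""
    if len(data) < 2:
        raise ValueError("missing header")
    count = struct.unpack(">H", data[:2])[0]
    pos, out = 2, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("record count exceeds data")
        length = data[pos]
        if pos + 1 + length > len(data):
            raise ValueError("truncated record")
        out.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return out


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random mutations: overwrite a byte, truncate,
    or insert a few random bytes."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        choice = rng.randrange(3)
        if choice == 0 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif choice == 1 and buf:
            del buf[rng.randrange(len(buf)):]
        else:
            i = rng.randrange(len(buf) + 1)
            buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to `target`. ValueError is the parser's own
    validation path and is ignored; any other exception is recorded as a
    finding, keyed by exception type, with the first input that caused it."""
    rng = random.Random(rng_seed)   # fixed seed so runs are reproducible
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            findings.setdefault(type(exc).__name__, case)
    return findings


if __name__ == "__main__":
    for name, parser in (("trusting", parse_records), ("checked", parse_records_checked)):
        result = fuzz(parser, SEED)
        print(f"{name}: {len(result)} finding type(s)")
        for exc_name, case in result.items():
            print(f"  {exc_name}: {case!r}")
```

The trusting parser reports an IndexError (and a struct.error for inputs shorter than the header) within a couple of thousand iterations because a single byte change to the count field sends it past the end of the buffer; the checked parser turns every such case into its own ValueError. Real fuzzers add coverage feedback, format grammars and crash triage on top of this loop, but the classification idea is the same.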

In addition to the tools I've listed here, you can find a complete list of the top one hundred network security tools as voted by Nmap users at sectools.org. The list is a bit dated at this point (2006), but includes both free and commercial tools. It's still a good resource.

I hope I've encouraged you to start using some new security testing tools even if you don't have the budget for commercial tools right now. I'd also like to encourage you to take advantage of the many Web sites that offer free security training as well. After all, if you're unfamiliar with the underlying principles of the vulnerabilities for which you're testing, it'll be much more difficult for you to effectively use even the most user-friendly security tool.

If I've missed your favorite free tool on this list, tell me about it. Post a note on the discussion board and we'll continue the conversation there. Alternatively, I'll have to start a new quarterly column on StickyMinds called, "The Frugal Pentester". 

About the author

Bryan Sullivan

Bryan Sullivan is a security program manager on the Security Development Lifecycle (SDL) team at Microsoft. He is a frequent speaker at industry events, including Black Hat, BlueHat, and RSA Conference. Bryan is also a published author on Web application security topics. His first book, Ajax Security was published by Addison-Wesley in 2007.
