Times are tough, but people who want to break your software aren't relaxing and neither should you. In this column, Bryan Sullivan takes a look at some free security tools that can help you to protect your software without breaking the bank.
When I wrote my most recent StickyMinds column "Doing More With Less," I never expected the outpouring of response I would receive. While it's a little disheartening that so many of you feel the economic pinch these days, I am hugely encouraged by the fact that you're still interested in improving your security processes. The question that seems to be on everyone's mind is, “Where can I find all these free security tools you keep talking about?” Below you will find a list of some of my favorites. Please keep in mind that this list is somewhat skewed towards both the Web application space and Microsoft .NET framework-based applications, which is where I focus the majority of my attention.
My favorite free security tool-one that I use on an almost daily basis-has to be Fiddler. Fiddler is an HTTP/S debugging proxy. Basically, it lets you view and change (i.e., "fiddle with") the raw bytes going over the wire to and from Web servers. Fiddler is extremely extensible. You can write your own extensions for it to customize its behavior and the Fiddler Web site includes a "cookbook" of sample code to help you get started. I can't emphasize this point enough: hackers do not always use Web browsers to attack your applications! If the only testing tool you use is a browser, you're bringing a knife to a gun fight. It's critical to know exactly what information is being sent over the wire, especially when you're testing rich Internet applications like Ajax-or Silverlight#151;based applications.
Fiddler is indeed a powerful tool, but it has no security knowledge built in, so you have to know exactly what you're looking for. To address this, Casaba Security recently has released a free plugin for Fiddler called Watcher. Watcher will passively analyze all of the Web traffic passing through Fiddler and check for potential security vulnerabilities. For example, if Watcher sees HTTP cookies missing HttpOnly attributes, it will flag that as a security warning. Two more of my favorite free tools are CAT.NET and PREfast. CAT.NET is a static analysis tool designed to work with ASP.NET applications, and PREfast is a source analysis tool that works on native C/C++ code.
PREfast focuses on native code issues, including:
· Buffer overflows
· Memory leaks
· Infinite loops
· Type mismatches
· Operator precedence issues
· Many other errors
Similarly, CAT.NET will detect many of the most common Web application vulnerabilities:
· Cross-site scripting
· SQL injection
· XPath and LDAP injection
· Open redirects
· Process command execution
· File canonicalization issues
· Overly descriptive error messages
Additionally, if you're doing any kind of .NET development#151;Web-based or Windows-based#151, you should also use FxCop, which is another static analysis tool for .NET applications. It's not strictly focused on security issues, but it does include some useful security checks, mostly around aspects of the .NET code access security model.
In September of last year, I wrote a column for StickyMinds titled, "Warm and Fuzzy," in which I discussed the benefits of performing fuzz testing against your applications. Fuzzing can often reveal subtle security vulnerabilities in your code; there are several excellent fuzzers and fuzzing frameworks that are freely available, including:
· Peach-a smart (i.e., format-aware) fuzzing platform developed by Michael Eddington of Leviathan Security Group
· SPIKE and SPIKE Proxy-a general-purpose fuzzer and a Web application fuzzer, respectively, both developed by Immunity
In addition to the tools I've listed here, you can find a complete list of the top one hundred network security tools as voted by Nmap users at sectools.org. The list is a bit dated at this point (2006), but includes both free and commercial tools. It's still a good resource.
I hope I've encouraged you to start using some new security testing tools even if you don't have the budget for commercial tools right now. I'd also like to encourage you to take advantage of the many Web sites that offer free security training as well. After all, if you're unfamiliar with the underlying principles of the vulnerabilities for which you're testing, it'll be much more difficult for you to effectively use even the most user-friendly security tool.
If I've missed your favorite free tool on this list, tell me about it. Post a note on the discussion board and we'll continue the conversation there. Alternatively, I'll have to start a new quarterly column on StickyMinds called, "The Frugal Pentester".