Any system, no matter how secure, is subject to some form of vulnerability. Unless a systematic attack is mounted on the network from outside the firewall, you will never know how far an attacker could get into your organization's data. Penetration testing (or pen testing) is an authorized attempt to break into computer systems or networks, often conducted by external ethical hackers or by a security firm hired to perform the audit. When a system is successfully compromised, each vulnerability found is rated into one of three threat-level buckets (low, medium or high), remedies for the flaws are worked out, and the vulnerabilities are fixed.
Usually, organizations go to a vendor they have already worked with and, of course, end up using whatever pen testing tool that vendor is proficient with. In most cases it is better to do the reverse: first determine which tool is ideal for your particular situation, given the plethora of offerings in this space, and then approach a vendor with that tool in mind.
How does one determine which tool is right for the organization? The first thing to do is create a list of requirements against which you will evaluate each tool. Without such a list you may waste many hours downloading and evaluating tools that meet some, but not all, of your needs. The tool should be compatible with the framework and databases you are working with, it should fit into your code management tool, and it should keep false positives to a minimum, since every false positive costs developer time to disprove.
The following tips may help you choose what is right for you:
2. Results: Developers should be able to understand the scan results and locate each reported flaw in the application easily, without needing a security specialist to interpret the report
3. Compatibility: As mentioned before, the tool should integrate with your framework and the databases you are using
4. Development environment: The tool you choose should be able to work with the code management tool as well as the development environment
5. Waterfall and Agile: In a waterfall project there is no time to sift through false positives, so the tool must keep them low; in an Agile environment the security tooling should blend into the existing sprint workflow rather than sit outside it
6. Budget: Source code analysis is recommended when working with a tight budget. It is also better to combine static and dynamic analysis (SAST/DAST) tools with the pen testing tool, since each class of tool finds flaws the others miss
7. Support: Perhaps the most important item on this list; a good support team is essential for the proper implementation of a pen test, and technical documentation and online information are equally critical
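The triage step described above (rating each finding low, medium or high, weeding out false positives, and handing developers something they can locate in the code) is easy to script once a scanner emits machine-readable output. The following is an added example, not code from the original article or from any of the tools it lists. It assumes a report shaped like OWASP ZAP's JSON report (site → alerts → instances, with riskcode 0-3 and confidence 0-4); the sample report embedded below is constructed for the example, and its alerts, URLs and plugin ids are made up.

```python
"""Triage a web-scanner report into low/medium/high buckets, set aside
low-confidence hits for manual review, and group the rest by URL path."""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample input (assumption: field names follow OWASP ZAP's JSON
# report; the findings themselves are invented for this example).
SAMPLE_REPORT = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
             "confidence": "2", "instances": [
                 {"uri": "https://app.example.test/search?q=1", "method": "GET", "param": "q"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "confidence": "1", "instances": [
                 {"uri": "https://app.example.test/search?q=1", "method": "GET", "param": "q"}]},
            {"pluginid": "10202", "alert": "Absence of Anti-CSRF Tokens", "riskcode": "2",
             "confidence": "2", "instances": [
                 {"uri": "https://app.example.test/login", "method": "POST", "param": "password"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "confidence": "2", "instances": [
                 {"uri": "https://app.example.test/", "method": "GET"},
                 {"uri": "https://app.example.test/?lang=en", "method": "GET"},
                 {"uri": "https://app.example.test/login", "method": "GET"}]},
            {"pluginid": "10096", "alert": "Timestamp Disclosure", "riskcode": "0",
             "confidence": "1", "instances": [
                 {"uri": "https://app.example.test/static/app.js", "method": "GET"}]},
        ],
    }],
})

RISK_NAMES = {0: "informational", 1: "low", 2: "medium", 3: "high"}


def load_findings(report_json):
    """Flatten the report into one finding per (alert, instance), deduplicated
    on plugin id, HTTP method, URL path and parameter, so the same flaw reached
    through different query strings is reported only once."""
    seen, findings = set(), []
    for site in json.loads(report_json)["site"]:
        for alert in site["alerts"]:
            for inst in alert.get("instances", []):
                path = urlparse(inst["uri"]).path or "/"
                param = inst.get("param", "")
                key = (alert["pluginid"], inst.get("method", ""), path, param)
                if key in seen:
                    continue
                seen.add(key)
                findings.append({
                    "pluginid": alert["pluginid"], "alert": alert["alert"],
                    "risk": int(alert["riskcode"]),
                    "confidence": int(alert["confidence"]),
                    "method": inst.get("method", ""), "path": path, "param": param,
                })
    return findings


def triage(findings, min_confidence=2):
    """Bucket findings as high/medium/low. Informational items are kept apart
    (they are not flaws), and anything the scanner itself is not confident
    about goes to needs_review instead of straight into a developer's queue."""
    buckets = {"high": [], "medium": [], "low": [], "informational": [], "needs_review": []}
    for f in findings:
        if f["risk"] == 0:
            buckets["informational"].append(f)
        elif f["confidence"] < min_confidence:
            buckets["needs_review"].append(f)
        else:
            buckets[RISK_NAMES[f["risk"]]].append(f)
    return buckets


def summarize_for_developers(buckets):
    """Group confirmed findings by URL path, highest risk first, so a developer
    can map each one onto a route handler."""
    by_path = defaultdict(list)
    for name in ("high", "medium", "low"):
        for f in buckets[name]:
            label = f"{name.upper()}: {f['alert']}"
            if f["param"]:
                label += f" [param {f['param']}]"
            by_path[f["path"]].append((-f["risk"], label))
    return {path: [label for _, label in sorted(items)] for path, items in by_path.items()}


if __name__ == "__main__":
    result = triage(load_findings(SAMPLE_REPORT))
    for path, labels in summarize_for_developers(result).items():
        print(path, *labels, sep="\n    ")
    print("needs manual review:", [f["alert"] for f in result["needs_review"]])
```

Note that the reflected XSS hit is real according to the scanner but reported at low confidence, so it lands in `needs_review` for a tester to confirm by hand rather than being filed against a developer; lowering `min_confidence` to 1 promotes it to the high bucket, which is the trade-off between missed findings and false positives that the waterfall/Agile tip above is about.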
Having said that, let us take a look at some of the tools that are available in the market:
1. Arachni: A feature-full, high-performance Ruby framework, that trains itself from the HTTP responses it receives during the audit process.
2. OWASP Zed Attack Proxy Project (ZAP): An integrated penetration testing tool that is designed to be used by people with a wide range of security experience
3. w3af: A framework for finding and exploiting web application vulnerabilities
4. Vega: Helps you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities.
5. Acunetix: Automatically checks your web applications for SQL Injection, XSS & other web vulnerabilities.
6. Skipfish: Prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes.
7. Websecurify: Uses advanced browser automation, discovery and fuzzing technologies.
8. Burp: Progresses from initial mapping and analysis of an application’s attack surface, to finding and exploiting security vulnerabilities.
9. Netsparker: Tries several techniques to confirm each identified issue. If it cannot confirm an issue and manual inspection is required, it reports it as a potential issue rather than a confirmed one.
10. WebSurgery: Uses an efficient, fast and stable Web Crawler, File/DirBruteforcer and Fuzzer for advanced exploitation of known and unusual vulnerabilities such as SQL Injections, Cross site scripting (XSS), brute-force for login forms, identification of firewall-filtered rules etc.
Having chosen a tool that works for you, and a vendor that complies with your business processes, understands the tool you recommend and is willing to extend support, you may still need to provide a Windows virtual machine with some tools for the engagement. (Most pen testers use either a Mac or a Linux-based platform for their own activities.)
To get you on the road, some of the tools that work well on a Windows virtual machine include Netcat, Metasploit, Cain & Abel, GrabItAll, Winfo and others.
As long as you are prepared with the right security tools and follow the right business processes (non-disclosure agreement, project plan, service level agreement and so on) with your vendor, the engagement should strengthen your network's security rather than disrupt it. For the organization, that means business as usual.
Manoj Rai has around 14 years of IT experience in enterprise application, mobile and infrastructure security. He has rich and diverse global experience in leading large engagements and in building deep technology expertise in the security testing domain.
Manoj holds a Bachelor of Engineering in Computer Science, an MBA in Systems, and completed the Executive Delivery Program at IIM-Bangalore. He is a regular speaker on technical subjects such as ethical hacking, mobile security, secure SDLC and cloud security at CISO platforms, OWASP, BLUG, NULL and similar forums. He blogs regularly and has published white papers on threat management and best practices in various professional groups.