Over the past quarter of a century, the open source movement has gone from strength to strength. But that success, and the openness inherent in the community, have led to a major challenge: security. The more software that is developed, the more vulnerabilities there are likely to be.
To make matters worse, the open source world prides itself on openness and transparency. Therefore, any security vulnerabilities are disclosed publicly. In this age of organized gangs of cybercriminals, that is like placing an ad asking for an attack.
This has given rise to a large number of open source security tools. They cover the management of security in open source components: examining dependencies, fixing bugs in code, and lowering risk.
However, the tools themselves vary considerably in scope, sophistication, and function. The editors of eSecurity Planet find the following 20 open source security tools to be particularly useful. Some are open source, some are commercial, but all are good security options for open source environments.
The Best Open Source Security Tools
WhiteSource detects all vulnerable open source components, including transitive dependencies, in more than 200 programming languages. It matches reported vulnerabilities to the open source libraries in code, reducing the number of alerts. With more than 270 million open source components and 13 billion files, its vulnerability database continuously monitors multiple resources and a wide range of security advisories and issue trackers. WhiteSource is also a CVE Numbering Authority, which allows it to responsibly disclose new security vulnerabilities found through its own research. It identifies and prioritizes the most critical open source security vulnerabilities so users can fix what matters most first.
Metasploit covers the scanning and testing of vulnerabilities. Backed by a huge open source database of known exploits, it also provides IT with an analysis of pen testing results so remediation steps can be done efficiently. However, it doesn’t scale up to enterprise level and some new users say it is difficult to use at first.
FlexNet Code Aware by Revenera can find security threats and intellectual property (IP) compliance issues in open source code. It scans Java, NuGet, and NPM packages. In addition, the company offers a full enterprise platform for open source security and license compliance, with support for all major software languages. It has more than 70 extensions, and a knowledge base with more than 14 million open source components.
Black Duck software composition analysis (SCA) by Synopsys helps teams manage the security, quality, and license compliance risks that come from the use of open source and third-party code in applications and containers. It integrates with build tools like Maven and Gradle to track declared and transitive open source dependencies in applications built in languages like Java and C#. It maps string, file, and directory information to the Black Duck KnowledgeBase to identify open source and third-party components in applications built using languages like C and C++. The SCA tool also identifies open source within compiled application libraries and executables (no source code or build system access required) and finds parts of open source code that have been copied within proprietary code, which can potentially expose you to license violations and conflicts.
Burp Suite Community Edition by PortSwigger is an open source manual version of a popular web vulnerability scanner used in a great many organizations. It can be used by skilled security professionals to find vulnerabilities rapidly.
OSSEC is open source and free. It can be tailored to security needs through its configuration options, adding custom alert rules and scripts to take action when alerts occur. It offers comprehensive host-based intrusion detection across multiple platforms, including Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac and VMware ESX. Additionally, it helps organizations meet specific compliance requirements such as PCI-DSS. It detects and alerts on unauthorized file system modification and malicious behavior that could lead to non-compliance.
Acunetix is primarily a web application security scanner, with additional network infrastructure scanning capabilities. It uses the popular open source vulnerability scanning project OpenVAS as its scanning engine. Its multi-threaded scanner can crawl across hundreds of thousands of pages rapidly and it also identifies common web server configuration issues. It is particularly good at scanning WordPress.
Sonatype offers one tool that scales open source security monitoring across the software supply chain. An evolving database of known vulnerabilities is available to help users detect threats and inconsistencies before suffering an attack. Features include: automatic detection and fixing of open source dependency vulnerabilities; integration of security vulnerability tools into git repositories already in use; and avoiding attacks through scaled secure development practices across dev and ops teams.
Fiddler by Telerik is a useful collection of manual tools to deal with web debugging, web session manipulation, and security/performance testing. However, it is probably most useful for those deploying the paid version on the .NET framework, as that comes with many automation features.
OWASP Zed Attack Proxy (ZAP) is said to be the most widely used web application scanner. It grew out of the OWASP Foundation that works to improve the security of software through its community-led open source software projects, worldwide chapters, membership base, and by hosting local and global conferences.
Nmap is a port scanner that also aids pen testing by flagging the best areas to target in an attack. That is useful for ethical hackers in determining network weaknesses. As it’s open source, it’s free. That makes it handy for those familiar with the open source world, but it may be a challenge for someone new to such applications. Although it runs on all major OSes, Linux users will find it more familiar.
Security Onion Solutions creates and maintains Security Onion, a free and open platform for threat hunting, network security monitoring, and log management. It includes best-of-breed free and open tools, including Suricata, Zeek, Wazuh, the Elastic Stack, and many others.
Wireshark is often used to show what is happening on the network and assess traffic for vulnerabilities in real time. By reviewing connection-level information as well as the constituents of data packets, it highlights their characteristics, origin, destination, and more. While it flags potential weaknesses, a pen testing tool is still required to exploit them.
Aircrack-ng is the go-to tool for analysis and cracking of wireless networks. All the various tools within it use a command line interface and are set up for scripting. It focuses on different areas of Wi-Fi security, including: packet capture and export of data to text files for further processing by third-party tools; replay attacks, de-authentication, fake access points, and others via packet injection; checking Wi-Fi cards and driver capabilities (capture and injection); and WEP and WPA PSK (WPA 1 and 2) cracking.
VeraCrypt is free, open source disk encryption software for Windows, Mac OS X and Linux. It was created by Idrix and is based on TrueCrypt 7.1a. It creates a virtual encrypted disk within a file and mounts it as a real disk. It can encrypt an entire partition or storage device such as a USB flash drive or hard drive, or any partition or drive where Windows is installed. Encryption is automatic and is done in real time.
John the Ripper is the most widely used tool for auditing password strength. It combines several approaches to password cracking into one package. It supports hundreds of hash and cipher types, including: user passwords of Unix flavors (Linux, *BSD, Solaris, AIX, QNX, etc.), macOS, Windows, “web apps” (e.g., WordPress), groupware (e.g., Notes/Domino), and database servers (SQL, LDAP, etc.); network traffic captures (Windows network authentication, WiFi WPA-PSK, etc.); encrypted private keys (SSH, GnuPG, cryptocurrency wallets, etc.), filesystems and disks (macOS .dmg files and “sparse bundles,” Windows BitLocker, etc.), archives (ZIP, RAR, 7z), and document files (PDF, Microsoft Office, etc.).
Nikto is a web server scanner that performs tests against web servers for multiple items, including over 6,400 potentially dangerous files/CGIs, checks for outdated versions of over 1,200 servers, and version-specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files and HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.
Snort is an open source Intrusion Prevention System (IPS). It uses rules to define malicious network activity and finds packets that match them, generating alerts for users. Snort can also be deployed inline to stop these packets. It is primarily used as a packet sniffer, a packet logger, or as a full-blown network intrusion prevention system.
OpenSSH is a connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, it provides a suite of secure tunneling capabilities, several authentication methods, and configuration options.
Tcpdump is a powerful command-line packet analyzer, developed by the same people as libpcap, a portable C/C++ library for network traffic capture. It prints out a description of the contents of packets on a network interface, preceded by a time stamp. It can save packet data to a file for later analysis, and read from a saved packet file rather than reading packets from a network interface. It can also read a list of saved packet files.