Thursday, July 03, 2008

Free & open source security testing tools

HP recently released its free Scrawlr tool, a dumbed-down version of the former SPI Dynamics tools that can find some forms of SQL injection. Google released the source code for their RatProxy tool that can "pick up cross-site scripting flaws and incomplete cross-site defence mechanisms, as well as potential data leak sources and risky code that retrieves data from outside domains".

Making tools freely available is a Good Thing(TM). But the real question is - will companies and individuals actually use them to find vulnerabilities in their sites, and even more critically, will they fix the problems identified? Like almost any security tool, Scrawlr and RatProxy are dual-use technologies - they can be used by defenders to find problems (and verify that the fixes work), but they can also be used by adversaries to figure out the most promising avenues for attack.

No one should rely on these tools as the sole measure of a web site's security, but ignore them at your own peril.

Put another way: any web site owner who has dynamic content and is NOT using these free tools (or something better) AND fixing the problems they identify is taking a big risk - if you don't use them yourself, the bad guys will!
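To make concrete what "fixing the problems they identify" looks like for the two flaw classes these tools report, here is an added example (mine, not code from the original post, from HP, or from Google's RatProxy). It shows the SQL injection defect a scanner like Scrawlr looks for beside its parameterised fix, and the unescaped-output defect a proxy like RatProxy flags beside its HTML-encoded fix. All function names, the in-memory SQLite table and the sample inputs are constructed for the demonstration and are not from the original page.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_email_vulnerable(conn, name):
    """The defect a scanner like Scrawlr looks for: user input pasted into SQL text.

    A single quote in `name` ends the string literal, so the input becomes part
    of the query's structure instead of its data.
    """
    query = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn, name):
    """The fix: a parameterised query. The driver passes `name` as data, never as SQL."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def render_greeting_vulnerable(name):
    """The defect a tool like RatProxy flags: untrusted text placed in HTML unescaped."""
    return "<p>Hello, %s!</p>" % name


def render_greeting_safe(name):
    """The fix: encode for the HTML context before output."""
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)


def demo():
    """Run both the vulnerable and the fixed versions on constructed inputs."""
    conn = make_db()
    # Constructed inputs: the textbook tautology and a script tag, i.e. what a
    # scanner submits to tell the vulnerable version from the fixed one.
    sql_probe = "' OR '1'='1"
    html_probe = "<script>alert(1)</script>"
    return {
        # Vulnerable: the quote closes the literal and the OR matches every row.
        "vulnerable_sql": lookup_email_vulnerable(conn, sql_probe),
        # Fixed: the whole string is compared as a name, so nothing matches.
        "safe_sql": lookup_email_safe(conn, sql_probe),
        "vulnerable_html": render_greeting_vulnerable(html_probe),
        "safe_html": render_greeting_safe(html_probe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Note that the parameterised lookup also handles legitimate names containing a quote (such as "O'Brien") that would make the string-formatted query fail, so the fix is a correctness improvement as well as a security one; a tool's report is only useful once this kind of change is actually deployed and re-tested.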


