This page contains links to free security testing that I found to be useful when testing security.
- Nipper - The Network Infrastructure Parser
Nipper takes input from a network devices configuration file(s), processes it/them and generates a nice friendly report. Nipper supports a variety of different types of device from different manufacturers. With each new version of Nipper, this support is enhanced, expanded and more device types added. The current version of Nipper supports the following different types of device:
- Bay Networks Accelar
- CheckPoint VPN-1/Firewall-1
- Cisco Catalysts (IOS, CatOS and NMP)
- Cisco Content Services Switch (CSS)
- Cisco Routers (IOS)
- Cisco Security Applicances (PIX, ASA and FWSM)
- Juniper NetScreens
- Nokia IP Firewalls
- Notel Passports
- SonicWALL SonicOS Firewalls
Nipper can perform a security audit of a devices configuration. The security audit can include checks of the network filtering, password strength, routing protocols, software versions, management services and a host of other settings. A number of these checks are fully customisable, so that the audit can meet a specific requirement.
Each security issue that Nipper identifies is uniquely described in the report. The security report will describe what was found, why it is a security risk and what the alternatives are for mitigating the risk. The security report also provides a conclusion which gives an overview of the findings.
Nipper can include a report section detailing the configuration settings that were extracted from the report. These can include, depending on the configuration and device, network interfaces, remote management services, routing protocol, network filtering, logging and more.
- RATS - Rough Auditing Tool for Security
RATS - Rough Auditing Tool for Security - is an open source tool developed and maintained by Secure Software security engineers. RATS is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions.
RATS scanning tool provides a security analyst with a list of potential trouble spots on which to focus, along with describing the problem, and potentially suggest remedies. It also provides a relative assessment of the potential severity of each problem, to better help an auditor prioritize. This tool also performs some basic analysis to try to rule out conditions that are obviously not problems.
As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also find things that are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool.