Full text

Who doesn't love free software?

Infosec professionals are fortunate to have many good free tools for a range of tasks. The following list of two dozen tools include everything from password crackers to vulnerability management systems to networks analyzers. Whatever your security role is, you'll find something useful here.

[ Keep up with 8 hot cyber security trends (and 4 going cold). Give your career a boost with top security certifications: Who they're for, what they cost, and which you need. | Sign up for CSO newsletters. ]Maltego

Paterva develops this forensics and open-source intelligence app, designed to deliver a clear threat picture for the user's environment. It will demonstrate the complexity and severity of single points of failure as well as trust relationships that exist within the scope of one's infrastructure. It pulls in information posted all over the Internet, whether it's the current configuration of a router on the edge of the company network or the current whereabouts of your company's vice president. The commercial license does have a price tag, but the community edition is free with some restrictions.

OWASP Zed Attack Proxy (ZAP)

The Zed Attack Proxy (ZAP) is a user-friendly penetration testing tool that finds vulnerabilities in web apps. It provides automated scanners and a set of tools for those who wish to find vulnerabilities manually. It's designed to be used by practitioners with a wide range of security experience, and is ideal for functional testers who are new to pen testing, or for developers: There’s even an official ZAP plugin for the Jenkins continuous integration and delivery application.

Samurai Web Testing Framework

The Samurai Web Testing Framework is a virtual machine packed with some of the other items you'll see in this slideshow, and functions as a web pen-testing environment. You can download a ZIP file containing a VMware image with a host of free and open source tools to test and attack websites.

Tools include the Fierce domain scanner and Maltego. For mapping it uses WebScarab and ratproxy. Discovery tools include w3af and burp. For exploitation, the final stage, it includes AJAXShell, the browser exploitation framework BeEF and others. There’s a trade-off for all this convenience, though: The developers’ mailing list has been dormant for the last couple...