There is a wide variety of security tools that help pentesters, developers, and analysts when it comes to services and applications, whether they need to find weaknesses, better understand in-depth behaviour, or simply monitor usage. At their core, security tools are simply the means by which a user can act in accordance with their intention, whether that’s attacking or defending. As you might expect, the boundary between these two territories is often rather blurry.
Tools on the offensive and defensive sides
Nowadays, most offensive tooling comes bundled with operating systems such as Kali Linux or Parrot OS. Fortunately, blue teams are also armed with the right options to defend against threats. But to use these tools properly, one needs not only the right mindset but field expertise as well.
What are some examples of security tools?
Without getting lost in the massive number of options available today, we’ve provided some categories below that may help you learn more about these tools. As contemporary tools offer several different services, the categories may overlap.
Tools for static code analysis
Static Application Security Testing (SAST) is designed for white-box source code analysis and can range from a package-based approach (e.g. bandit) designed for a specific language to more complex scanners such as Contrast Security’s SAST tool. Software Composition Analysers (e.g. Snyk), by contrast, are designed to catch known vulnerabilities in third-party components. However, when it comes to understanding the internal logic of compiled native binaries, we need proper tools like IDA Pro, Binary Ninja, or radare2. These help reveal all the code paths that an application may take without executing the application itself.
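To illustrate the language-specific, package-based kind of static check described above, here is an added example (not code from bandit or any other tool named here) that parses Python source into a syntax tree and flags a few risky call patterns without ever running the code. The rule names and the sample source are constructed for the illustration.

```python
import ast

# Constructed sample source to scan; it is parsed, never executed.
SAMPLE = '''
import subprocess, pickle

def run(cmd, blob, expr):
    subprocess.call(cmd, shell=True)
    data = pickle.loads(blob)
    return eval(expr)

def safe(cmd):
    subprocess.call(["ls", cmd])
    return eval("1 + 1")
'''

def dotted_name(node):
    """Return 'a.b.c' for Name/Attribute chains, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan(source):
    """Return sorted (line, rule) findings; rule names are hypothetical."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        first = node.args[0] if node.args else None
        # eval/exec on anything other than a literal constant
        if name in ("eval", "exec") and first and not isinstance(first, ast.Constant):
            findings.append((node.lineno, "dynamic-" + name))
        elif name in ("pickle.loads", "pickle.load"):
            findings.append((node.lineno, "pickle-deserialisation"))
        # subprocess.* called with the literal keyword shell=True
        elif name and name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and getattr(kw.value, "value", None) is True:
                    findings.append((node.lineno, "subprocess-shell-true"))
    return sorted(findings)

if __name__ == "__main__":
    for line, rule in scan(SAMPLE):
        print(f"line {line}: {rule}")
```

The calls in `safe()` are not reported, because the list-form `subprocess.call` has no `shell=True` and the `eval` argument is a literal.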
Tools for dynamic application analysis
Dynamic Application Security Testing (DAST) checks the runtime behaviour of applications without accessing their source code. Veracode is an example of a vendor which offers such solutions. Modern approaches include Runtime Application Self-Protection (RASP), which provides runtime protection to keep applications from being exploited (e.g. Contrast Security’s RASP solution). Fuzzers such as AFL help manipulate the inputs of executables to trigger potential security bugs. Others, such as the Unicorn CPU emulator, allow binaries to be emulated across platforms.
Tools for the web
To protect your code against the most critical web vulnerabilities, you first need to use proper frameworks such as Angular, Django, or Laravel that help eliminate the most obvious security issues. Other tools, such as Bleach or CSP Evaluator, can add an extra layer of security against XSS as long as they are bug-free. However, it’s still best to be prepared against all the vectors collected in the OWASP Top 10.
Tools related to networks
The main objective of these tools is to intercept or record network traffic and allow analysts to monitor, analyse, or modify requests on the fly. This category includes Wireshark to capture packets, Burp Suite to scan for web vulnerabilities, nmap to discover networks, and SIEMs (Security Information and Event Management) such as OSSIM to collect network traffic from different sources to detect malicious activity.
Copyright © 2022 Avatao