Friday, 1 February 2008

Best auditing and security tools of 2007

At the end of 2007 the "Security Database" portal published an analysis of which tools, in its opinion, were the best ones used for auditing and security.

Scoring criteria used:
- Audience target: IT auditors, pentesters, IT technical staff, IT management staff
- Software features: built-in features, capabilities and options.
- Updates and maintenance: frequency of updates (database, signatures, plugins and add-ons), maintenance (bug fixes, bug reporters, support...), future releases and roadmap.
- Use of standards and metrics: use of security metrics and standards (CVE, CVSS, XCCDF, OVAL, CPE, SANS Top 20, OWASP...)
- Reporting: dashboards, charting and graphing, types of report export (HTML, XML, PDF...)
- Security-Database track popularity: average of visits and downloads, based on their internal stats during the year 2007.

Penetration Tests
Open source and free software:

Category | Best | Recommended/Excellent
Information Gathering | Maltego GUI and Web based | ex aequo: SEAT (Search Engine Assessment Tool) & RevHosts
Protocol mappers | NMap | THC-Amap
Vulnerability scanners | Tenable Nessus | Saint Scanner Basic release
Application scanners | W3AF: Web Application Attack Audit Framework | ex aequo: Paros Proxy & Nikto
Exploiters | Metasploit 3.x | ex aequo: Inguma & Milw0rm WebSite
Wireless hacking | ex aequo: AirCrack-NG & AirCrack PTW | AiroScript
LiveCDs | BackTrack 2.x and 3.x | ex aequo: NST (Network Security Toolkit) & OSWA (Organizational Systems Wireless Auditor)


Methodologies:

Document | Best | Recommended/Excellent
Network and System testing | OSSTMM | NIST SP 800-115
Application testing | OWASP Guides | WebAppSec papers
Testing Framework | PTF Penetration tests Framework | N/A
Testing Framework | WTF Wireless Testing Framework | N/A



Security Assessment

Open source and free software:

Category | Best | Recommended/Excellent
Windows auditing | OVAL Interpreter | ex aequo: Belarc Advisor & WinAudit & SysInternals
Unix auditing | ex aequo: CIS Scoring Tools & Tiger Security Tool | ex aequo: Babel Enterprise & OVAL Unix interpreters (Sussen, Debian, Fedora, OpenSuse)
Filtering devices | Nipper | NCat
Password Cracking | Cain and Abel | OphCrack Suite
Code auditing | FindBugs | Pixy
Wireless testing | OSWA | Russix
Database auditing | THC-Oracle | SQL Power Injector
Application auditing | OWASP LabRat | OWASP Cal9000
VoIP auditing | SiVus | Cain and Abel


Methodology:

Document | Best | Recommended/Excellent
Publications | NIST CSRC documents |
Security Checklists | DISA STIGs | ex aequo: CIS Checklists & AuditNet Resources



Commercial software - best of:

Category | Best | Recommended/Excellent
Penetration Tests | Core Impact | Saint Suite (Saint scanner and SaintExploit)
Application tests | Acunetix Web Vulnerability Scanner | WebInspect
Compliance Scanners | LANguard NSS | Tenable Security Center



Links and references:
Open source and free software:
Maltego - www.paterva.com/
SEAT - http://midnightresearch.com/
RevHosts - www.revhosts.org/
NMap - www.nmap.org/
Nessus & Tenable products - www.tenablesecurity.com/
Saint Scanner and SaintExploit - www.saintcorporation.com/
W3AF - http://w3af.sourceforge.net/
Nikto - www.cirt.net/code/nikto.shtml
Paros Proxy - www.parosproxy.org/index.shtml
Metasploit - www.metasploit.com/
Inguma - http://seguridad-informacion.blogspot.com/2007/10/inguma-penetration-testing-toolkit.html
Milw0rm Resources - www.milw0rm.com/
AirCrack-NG - www.aircrack-ng.org/
AirCrack-PTW - CDC informatik darmstadt
AiroScript - http://airoscript.aircrack-ng.org/
BackTrack - www.remote-exploit.org/
NST - http://networksecuritytoolkit.org/
OSWA Assistant - securitystartshere.org
OVAL Interpreters - http://oval.mitre.org/
Belarc Advisor - http://www.belarc.com/
Sussen OVAL - dev.mmgsecurity.com/projects/sussen/
WinAudit - www.pxserver.com/WinAudit.htm
SysInternals - www.sysinternals.com/
CIS Scoring Tools and Checklists - www.cisecurity.org/
Tiger Security Suite - www.nongnu.org/tiger
Babel Enterprise - http://babel.sourceforge.net/
Nipper Network Infrastructure Parser - sourceforge.net/projects/nipper
NCat - http://ncat.sourceforge.net/
Cain And Abel - www.oxid.it/
OphCrack - http://ophcrack.sourceforge.net/
FindBugs - http://findbugs.sourceforge.net/
Pixy - PixyBox WebSite
Russix - www.russix.com/
THC Utilities - http://freeworld.thc.org/
SQL Power Injector - www.sqlpowerinjector.com/
SiVus - www.vopsecurity.org/

Commercial software:
Core Impact - www.coresecurity.com/
LanGuard NSS - www.gfi.com/
Acunetix WVS - www.acunetix.com/
WebInspect - www.spidynamics.com/

Methodologies and references:
OSSTMM - www.isecom.org/
OWASP Software and Methodology - www.owasp.org/
PTF Penetration tests Framework - www.vulnerabilityassessment.co.uk/
WTF Wireless Testing Framework - www.wirelessdefence.org/
WebAppSec documents - www.webappsec.org/
NIST Releases - csrc.nist.gov/publications/
DISA STIGs - iase.disa.mil/stigs
AuditNet Resources - www.auditnet.org/

Source: Survey realised with Security-Database Tools Watch Service Statistics.
Security-Database.com
