What are Security Testing Tools?
In the software world, security testing involves testing a software application to identify vulnerabilities and misconfiguration that could be exploited by an attacker. These could be as simple as a default admin password, or as complex as an injection vulnerability deep in the application code.
The objective of security testing is not only to discover vulnerabilities but also to provide clear, actionable information on how to remediate them and prevent future attacks. Ideally, security testing should happen early in the development lifecycle—this can prevent security issues from ever reaching a production environment, and also makes these issues simpler and less expensive to fix. This pattern is known as shifting security left.
There are many types of security testing—we’ll introduce powerful security tools from each of these categories:
- Web application security scanning
- Dynamic application security scanning (DAST)
- Static application security testing (SAST)
- API security testing
In this article, we cover the following security testing tools:
1. Bright Security
2. OWASP ZAP
3. Wapiti Scanner
4. Arachni
5. Vega Scanner
6. BeEF (Browser Exploitation Framework)
7. Wfuzz
8. Nogotofail
1. Bright Security
Deployment model: on-premise and cloud
Learn more: Bright Security DAST
Bright Security is a security testing platform that can scan web applications, APIs (REST/SOAP/GraphQL) to help enhance DevSecOps and achieve regulatory compliance. The platform provides real-time, actionable reports of vulnerabilities, with zero false positives. In addition, its ML-based DAST solution provides an automated solution to identify business logic vulnerabilities.
Bright Security empowers developers to incorporate DAST into their unit testing process so they can resolve security concerns as part of an agile development process. The Bright DAST platform integrates into the SDLC fully and seamlessly:
- Test results are provided to the CISO and the security team, providing complete visibility into vulnerabilities found and remediated
- Tickets are automatically opened for developers in their bug tracking system so they can be fixed quickly
Start testing with Bright Security today – get a free account
2. OWASP ZAP
Deployment model: on-premise
GitHub: https://github.com/zaproxy/zaproxy
OWASP ZAP (short for Zed Attack Proxy) is an open source web application security scanner. It was named a “flagship project” in the Open Web Application Security Project (OWASP). It is intended both for users who are new to application security and professional penetration testers.
ZAP can be used as a proxy server, allowing users to manipulate traffic flowing through the tool, including HTTPS traffic. It can also run in daemon mode, controlled via the REST API.
Key features include:
- GUI control panel
- Traditional and AJAX web crawlers
- Automatic active and passive scanning
- Forced browsing
- Fuzzing
- WebSocket scanning support
- Support for multiple scripting languages
- Support for Plug-n-Hack via its plugin-based architecture
- Online free marketplace where the community can add features
3. Wapiti Scanner
Deployment model: on-premise
GitHub: https://github.com/wapiti-scanner/wapiti
Wapiti is a command-line application that crawls web pages and searches for scripts or forms that enable user inputs and could be vulnerable to attack.
It is a black box vulnerability scanner that scans pages of a deployed web application from an attacker’s perspective, extracts links and forms, and attempts to access them in randomized ways using a fuzzer. It delivers malicious payloads and looks for error messages, special strings, or unusual behavior that can be exploited by attackers.
Key features include:
- Vulnerability reports in HTML, XML, JSON, TXT, and CSV formats
- Ability to pause and resume a scan or attack (based on sqlite3 sessions)
- Color coding in terminal outputs to highlight vulnerabilities
- Multiple levels of verbosity in reporting
- Easy enabling or disabling of attack modules
- Easily adding payloads by appending a line to a text file
- Configurable level of concurrency for HTTP requests
Learn more in our detailed guide to mobile security.
4. Arachni
Deployment model: on-premise
GitHub: https://github.com/Arachni/arachni
Arachni is a web application security scanning tool written in Ruby. It enables auditing and inspection of client-side code through an integrated browser environment, and supports complex web applications that make use of technologies like HTML5, JavaScript, AJAX, HTML5, and DOM manipulation.
While scanning, Arachni monitors and learns various factors about how your web application behaves, assesses the reliability of results, and intelligently identifies false results. Unlike other scanners, it takes into account the dynamic nature of a web application and can detect and adapt accordingly to changes in the path web application’s execution paths. This allows for detection of attack and input vectors that typically only humans can detect.
Arachni covers a wide variety of use cases, including:
- Simple command-line scanner utilities
- High-performance scanner grids
- Scripted auditing
- Multi-user multi-scan collaboration
5. Vega Scanner
Deployment model: on-premise
GitHub: https://github.com/subgraph/Vega
Vega is an open source security scanner and security testing platform for web applications, written in Java. It includes an automated scanner for quick testing, and an intercepting proxy for tactical inspection. It provides a GUI interface and runs on Linux, OS X/MacOS, and Windows. It can be extended using a JavaScript-based API.
Vega helps find and verify vulnerabilities such as:
- SQL injection
- Reflected and stored cross-site scripting (XSS)
- Unintentional disclosure of secrets
- Remote file inclusion (RFI)
- Shell injection
- Weaknesses in SSL/TLS security settings
6. BeEF (Browser Exploitation Framework)
Deployment model: on-premise
GitHub: https://github.com/beefproject/beef
BeEF stands for Browser Exploitation Framework. It is a penetration testing tool focused on web browsers. BeEF enables expert penetration testers to use client-side attack vectors to evaluate the security mechanisms of a protected environment.
Unlike other security frameworks, BeEF looks for potential exploits in the context of a common attack vector: the web browser. It connects to one or more web browsers and uses them to execute command modules and attempt attacks against the network perimeter and client systems.
Related content: Read our guide to websocket security.
7. Wfuzz
Deployment model: on-premise
GitHub: https://github.com/xmendez/wfuzz
Wfuzz makes it possible to evaluate web applications in a flexible way by injecting payloads (arbitrary inputs which can come from any data source) into any field of an HTTP request. This allows sophisticated attacks against various web application components such as URL parameters, authentication, forms, directories, files, and HTTP headers.
Key features include:
- Application vulnerability scanner and ability to exploit vulnerabilities in web applications.
- Modular plugin framework that makes it easy for Python developers to contribute new plugins.
- Simple language interface to previous HTTP requests or responses, whether performed by Wfuzz or other tools like Burp Suite. This enables both manual and semi-automated testing, with full control over every step of the testing process, and without reliance on the underlying web application scanner.
8. Nogotofail
Deployment model: on-premise
GitHub: https://github.com/google/nogotofail
Nogotofail is a tool that secures applications against known SSL/TLS vulnerabilities and misconfigurations. It can be used to test network security issues on any device that relays or processes network traffic.
Nogotofail runs on Android, iOS, Linux, Windows, Chrome OS, OS X/MacOS, and almost any device with Internet connectivity. It provides a client that lets you configure settings and receive notifications on both Android and Linux. The attack engine itself can be deployed as a router, VPN server or proxy.
Its primary use cases are:
- Finding bugs and vulnerabilities in networks
- Verifying fixes and identifying regressions in a network environment
- Mapping out network data flows and understanding which applications and devices are generating traffic
Conclusion
Security testing should be a critical part of any organization’s cybersecurity strategy. While in the past security testing was a one-time, annual, or quarterly activity, usually conducted as a formal penetration test, organizations are increasingly adding security testing into their day-to-day routine.
In a DevSecOps organization, security tests do not happen once per quarter – they happen many times a day. Ideally, every code change by a developer should undergo security testing, even before it is committed to a code repository. Every build created by a continuous integration (CI) server should undergo automated security testing as part of its initial sanity check.
Learn how Bright Security is helping make this vision possible
