19 ene 2015

Mejores herramientas de Seguridad 2014

Como todos los años, Tools Watch ha publicado la lista de las mejores herramientas de seguridad de 2014, resultado de la elección realizada entre sus lectores.

Es bueno ver en la lista nuevas herramientas y sobre todo la elegida como la mejor, Unhide, producto del trabajo de Yago Jesus, uno de los editores del blog Security by Default.

El top 10 es:
  1. Unhide (new): herramienta forense para buscar procesos y puertos TCP/UDP utilizados por rootkits/LKMs a través de distintos métodos. Funciona en Unix/Linux y Windows.
  2. OWASP ZAP – Zed Attack Proxy Project (-1↓): popular proxy web y herramienta que permite encontrar vulnerabilidades en aplicaciones web.
  3. Lynis (+3↑): herramienta de auditoria para obtener información en sistemas basados en Unix. Realiza búsquedas localmente, en la red y en los paquetes instalados.
  4. BeEF – The Browser Exploitation Framework (-2↓): es un Browser Exploitation Framework para realizar penetration test focalizado en el navegador.
  5. OWASP Xenotix XSS Exploit Framework (0→): es un framework avanzado de Cross Site Scripting (XSS) que son ejecutados en el navegador y con una tasa nula de falsos positivos.
  6. PeStudio (-2↓): es la única herramienta para ejecutar análisis estático de archivos ejecutables en 32-bit y 64-bit. PEStudio es libre para uso no comercial.
  7. OWASP Offensive (Web) Testing Framework (new): OWTF fue pensada para automatiza el trabajo manual de los pentest y parsear los resultados focalizados en OWASP Testing Guide (v3 y v4).
  8. Brakeman (new): es un scanner para realizar análisis de código de aplicaciones Ruby on Rails (White-Box).
  9. WPScan (0→): scanner de vulnerabilidades para WordPress.
  10. Nmap (new): es EL scanner para auditoria y análisis de red.
Otras herramientas votadas han sido:
  • Arachni: Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.
  • ArchAssault: The ArchAssault Project is an Arch Linux derivative for penetration testers, security professionals and all-around Linux enthusiasts.
  • Bellator: Security Audit Program for Microsoft Windows System.
  • Burp Suite Professional: Integrated platform for performing security testing of web applications.
  • FBHT: Facebook Hacking Tool is an open-source tool written in Python that exploits multiple vulnerabilities on the Facebook platform.
  • GoLismero: Free software framework for security testing. It’s currently geared towards web security, but it can easily be expanded to other kinds of scans
  • Iron OWASP: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it.
  • Kautilya: Toolkit which provides various payloads for a Human Interface Device which may help in breaking in a computer during penetration tests.
  • Metasploit: It is the de-facto standard for penetration testing with more than one million unique downloads per year and the world’s largest, public database of quality assured exploits.
  • OWASP O-Saft: Tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.
  • Pipal: Tool to generate statistics from a password file, stats go from number of 6 character passwords to hashcat masks.
  • ThreadFix: Software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems. [http://www.denimgroup.com/resources-threadfix]
  • Veil Framework: Tool to generate payload executables that bypass common antivirus solutions.
  • Volatility: The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
  • w3af: Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
  • YASAT (Yet Another Stupid Audit Tool): is a simple stupid audit tool. Its goal is to be as simple as possible with minimum binary dependencies (only sed, grep and cut). Second goal is to document each test with maximum information and links to official documentation.
Fuente: ToolsWatch

Suscríbete a nuestro Boletín

0 Comments:

Publicar un comentario

Gracias por dejar un comentario en Segu-Info.

Gracias por comentar!