BEST IT Security and Auditing Software 2007

Since we started IT security auditing and assessment work, we have tested and used tons of tools, utilities and software. A lot of them were discontinued, closed their code or were simply bought by vendors. But (hopefully) the best are still alive.

Now, at the end of 2007, I have become slightly melancholic and decided to release a survey of the most efficient IT security software for auditors, security administrators and pentesters.

However, I deeply believe that every little script or utility written by an individual developer or hacker is a gem. Just take a look at the SourceForge project repositories to be amazed. They will continue to serve us for years to come.

— Happy New Year.

Scoring criteria

This survey is based on specific criteria, so the classification reflects only our opinion at the time of writing this article.

Criteria | Comment
Audience Target | IT Auditors, pentesters, IT technical staff, IT Management staff
Software features | Built-in features, capabilities and options.
Updates and maintenance | Frequency of updates (database, signature, plugins and addons). Maintenance (bug fixes, bug reporters, support...). Future releases and roadmap.
Use of standards and metrics | Use of security metrics and standards (CVE, CVSS, XCCDF, OVAL, CPE, SANS TOP20, OWASP...)
Reporting | Dashboards, charting and graphing, types of report export (HTML, XML, PDF...)
Security-Database Track Popularity | Average of visits and downloads. Based on our internal stats during the year 2007.


Penetration Tests

Open source and Free Software

Category | Best | Recommended/Excellent
Information Gathering | Maltego (GUI and Web based) | ex aequo: SEAT (Search Engine Assessment Tool) & RevHosts
Protocol mappers | NMap | THC-Amap
Vulnerability scanners | Tenable Nessus | Saint Scanner Basic release
Application scanners | W3AF: Web Application Attack Audit Framework | ex aequo: Paros Proxy & Nikto
Exploiters | Metasploit 3.x | ex aequo: Inguma & Milw0rm WebSite
Wireless hacking | ex aequo: AirCrack-NG & AirCrack PTW | AiroScript
LiveCDs | BackTrack 2.x and 3.x | ex aequo: NST (Network Security Toolkit) & OSWA (Organizational Systems Wireless Auditor)


Document | Best | Recommended/Excellent
Network and System testing | OSSTMM | NIST SP 800-115
Application testing | OWASP Guides | WebAppSec papers
Testing Framework | PTF Penetration tests Framework | N/A
Testing Framework | WTF Wireless Testing Framework | N/A


Security Assessment

Open source and Free Software

Category | Best | Recommended/Excellent
Windows auditing | OVAL Interpreter | ex aequo: Belarc Advisor & WinAudit & SysInternals
Unix auditing | ex aequo: CIS Scoring Tools & Tiger Security Tool | ex aequo: Babel Enterprise & OVAL Unix interpreters (Sussen, Debian, Fedora, OpenSuse)
Filtering devices | Nipper | NCat
Password Cracking | Cain and Abel | OphCrack Suite
Code auditing | FindBugs | Pixy
Wireless testing | OSWA | Russix
Database auditing | THC-Oracle | SQL Power Injector
Application auditing | OWASP LabRat | OWASP Cal9000
VoIP auditing | SiVus | Cain and Abel


Document | Best | Recommended/Excellent
Publications | NIST CSRC documents | N/A
Security Checklists | DISA STIGs | ex aequo: CIS Checklists & AuditNet Resources


Commercial Software - Best Of

Category | Best | Recommended/Excellent
Penetration Tests | Core Impact | Saint Suite (Saint scanner and SaintExploit)
Application tests | Acunetix Web Vulnerability Scanner | WebInspect
Compliance Scanners | LANguard NSS | Tenable Security Center


Links and references

Open source and free software

Name | Link
Nessus & Tenable products
Saint Scanner and SaintExploit
Paros Proxy
Milw0rm Resources
AirCrack-PTW | CDC Informatik Darmstadt
OSWA Assistant
OVAL Interpreters
Belarc Advisor
Sussen OVAL
CIS Scoring Tools and Checklists
Tiger Security Suite
Babel Enterprise
Nipper Network Infrastructure Parser
Cain And Abel
Pixy | PixyBox WebSite
THC Utilities
SQL Power Injector


Commercial software

Name | Link
Core Impact
LANguard NSS

Methodologies and references

Name | Link
OWASP Software and Methodology
PTF Penetration tests Framework
WTF Wireless Testing Framework
WebAppSec documents
NIST Releases
AuditNet Resources

Survey compiled with Security-Database Tools Watch Service statistics.

Copyright © 2008