Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Do-It-Yourself Security Auditing Tools?

Posted by timothy on from the like-soapy-water-for-your-inner-tube dept.

An anonymous reader writes "I'm a 'prosumer' website builder, have a few sites that are mainly hobbies, but I would like to know that they're at least fairly robust. I'm thinking of the equivalent of a 'dental clinic' — where someone interested in the white hat security field might be willing to take on an audit for the experience and to build a resume. Or, tools such as websites that let you put in a password and see how long it takes to crack it. Or sites where you can put in a URL and it gets poked and prodded by a number of different cracker tools and a 'score' is given. Ideally with suggestions on how to improve. Does anything like that exist? I'm not talking FBI/CIA level security, but just common-sense basics. I've tried to use techniques that improve security, but I don't know how well they work. And I've realized that in the ever growing, fast changing field of computers I'm not going to ever get the knowledge I need to do this myself. I know there are software suites that allow you to sniff and test things on your own, but I'm afraid it's overwhelmingly foreign to me and I just feel like I can't reliably do this myself. Any ideas?"

4 of 116 comments (clear)

  1. Whats the point? by Splab · · Score: 4, Informative

    What's the point of "basic" security check?

    But a quick search for metasploit should get you going, perhaps add a Nessus scan and go watch some Def Con presentations on SQL injection and penetration testing http://www.youtube.com/user/ChRiStIaAn008 is a good place to start.

  2. Use standard software and keep it up to date by quinto2000 · · Score: 4, Insightful

    From the way you describe your goal, you are building mostly one-off websites. For small companies and the like? You'll be best off just using popular open source products like Drupal, WordPress, or ModX and keeping up to date with security updates. Many of these will automatically notify you of security updates and you can apply them right away. Don't try to host the websites on your own server either. Get a hosting product from a company that will keep the underlying OS, Apache, and PHP up to date and secure. This will reduce your exposure quite a bit. You still need to make sure to choose good passwords. Nessus or OpenVAS are also an option.

    --
    Ceci n'est pas un post
  3. Kali Linux by Jane+Q.+Public · · Score: 5, Informative

    This suite of tools used to go under the name of "BackTrack", most recently BackTrack 5. It has now been named Kali Linux.

    This is a full-blown Linux distro with all the security tools you are ever likely to need. Metasploit? It's there. Nessus? It's there. The actual list of tools is huge.

    Kali won't teach you everything about using the tools (though there are good instructions available online). But it does offer all you could want in one package.

  4. Re:Security auditing is mostly about documentation by jeffmeden · · Score: 4, Insightful

    Hate to tell you, but security auditing is mostly about documentation. Checking that the right documents are in place and have been updated, verifying office procedures, physical security, etc. Technical tests are mostly about checking for the status and presence of files or configurations, not about probing networks or white hat hacking. There is a vaild business opportunity in pen testing, which is just one component of auditing, and is not even needed for every type of audit.

    This. While it would seem logical to put a round of known vulnerabilities into a scanner (like a Virus Scanner works) in the real world this is extremely tricky. Vulnerabilities that come about from combinations of different packages and different configurations interacting are very hard to systematically detect, and even if you do detect them they are just one piece in the huge puzzle that is information security.

    Case in point, I often get audit reports from "creditable" security professionals that there are a set of vulnerabilities in XYZ product, specific to "somesoft operating system 9.0", when in fact the product in question uses no such operating system (or even one similar to it) so the "audit" was obviously just a set of false-positives from a scanner tool. Scanner tools are just that, a TOOL, they are not even close to a true security solution that would produce a meaningful audit; that can only come (at least in this day and age) from a combination of tools and a *lot* of expertise.