Tmin is a simple utility meant to make it easy to narrow down complex test cases produced through fuzzing. It is closely related to another tool of this type, delta, but meant specifically for unknown, underspecified, or hard to parse data formats (without the need to tokenize and re-serialize data), and for easy integration with external UI automation harnesses.
Give this fuzzer a go and let us know what you think! Included in the article is a sample "hello world" script to fuzz "hello world" code, if that makes any sense. Why not check out the article to see what I mean?
Most of todays tools for fingerprinting are focusing on server-side services. Well-known and widely-accepted implementations of such utilities are available for http web services, smtp mail server, ftp servers and even telnet daemons. Of course, many attack scenarios are focusing on server-side attacks.
This implementation of client-side fingerprinting utilizes PHP to identify browsers by http requests. See how this application fares against other fingerprinting utilities that analyze header lines and values.
Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
With features such as evasion techniques, a more sophisticated upload module, and automatic URL-encoding, why not take a look at Sqlninja and see if your DB is secure today?
The Web Security Gateway is a security-centric distribution of the Apache web server, bundled with additional security modules, and configured as a front-end (reverse) HTTP proxy. The goal is to mirror most of the features of commercial web application “firewalls”, with free and Open-Source software.
Leveraging features currently present in Apache, it is possible to create a front-end proxy to Apache which will provide an extra layer of security. This extra layer can integrate functionality such as traffic reporting, authentication, SSL, and even load balancing! Read the article for more info!
We are pleased to announce a new project called oCERT, the Open Source
Computer Emergency Response Team.
The oCERT project is a public effort providing security handling support to
Open Source projects affected by security incidents or vulnerabilities, just
like national CERTs offer services for their respective countries.
If you are a small project lacking security handling resources we can aid you
in tracking down the extent and nature of potential compromises and security
vulnerabilities and co-ordinate with all affected parties (like projects that
ship your code).
If you are a big project and/or Open Source vendor we can promptly communicate
with you reports and vulnerabilities that might affect your codebase and
infrastructure and help you out with your security requirements.
Just because a project is open source does not ensure that it is totally secure. Check out the oCERT project for an attempt to help make open source security even better!
Webshag is a multi-threaded, multi-platform web server audit tool. Written in Python, it gathers commonly useful functionalities for web server auditing like website crawling, URL scanning or file fuzzing.
Fuzzing is always a lot of fun - throw as much pasta against the wall and something is bound to stick (at least that's what my mom would say). This tool provides interesting capabilities such as "retrieving the list of domain names hosted on a target machine and file fuzzing using dynamically generated filenames". Why not check the article out, download the tool, and start throwing some pasta today?
Palamida, an open-source risk management company, believes in open source. But at the same time, its corporate code audits of more than 500 million lines of code has found time and again "specific open-source projects inside mission critical systems that had not been patched" with most recent updates.
Read on for an interesting account of what happens when you don't keep up with the times. A great point Palamida gets across is the fact that even though you are using a great open source tool does not substitute not keeping it up to date.
Source: Network World - Posted by Eckie Silapaswang
VMware plans to open its hypervisor to security vendors with a set of APIs that make it easier to protect virtual machines from threats including viruses, Trojans and keyloggers. Without these APIs, security vendors building antivirus and firewall tools for virtual servers are removed from the hypervisor by several layers and therefore cannot see everything that happens within the virtual environment, according to Yankee Group Analyst Phil Hochmuth.
So what do you do when critical vulnerabilities are found in your virtual machines? Open-source to the rescue - read on for an interesting account of VMsafe, a set of APIs which should allow for better security through more isolation of virtual machines. Do you see any real improvements in security with VMsafe?
The old adage, you get what you pay for, doesn’t have to apply. In fact, for a small business the high price tag of “threat management” software can often mean a company will just go without to its detriment. Here’s some high quality free and open source software to help, at a price any CFO will love.
This is a great article. What are the 5 best FOSS security applications for businesses?? The strength and weaknesses? Well he goes over the value of Snort, ClamAV, SpamAssassin, L7 Filter and Open VPN, and discusses the value issues for businesses.
What, exactly, is AppArmor? What does it seek to do? If you are looking for clarification, Crispin Cowan gives a nice overview. However:
This document is intended to specify the security goal that AppArmor is
intended to achieve, so that users can evaluate whether AppArmor will
meet their needs, and kernel developers can evaluate whether AppArmor is
living up to its claims. This document is *not* a general purpose
explanation of how AppArmor works, nor is it an explanation for why one
might want to use AppArmor rather than some other system.
