Penetration testing tools
maharaliel
Member Posts: 119
in CISM
Hello all,
I am an IT auditor and I would like to select the best tools to be used for penetration testing on web applications and networks. Many websites recommend Metasploit, Wireshark, and w3af, but I am afraid of using these open source tools in our production environment. I would like to ask whether using this open source software in security testing is secure, or whether it doesn't carry any other security risk to the business environment. Anyone who has ever used them can advise me.
Comments
-
TechGuru80
Member Posts: 1,539
It doesn’t sound like YOU should be using them on a production network.
Many of the tools if not used with caution, sometimes even with caution, can cause systems to crash or have issues. Make sure somebody that knows what they are doing is the only person using the tools...with written permission.
As far as the tools, those are some...also Burp, ZAP...there are tons of tools out there depending on what is being tested.
-
soccarplayer29
Member Posts: 230
100% agree and second what TechGuru said.
I'm less concerned with the open source tools than I am with operating the penetration testing tools correctly...tread lightly
Certs: CISSP, CISA, PMP
-
TeKniques
Member Posts: 1,262
I agree with the others. You should hire a qualified consultant to assist with the audit(s) to perform penetration testing that's within the scope. Selecting the tool to use is one thing; knowing how to use the tool is something completely different, especially in a production environment.
-
scasc
Member Posts: 465
Back in the day (about 15 years ago) audit used to be mandated to actually test out the security posture of whatever they were auditing through the use of pen test tools (e.g. password cracking, wireless sniffing etc). From what I see I don't see them doing this anymore - anyone please correct me if I am wrong?
Though speaking, pen test tools would be helpful with conducting audits - I very much doubt based on what I have seen this will shift back - quite unfortunate as all the fun has been taken away.
AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
-
TechGuru80
Member Posts: 1,539
Audit and pentesting are two different functions now. Auditing generally focuses on policies, processes, and procedures now...think CISSP/CISA...and pentests are very specific in scope to evaluate the security posture...think OSCP/CEH etc. Generally, you won’t see people doing both, they usually specialize in one.
-
scasc
Member Posts: 465
Interesting, thanks for letting me know. One of the reasons why I moved away from auditing was because it took away that "technical" element and was more a policy based exercise.
AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...