Penetration testing tools

maharalielmaharaliel Posts: 119Member
Hello all,

I am an IT auditor and I would like to select to best tools to be used for penetration testing on web application and Network. On many websites they are recommending metasploit, wireshark, W3af but I am afraid of using these open source in our production environment. I would like to request you whether to use these open source software in security testing is secure or whether doesn't carry any other security risk to business environment. Anyone who has ever used them can advise me.

Comments

  • TechGuru80TechGuru80 Posts: 1,539Member ■■■■■□□□□□
    It doesn’t sound like YOU should be using them on a production network.

    Many of the tools if not used with caution, sometimes even with caution, can cause systems to crash or have issues. Make sure somebody that knows what they are doing is the only person using the tools...with written permission.

    As far as the tools, those are some...also Burp, ZAP...there are tons of tools out there depending on what is being tested.
  • soccarplayer29soccarplayer29 CISSP, CISA, PMP Posts: 229Member ■■■□□□□□□□
    100% agree and second what TechGuru said.

    I'm less concerned with the open source tools than I am with operating the penetration testing tools correctly...tread lightly
    Certs: CISSP, CISA, PMP
  • TeKniquesTeKniques OSCE, OSCP, CISSP, CISA, SSCP, MCSE (03), Security+, Network+, A+, Project+ Posts: 1,262Member ■■■■□□□□□□
    I agree with the others. You should hire a qualified consultant to assist with the audit(s) to perform penetration testing that's within the scope. Selecting the tool to use is one thing; knowing how to use the tool is something completely different, especially in a production environment.
  • maharalielmaharaliel Posts: 119Member
    Thank you all for the advice
  • scascscasc Posts: 183Member ■■■□□□□□□□
    Back in the day (about 15 years ago) audit used to be mandated to actually test out the security posture of whatever they were auditing through the use of pen test tools (e.g. password cracking, wireless sniffing etc). From what I see I don't see them doing this anymore - anyone please correct me if I am wrong?

    Though speaking, pen test tools would be helpful with conducting audits - I very much doubt based on what I have seen this will shift back - quite unfortunate as all the fun has been taken away :).
    MSc, BSc (Hons), AWS CSA, C-CISO, CISSP, CCSP, CCSK, CISM, CISA, CRISC, GSNA, GSTRT, CEH, CHFI, TOGAF, CISMP
  • TechGuru80TechGuru80 Posts: 1,539Member ■■■■■□□□□□
    Audit and pentesting are two different functions now. Auditing generally focuses on policies, processes, and procedures now...think CISSP/CISA...and pentests are very specific in scope to evaluate the security posture...think OSCP/CEH etc. Generally, you won’t see people doing both, they usually specialize in one.
  • scascscasc Posts: 183Member ■■■□□□□□□□
    Interesting, thanks for letting me know. One of the reasons why I moved away from auditing was because it took away that "technical" element and was more a policy based exercise.
    MSc, BSc (Hons), AWS CSA, C-CISO, CISSP, CCSP, CCSK, CISM, CISA, CRISC, GSNA, GSTRT, CEH, CHFI, TOGAF, CISMP
Sign In or Register to comment.