Cyber vulnerabilities are outgrowing enterprises. The high pace of innovation and the need to continuously implement new processes demand unprecedented agility, inevitably creating new security vulnerabilities.
The best open source vulnerability scanners
With the advent of hyper-agile application development (keywords: DevOps, DevSecOps), cloud-native software architectures and infrastructure as code, attack vectors against enterprise IT are multiplying at every layer of a deployment's stack. A vulnerability scanner is mandatory, and it does not have to cost anything.
Wireshark is arguably the best-known open-source packet analyzer, used for troubleshooting connectivity problems and for developing software and communication protocols. It captures network traffic live, reads gzip-compressed capture files transparently, decrypts protocols for which it has been given the keys, and lets the analyst drill into every field of every packet.
It reads and writes capture files in many formats, from tcpdump (libpcap) and Pcap NG to Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer (compressed and uncompressed), Sniffer Pro and NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek and many others.
It captures from Ethernet, IEEE 802.11, PPP/HDLC, Bluetooth, USB, Token Ring, Frame Relay, FDDI and other link types, and it can decrypt IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP and WPA/WPA2 traffic, among others. Note that this is decryption, not cracking: Wireshark needs the relevant key material, for example a TLS key log file exported by the client, or the WPA passphrase together with a captured four-way handshake, before it can show the plaintext.
Wireshark is part of the standard arsenal of so-called ethical hackers and one of the most important tools for network security; precisely because it makes cleartext protocols so easy to read, it also demonstrates why they should not be on the network in the first place.
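To make the "examine in depth" step concrete, here is an added example (written for this article, not Wireshark's or libpcap's own code) that reads the classic libpcap format mentioned above, decodes Ethernet/IPv4/TCP and then does by hand what display filters such as `ftp.request.command == "PASS"` or `http.authorization` do in Wireshark: it pulls credentials that crossed the wire in cleartext. All traffic is constructed inline with placeholder addresses and passwords; nothing touches the network.

```python
"""Minimal libpcap reader plus a cleartext-credential hunt (added example)."""
import base64
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic read with the wrong byte order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame around `payload`. Checksums are left at 0;
    the reader below does not verify them (Wireshark would flag that)."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames, big_endian=False):
    """Serialize frames into a libpcap file with the Ethernet link type."""
    e = ">" if big_endian else "<"
    out = [struct.pack(e + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack(e + "IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def decode_tcp(frame):
    """Return addresses, ports and payload of an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != IPPROTO_TCP:
        return None
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    # bound the payload by the IP total length so Ethernet padding is not taken for data
    payload = frame[tcp_off + data_off:14 + total_len]
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "payload": payload}


def parse_pcap(data):
    """Return decoded TCP packets from a classic libpcap byte string (either endianness)."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        e = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        e = ">"
    else:
        raise ValueError("not a classic libpcap file (Pcap NG etc. need another reader)")
    if struct.unpack(e + "IHHiIII", data[:24])[6] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += 16 + incl_len
        pkt = decode_tcp(frame)
        if pkt is not None:           # ARP, IPv6, UDP etc. are skipped in this example
            pkt["time"] = ts_sec + ts_usec / 1e6
            packets.append(pkt)
    return packets


def find_cleartext_credentials(packets):
    """Flag FTP USER/PASS commands and HTTP Basic credentials sent unencrypted."""
    hits = []
    for p in packets:
        for line in p["payload"].split(b"\r\n"):
            if p["dport"] == 21 and line[:5].upper() in (b"USER ", b"PASS "):
                hits.append((p["src"], p["dst"], "ftp", line.decode("ascii", "replace")))
            elif p["dport"] == 80 and line.lower().startswith(b"authorization: basic "):
                try:
                    creds = base64.b64decode(line.split(None, 2)[2]).decode("utf-8", "replace")
                except ValueError:    # malformed base64 from a hostile client: skip, don't crash
                    continue
                hits.append((p["src"], p["dst"], "http-basic", creds))
    return hits


SAMPLE_FRAMES = [  # constructed traffic with placeholder addresses, not a real capture
    build_tcp_frame("10.0.0.5", "10.0.0.9", 51000, 21, b"USER alice\r\n"),
    build_tcp_frame("10.0.0.5", "10.0.0.9", 51000, 21, b"PASS hunter2\r\n"),
    build_tcp_frame("10.0.0.5", "10.0.0.80", 51001, 80,
                    b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                    + base64.b64encode(b"bob:passw0rd") + b"\r\n\r\n"),
    bytes.fromhex("ffffffffffff" "66778899aabb" "0806") + bytes(28),   # ARP: skipped
]


def demo():
    packets = parse_pcap(build_pcap(SAMPLE_FRAMES))
    return packets, find_cleartext_credentials(packets)


if __name__ == "__main__":
    pkts, found = demo()
    print("%d TCP packets decoded" % len(pkts))
    for hit in found:
        print("%s -> %s [%s] %s" % hit)
```

The same logic applied to a real `tcpdump -w` file is one `open(path, "rb").read()` away; Pcap NG, Wireshark's default output format since 1.8, has a different block structure and is deliberately rejected here rather than misparsed.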
With OpenVAS (Open Vulnerability Assessment Scanner), Greenbone Networks GmbH of Osnabrück, Germany, offers a full-featured open-source vulnerability scanner. Together with other open-source modules it forms Greenbone Vulnerability Management (GVM), which in turn is the basis of Greenbone's commercial vulnerability management product family.
“999 out of 1,000 successfully exploited vulnerabilities have been known for more than a year,” the company argues on its website. Companies can reduce the attack surface of their IT infrastructure “quickly and easily” with appropriate tools, it says.
The first step is to identify the relevant vulnerabilities and assess their risk, for example with the vendor's tools; the scan reports then recommend remediation measures, so that attacks can be headed off with targeted precautions.
The capabilities of the free edition include authenticated and unauthenticated testing, tests for a wide range of high-level and low-level internet and industrial protocols, and performance tuning for large-scale scans. Internally the scanner uses its own scripting language, NASL (the Nessus Attack Scripting Language, inherited when OpenVAS forked from Nessus), in which the individual vulnerability tests are written; those tests arrive through a feed that has to be kept current, since a scanner is only as good as its last update. Authenticated scans, which log in to the targets via SSH or SMB to inspect installed packages and configuration, find far more than unauthenticated scans of the exposed network surface, but they need dedicated, least-privilege scan accounts.
Nuclei, from ProjectDiscovery in the U.S. state of Oregon, performs targeted, user-configurable vulnerability scans by sending templated requests to hosts over the network. Each check is a YAML template (an id, an info block, the requests to send and the matchers that decide whether a response indicates the vulnerability); the public template repository is said to draw on contributions from more than 200 security researchers and engineers.
Its strengths are high execution speed and considerable extensibility. Supported protocols include HTTP, DNS and raw TCP, among others. Because templates are effectively code that the scanner runs against targets, teams typically pin a reviewed template set rather than pulling the latest repository state blindly.
ProjectDiscovery's motto is "security through intelligent automation," and it has further tools for penetration testing and bug bounties up its sleeve: the subdomain discovery tool Subfinder, the HTTP toolkit httpx (built on the retryablehttp library), the DNS toolkit dnsx (a real all-rounder) and the fast port scanner naabu, which can be used to map a potential attack surface before Nuclei is pointed at it.
When cyberattacks surged at the onset of the COVID-19 pandemic in 2020, Google published the source code of its in-house vulnerability scanner, Tsunami, on GitHub. Unlike most tools of its kind, Tsunami was built to "fish" for vulnerabilities in truly massive networks.
Tsunami has two main components: a reconnaissance engine and a vulnerability verification stage. The reconnaissance engine scans an organization's network for open ports and fingerprints the service behind each one; this port fingerprinting builds on the proven network mapper Nmap but also uses Google's own code.
The second stage takes the fingerprinting results and tests the identified services against a list of vulnerabilities with known exploits. The emphasis is on verified findings with few false positives rather than on breadth.
The modular architecture allows Tsunami developers to implement new features by simply adding new plugins.
Tsunami currently shines with two particularly useful detector families: it finds openly exposed sensitive user interfaces, and it finds weak credentials on services such as SSH, FTP, RDP and MySQL.
Applications such as Jenkins, Jupyter and Hadoop YARN expose interfaces that let users schedule workloads in a defined order or trigger system commands. If such an interface accepts requests without authentication, an attacker can turn the application's legitimate functionality against its owner, typically ending in code execution on the host. For weak-password detection, Tsunami draws on other open-source tools such as Ncrack.
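The detection idea behind the "exposed sensitive UI" class, as an added example (illustration code, not Tsunami's plugins): request a handful of well-known administrative endpoints and flag those that answer 200 with neither an HTTP authentication challenge nor a login form. The endpoint list, the "Jenkins-like" stand-in server and its misconfiguration are this example's own assumptions; it runs entirely against localhost.

```python
"""Probe for administrative interfaces reachable without credentials (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Endpoints whose unauthenticated availability usually means remote code execution.
# Assumed list for this example; real scanners carry far more, with per-app logic.
SENSITIVE_PATHS = {
    "/script": "Jenkins script console",
    "/api/sessions": "Jupyter server API",
    "/ws/v1/cluster/apps": "Hadoop YARN ResourceManager REST API",
}


def probe(host, port, paths=SENSITIVE_PATHS, timeout=3.0):
    """Return (path, description, status) for each path served without authentication.
    A 401/403, a WWW-Authenticate challenge or a page with a password field counts
    as protected; only a bare 200 without any of those is reported."""
    findings = []
    for path, label in paths.items():
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            body = resp.read()
            status, challenge = resp.status, resp.getheader("WWW-Authenticate")
        except OSError:
            continue           # closed port, reset or timeout: nothing to report here
        finally:
            conn.close()
        looks_like_login = b'type="password"' in body.lower()
        if status == 200 and challenge is None and not looks_like_login:
            findings.append((path, label, status))
    return findings


class _DemoHandler(BaseHTTPRequestHandler):
    """Stand-in for a misconfigured host (constructed): the script console is wide
    open, the Jupyter API demands a token, YARN is absent, /login is a real login form."""
    ROUTES = {
        "/script": (200, b"<html><textarea name='script'></textarea></html>"),
        "/api/sessions": (403, b'{"message": "Forbidden"}'),
        "/login": (200, b'<form><input type="password" name="j_password"></form>'),
    }

    def do_GET(self):
        status, body = self.ROUTES.get(self.path, (404, b"not found"))
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_args):  # keep the demo quiet
        pass


def start_demo_server():
    """Start the stand-in on an ephemeral localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, prt = start_demo_server()
    try:
        for hit in probe("127.0.0.1", prt):
            print("EXPOSED %s (%s) on 127.0.0.1:%d" % (hit[0], hit[1], prt))
    finally:
        srv.shutdown()
        srv.server_close()
```

The password-field heuristic is what separates a finding from noise: many applications return a login page with status 200, and a scanner that only looks at the status code would report every one of them. A production check would go further and confirm the interface actually works, for instance by listing jobs read-only, before calling it a vulnerability.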
Trivy, from Aqua Security, is an open-source vulnerability scanner for container images. Since the project started in 2019 it has gained a wide following in the open-source community on GitHub.
Unlike many other open-source scanners, Trivy covers both operating-system packages and language-specific dependencies (npm, pip, Go modules and more) in a single pass, and it integrates easily into CI/CD pipelines, where a scan can fail the build that would otherwise ship a fixable high-severity vulnerability. The usual caveat applies: a scanner only knows what is in its database, and a clean report says nothing about flaws in the application's own code.
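What "integrated into the pipeline" looks like in practice, as an added example (not Trivy's code): a small gate that reads the JSON report Trivy writes with `trivy image --format json -o report.json <image>` and fails the build on fixable findings at or above a chosen severity. The embedded report is constructed for illustration and follows the shape of Trivy's JSON output; its vulnerability IDs, package names and versions are placeholders, not real CVEs.

```python
"""CI gate over a Trivy JSON report (added example)."""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

SAMPLE_REPORT = {  # constructed; keys follow Trivy's JSON schema, values are made up
    "ArtifactName": "registry.example.invalid/app:1.2.3",
    "Results": [
        {"Target": "registry.example.invalid/app:1.2.3 (debian 11.3)",
         "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libother",
              "InstalledVersion": "2.1", "FixedVersion": "", "Severity": "HIGH"},  # no fix yet
         ]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "left-pad-ish",
              "InstalledVersion": "0.9.0", "FixedVersion": "1.0.0", "Severity": "MEDIUM"},
             {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "json-thing",
              "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Severity": "HIGH"},
         ]},
        {"Target": "app/Dockerfile", "Class": "config", "Type": "dockerfile",
         "Vulnerabilities": None},   # Trivy emits null where a target has nothing to report
    ],
}


def blocking_findings(report, fail_on="HIGH", ignore_unfixed=True, ignore_ids=()):
    """Return the findings that should fail the build as
    (target, id, package, installed, fixed, severity) tuples, worst first."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    out = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            sev = (v.get("Severity") or "UNKNOWN").upper()
            fixed = v.get("FixedVersion") or ""
            if SEVERITY_RANK.get(sev, 0) < threshold:
                continue
            if ignore_unfixed and not fixed:
                continue                      # nothing to upgrade to yet: track it, don't block
            if v["VulnerabilityID"] in ignore_ids:
                continue                      # accepted risk, like a .trivyignore entry
            out.append((result["Target"], v["VulnerabilityID"], v["PkgName"],
                        v.get("InstalledVersion", ""), fixed, sev))
    out.sort(key=lambda f: -SEVERITY_RANK[f[5]])  # stable: report order within a severity
    return out


def main(argv):
    """Read the report named on the command line (or the sample) and exit 1 on blockers."""
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    findings = blocking_findings(report)
    for target, vid, pkg, installed, fixed, sev in findings:
        print("%s: %s in %s %s (fix: %s) [%s]" % (target, vid, pkg, installed, fixed, sev))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Trivy's own `--exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed` flags cover the plain case directly; a gate like this earns its place when the policy goes beyond them, for instance allowlists with expiry dates, different thresholds for OS and application packages, or one verdict aggregated over several reports.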
Tools for automated monitoring
Beyond conventional network vulnerability scanners, solutions that continuously watch the IT infrastructure and the code of software projects for newly emerging vulnerabilities are increasingly proving their worth in the enterprise. Tools such as Nagios and toolkits such as Snyk, or Prometheus with Grafana, fall into this category, with a distinction worth making: Snyk's scanning service is a commercial product of which only the CLI and some tooling are open source, and Prometheus and Grafana monitor operational metrics rather than vulnerabilities, so they complement a scanner instead of replacing it.
Nagios is among the oldest open-source monitoring tools. It monitors system and hardware metrics, network protocols, applications, servers and other physical elements of the infrastructure, also by way of external tools. Monitoring a given endpoint requires writing or installing a check plugin, a script that follows the Nagios plugin convention of returning exit code 0, 1, 2 or 3 for OK, WARNING, CRITICAL or UNKNOWN together with a one-line status message.
Prometheus is an open-source solution for monitoring metrics and time-series data in cloud-native environments. It was written at the Berlin-based company SoundCloud, inspired by Google's internal Borgmon monitoring system. SoundCloud later handed the project over to the Cloud Native Computing Foundation (CNCF), which also hosts Kubernetes and OpenTracing, among others. Today Prometheus is one of the most successful open-source projects in the enterprise environment.
Prometheus's strengths are its multi-dimensional time-series data model and its query language PromQL; graphical dashboards usually come from Grafana sitting on top of it. It is extensible, integrates smoothly with Kubernetes and can be fed from almost any source via exporters, from raw system-level metrics to Docker, HAProxy, StatsD and JMX metrics. It is written in Go and licensed under Apache 2.0.
International web host Hostinger uses Prometheus to monitor the physical servers and VMs serving its tens of millions of users. The company originally ran the NCG stack (Nagios/Cacti/Ganglia) and, when that no longer sufficed, took the TICK stack (Telegraf/InfluxDB/Chronograf/Kapacitor) for a test drive. The deciding factor for Prometheus was how well it lends itself to infrastructure-as-code automation. Prometheus users also include SUSE, Red Hat, Presslabs, DigitalOcean, Uber and Microsoft.
Playing with an open hand?
Using open source software saves companies as much as $60 billion a year, Flexera wrote in a report three years ago. Since then, enterprise use of open source has increased and has brought new vulnerabilities with it, as a 2021 study by Flexera's Revenera division confirms. But the key benefits of open source are hard to express so neatly in dollars and cents.
That’s because open source has at least two key advantages that are highly valued in many organizations: It builds trust through the unrestricted auditability of the code, and it maximizes the adaptability of the solutions deployed.
The conformance of open source solutions to open standards improves interoperability and expands the possibilities for integration into the existing IT environment.
Not having a price tag does not automatically mean lower quality, quite the opposite: open source projects attract world-class developers, and inferior contributions are quickly weeded out under public scrutiny.
Open source code also fosters the emergence of a large community of interest; its members drive development in their own self-interest. The open nature of open source encourages the emergence of abundant repositories of documentation, smoothing the entry of new users and flattening the steep learning curve. An engaged user community encourages the open sharing of experiences and reduces the need for commercial support.
Nevertheless, the use of open source solutions in cybersecurity also comes with certain operational risks that are a cause of concern for many users, especially in the enterprise environment.
Open source components are often deeply and intricately interdependent, and users have no contractual claim against a vendor for a defined level of service. The ironic saying "you get what you pay for" can unfortunately prove true with open source solutions, but it need not.
For vendors such as the small startup ProjectDiscovery, open source is proving to be a trust builder. Open-sourcing code gives such vendors an almost cost-neutral way to grow their installed base, win attention and attract new ideas. An open-source code base also simplifies interoperability with other solutions and collaboration with other software vendors, lowers development costs and speeds up bug fixes.
Open source vulnerability scanners can help identify and address cyber risks in a distributed IT environment. The open-source community holds real gems that beat their commercial alternatives hands down, in the right hands, mind you.