Set of must-have online security tools that we believe may
make a real difference to your cybersecurity program and improve
your 2021 budget planning.
In September, Gartner published a list[1]
of “Top 9 Security and Risk Trends for 2020” putting a bold
emphasis on the growing complexity and size of the modern threat
landscape.
Incomplete visibility of external attack surfaces led to the
dramatic increase in disastrous breaches and data leaks during
2020, compromising PII and other sensitive data of millions of
victims. These incidents stemmed from sophisticated intrusions by
malicious nation-state actors and APT hacking groups, human error,
and widespread misconfigurations exposing unprotected cloud storage
or databases with confidential data to the Internet.
Gartner’s security analysts recommend automating laborious
security tasks and processes, amid the ongoing shortage of
cybersecurity skills, and promptly addressing emerging cloud and
containers security risks.
Gartner also recommends paying special attention to privacy and
regulatory requirements to avoid harsh fines and other sanctions
and commencing implementation of a zero-trust model within your
organization regardless of its size.
While the spiraling pandemic has brought a devastating impact on
many organizations and enterprises around the globe, most companies
chaotically attempted to move, or actually moved, their business processes to the
unaffected digital space. Most cybersecurity budgets were, however,
also battered as a collateral effect of the overall economic
downturn. Shrinking budgets unsurprisingly made an already stressful
digital transformation worse, as security and privacy, essential
ingredients of that delicate process, were grossly disregarded.
Cybersecurity spending is nonetheless projected to rebound and
spike again in 2021, providing relief for jaded CISOs, and their
exhausted IT Security teams. In the meantime, we would like to
acquaint you with an awesome set of free security tools that we
believe may make a palpable difference for your cybersecurity
program and 2021 budget planning.
Last week, application security company ImmuniWeb announced a
major update[2]
of its freely available Community Edition. It provides 4 free
security tests that amply cover many security and privacy
priorities mentioned by Gartner and also deliver some strong
capabilities to monitor security incidents and external cyber
threats targeting your company.
We have already written about ImmuniWeb among the most innovative[3]
cybersecurity vendors just after RSA 2020 Conference. Since then,
the company seems to have made impressive progress in many
directions and information security areas that we monitor. We
decided to test ImmuniWeb Community Edition and recommend trying it
now if you are unfamiliar with it:
Website Security and Compliance Test
For some specific use cases, this website security
test[4] may well replace a
commercial web vulnerability scanner. Remarkably, the free test is
non-intrusive and production safe – you won’t accidentally crash
your old web server or legacy web app while sending an RCE or
buffer overflow exploitation payload.
ImmuniWeb says its Software Composition Analysis (SCA) module has
an extensive database of diversified web software, spanning from
open-source WordPress and Drupal to proprietary and commercial web
products by Microsoft and Oracle. The SCA module reportedly
includes over 300 CMS and web frameworks, 160,000 of their plugins
and extensions, and 8,900 JavaScript libraries, while its embedded
vulnerability database covers more than 12,000 CVE
vulnerabilities:
On top of web application vulnerabilities and missing software
updates, the free test further checks whether your website
configuration conforms with the specific requirements of GDPR and
PCI DSS:
In one test, you simultaneously get an inclusive picture on how
to harden your website security, improve web server resilience, and
enhance applicable privacy and compliance requirements.
Dark Web Exposure and Phishing Detection Test
It seems to be an invaluable free tool[5] for Threat Analysts and
Blue Teams looking to augment their visibility of ongoing
security incidents, including Dark Web discussions and sales offers
of stolen data implicating their organization or its key
suppliers.
For legal and privacy reasons, the free test won’t disclose full
details of the incidents, such as stolen plaintext passwords or
full copies of the compromised databases. But a sufficiently
detailed and measurable overview is readily available to support
and enhance your decision-making process prior to investing into
Dark Web monitoring solutions:
As well as the comprehensive Dark Web snapshot, you get a fairly
good overview of Pastebin leaks, ongoing phishing campaigns, domain
squatting (cyber- and typo-squatting), and even fake accounts in
social networks usurping your identity:
We would certainly recommend using this handy free tool for your
Third-Party Risk Management (TPRM) program in order to score your
external vendors and suppliers who have privileged access to your
confidential data.
Mobile App Security and Privacy Test
This free mobile security test[6] now allows downloading
of mobile apps directly from different public App Stores on top of
Google Play, and even includes Cydia, so jailbroken users of iOS
devices may also test their mobile apps for privacy and security
concerns:
The mobile test performs both dynamic (DAST) and static (SAST)
mobile app scanning, shedding light on a broad spectrum of mobile
vulnerabilities and weaknesses. The scan covers the OWASP Mobile
Top 10 Risks and also some specific security issues mentioned in
the OWASP Mobile Security Testing Guide (MSTG) project:
Special attention is given to mobile app privacy: you will see
an inclusive list of permissions requested by the tested
application and external web hosts and servers where the mobile app
sends your data. Its built-in Software Composition Analysis (SCA)
module illuminates third-party and native libraries used in the
mobile app.
Importantly, due to its non-intrusive nature, the free mobile
scanner does not cover mobile endpoints testing such as APIs or web
services, which should always be included in your mobile security
testing program.
SSL Security and Compliance Test
Unlike many competing services, this free SSL security
test[7] allows testing not
just the omnipresent HTTPS but any implementation of TLS
encryption, including email servers and SSL VPN:
For email servers, the test also checks for properly configured
SPF, DMARC, and DKIM that are de facto the most common best
practices for email security today.
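The SPF and DMARC checks mentioned above can be reproduced offline against the raw DNS TXT records. The following Python script is an added example written for this article, not ImmuniWeb's code: it evaluates SPF records for the common misconfigurations (no record, several records, a permissive `+all`, too many DNS-lookup terms) and DMARC records for a missing or monitoring-only policy, a partial `pct`, or no aggregate reporting address. The domains and records in `SAMPLE_TXT` are constructed sample data; in real use you would fetch the TXT records with a resolver such as dnspython (`dns.resolver.resolve(name, "TXT")`). DKIM is left out because verifying it requires knowing the selector a sender uses.

```python
"""Evaluate SPF and DMARC TXT records for common misconfigurations.

Added example, not ImmuniWeb's code. SAMPLE_TXT holds constructed
records for hypothetical domains; a real check would query DNS instead.
"""
import re
from typing import Dict, List

# Constructed sample TXT records keyed by DNS name (hypothetical domains).
SAMPLE_TXT: Dict[str, List[str]] = {
    "good.example": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.good.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"
    ],
    # Two SPF records (invalid) and a '+all' that authorises every host.
    "weak.example": ["v=spf1 ip4:192.0.2.0/24 +all", "v=spf1 mx ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "none.example": [],
}

# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(records: List[str]) -> List[str]:
    """Return findings for one domain's SPF records (empty list = fine)."""
    findings: List[str] = []
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        findings.append("multiple SPF records: RFC 7208 requires exactly one, receivers return permerror")
    for rec in spf:
        terms = rec.split()[1:]  # drop the 'v=spf1' version tag
        last = terms[-1].lower() if terms else ""
        if last in ("+all", "all"):
            findings.append("'+all' lets any host send mail as this domain")
        elif last == "?all":
            findings.append("'?all' is neutral and offers no protection")
        elif last not in ("-all", "~all") and not last.startswith("redirect="):
            findings.append("record does not end with an 'all' mechanism or redirect modifier")
        # Strip the qualifier (+ - ~ ?) and cut at ':', '=' or '/' to get the mechanism name.
        lookups = sum(
            1 for t in terms
            if re.split(r"[:=/]", t.lower().lstrip("+-~?"))[0] in LOOKUP_TERMS
        )
        if lookups > 10:
            findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(records: List[str]) -> List[str]:
    """Return findings for the _dmarc TXT records of one domain."""
    findings: List[str] = []
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record published"]
    if len(dmarc) > 1:
        findings.append("multiple DMARC records: receivers ignore all of them")
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag; the record is ignored")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        findings.append("invalid 'pct' value")
    elif pct < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: the policy applies to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' address: no aggregate reports, so spoofing goes unnoticed")
    return findings


def assess(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT) -> Dict[str, List[str]]:
    """Evaluate a domain's SPF and DMARC posture from a TXT-record table."""
    return {
        "spf": check_spf(txt.get(domain, [])),
        "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "none.example"):
        print(name, assess(name))
```

Running it reports `good.example` clean, flags `weak.example` for its duplicate SPF records, the `+all` mechanism and its monitoring-only DMARC policy, and reports `none.example` as publishing neither record. Swap `SAMPLE_TXT` for live resolver output to use it on your own domains.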
On top of this, the test automatically performs a quick
auto-discovery of subdomains, a timely reminder that not
just the main “www” website requires attention.
The test meticulously goes through all currently known SSL/TLS
implementation or cryptographic vulnerabilities, including
Heartbleed, ROBOT, BEAST, POODLE, and a dozen other flaws that may
enable interception or decryption of your data in transit.
Another significant benefit is mapping your TLS configuration to
the specific requirements of PCI DSS, NIST, and HIPAA, so you can
verify whether your encryption strength properly meets regulatory
requirements to avoid penalties for non-compliance:
All tests can be refreshed and, if you create a free account,
downloaded as a PDF document to share internally or with
your customers, proving that you care about their data security.
Properly hardened HTTPS and a secured website are a persuasive
competitive advantage for the e-commerce business, especially after
spooky hacking stories about Black Friday mass-hacking campaigns
emptying wallets of unwitting online shoppers.
While testing ImmuniWeb Community Edition, we particularly
appreciated the responsiveness of their tech support: we had
spotted a couple of minor bugs in one of the tests that were fixed
as soon as the next morning.
In the email sent to us, ImmuniWeb said it listened carefully to
its growing audience and is keen to continuously improve the
Community Edition based on received feedback and suggestions. You
can just drop them a message directly by using a web interface,
becoming a part of the amazing community that now runs over 100,000
daily tests.
ImmuniWeb Community Edition[8]
free tests can be accessed by API or via the web interface.
For organizations looking to run a large number of tests per day
or for cybersecurity vendors looking to leverage the ImmuniWeb
Community Edition technical capacities for commercial purposes,
there is also a premium API available for online purchase.
We think that the ImmuniWeb team is doing pretty cool and
awesome things that we like. We look forward to seeing their growth
and development in 2021: it’s poised to be promising.
References
[1] list (www.gartner.com)
[2] major update (www.immuniweb.com)
[3] most innovative (thehackernews.com)
[4] website security test (www.immuniweb.com)
[5] free tool (www.immuniweb.com)
[6] free mobile security test (www.immuniweb.com)
[7] free SSL security test (www.immuniweb.com)
[8] Community Edition (www.immuniweb.com)