Web Site Monitoring - Performance Monitoring - Free open-source website performance monitoring and uptime notification application written in Perl, from AllScoop; sends an email notification if a site is slow or down.
TestMaker - Free open source utility maintained by PushToTest.com and Frank Cohen, for performance, scalability, and functional testing of Web applications. Features test authoring for Web applications, Rich Internet Applications (RIA) using Ajax, Service Oriented Architecture, and Business Process Management environments. Integrates Selenium, soapUI, TestGen4Web, and HtmlUnit to make test development faster and easier. Repurposes tests from these tools into load and performance tests, functional tests, and business service monitors with no coding required. Also repurposes unit tests written in Java, Jython, JRuby, Groovy, and other dynamic scripting languages. Runs on any platform.
Cactus - A simple open-source test framework for unit testing server-side Java code (Servlets, EJBs, Tag Libs, Filters, etc.). The intent is to allow fine-grained continuous testing of all files making up an application, source code as well as meta-data files (such as deployment descriptors), through an in-container approach. It uses and extends JUnit. Typically used within your IDE, or from the command line using Ant. From the Apache Software Foundation.
Webmaster Toolkit - Collection of 35 free tools and utilities useful to webmasters; includes link checker, page analyzer, ping, color tool, FrontPage and DreamWeaver code cleaner, link extractor, etc.
JCrawler - An open-source stress-testing tool for web apps; includes crawling/exploratory features. User can give JCrawler a set of starting URLs and it will begin crawling from that point onwards, going through any URLs it can find on its way and generating load on the web application. Load parameters (hits/sec) are configurable via central XML file; fires up as many threads as needed to keep load constant; includes self-testing unit tests. Handles http redirects and cookies; platform independent.
Curl-Loader - Open-source tool written in C that simulates the application load and behaviour of tens of thousands of HTTP/HTTPS and FTP/FTPS clients, each with its own source IP address. Unlike many other load tools, curl-loader uses real client protocol stacks written in C: the HTTP and FTP stacks of libcurl and the TLS/SSL implementation of OpenSSL. The activity of each virtual client is logged, and collected statistics cover name resolution, connection establishment, requests sent, responses received, headers and data received/sent, network errors, and TLS/SSL and application-level (HTTP, FTP) events and errors.
The Grinder - A Java-based load-testing framework freely available under a BSD-style open-source license. Orchestrate activities of a test script in many processes across many machines, using a graphical console application. Test scripts make use of client code embodied in Java plug-ins. Most users do not write plug-ins themselves, instead using one of the supplied plug-ins. Comes with a mature plug-in for testing HTTP services, as well as a tool which allows HTTP scripts to be automatically recorded.
HTML-Kit - Free, full-featured editor from Chami.com designed to help HTML, XHTML and XML authors to edit, format, lookup help, validate, preview and publish web pages. Uses a highly customizable and extensible integrated development environment while maintaining full control over multiple file types including HTML, XHTML, XML, CSS, XSL, JavaScript, Perl, Python, Ruby, Java, and much more. Finds errors and provides suggestions on how to create standards compliant pages. Includes internal, external, server-side and live preview modes; FTP Workspace for uploading, downloading and online editing of files; and the ability to use hundreds of optional free add-ins through its open plugins interface. GUI support of W3C's HTML Tidy; seamless integration with the CSE HTML Validator. Validate XML documents using its DTD and/or check for well-formedness. Over 400 free plugins available for extending and customizing HTML-Kit. Pro plugins available to paid registered users.
Web Testing Plugin collection - Large collection of links to and short descriptions of open source utilities and tools for web testing, unit testing, assertions, mocks, fixture utilities, reporting, validators, code coverage, etc. Mostly for Ruby, maintained by Benjamin Curtis
Venkman Javascript Debugger - Firefox extension; open source JavaScript debugging environment for Mozilla based browsers
FlexMonkey - A testing framework for Flex apps. Capabilities include capture, replay and verification of Flex UI functionality. Can generate ActionScript-based testing scripts that can easily be included within a continuous integration process. Uses the Flex Automation API and was created by extending Adobe's sample automation adapter, AutoQuick. Donated to the Flex community by Gorilla Logic. Site also lists info and links to three other open source Flex test tools/frameworks: FlexUnit, Selenium-Flex, and FunFx.
YSlow - Free open source tool from Yahoo that analyzes web pages and explains why they're slow, based on Yahoo's rules for high performance web sites. A Firefox add-on integrated with the Firebug web development tool. Includes a performance report card, an HTTP/HTML summary, a list of the components in the page with related info, and tools including JSLint. Generates a grade for each rule and an overall grade, lists specific suggested changes to improve performance, calculates the total size of the page for empty and primed cache scenarios, and shows cookie info. Can also view the HTTP response headers for any component.
TPTest - An open source software suite for testing network throughput and Internet services. It consists of a software library with test functions that can be implemented in test client and server applications. Reference client/server apps are also included.
TestGen - Free open-source web test data generation program that allows developers to quickly generate test data for their web-services before publicly or internally releasing the web service for production.
Sunday, November 29, 2009
Web Site Security Test Tools
OWASP Security Testing Tools - A variety of free and open source web security testing tools via the OWASP (Open Web Application Security Project) site. SQLiX is an SQL injection vulnerability test tool that uses several techniques: conditional error injection; blind injection based on integers, strings or statements; and MS-SQL verbose error messages (the "taggy" method). It can identify the database version and gather information from MS-Access, MS-SQL, MySQL, Oracle and PostgreSQL. Other security testing tools available include WebScarab, Tiger, LAPSE, Pantera, etc.
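The two detection techniques named in the SQLiX entry, error-based injection and boolean-based blind injection, are small enough to show end to end. The block below is an added example, not code from SQLiX or any OWASP project: it runs both probes against a constructed SQLite-backed lookup (the `users` table, `lookup_vulnerable` and `lookup_fixed` are hypothetical stand-ins for an application endpoint) and then uses the blind technique to infer one fact about the database engine, which is the pattern a fingerprinting tool follows when it never sees query output.

```python
# Added example, not SQLiX or OWASP project code: error-based and
# boolean-based blind injection probes against a constructed SQLite lookup.
# The table, data and function names are hypothetical.
import sqlite3

# Constructed sample data standing in for an application's user table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
conn.commit()


def lookup_vulnerable(user_id):
    """Deliberately vulnerable: the id is spliced into the SQL text and the
    database error is echoed back, as a verbose error page would do."""
    try:
        return conn.execute(
            f"SELECT name FROM users WHERE id = {user_id}").fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"


def lookup_fixed(user_id):
    """Hardened: the id is a bound parameter, so it is only ever a value and
    can never become part of the query's structure."""
    try:
        return conn.execute(
            "SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"


def error_based_probe(lookup):
    """Error-based: a payload that breaks SQL syntax and produces a database
    error proves the input reached the SQL parser."""
    return str(lookup("1'")).startswith("error:")


def blind_boolean_probe(lookup):
    """Boolean-based blind: two payloads that differ only in a true/false
    condition must yield different responses if the condition is evaluated."""
    baseline = lookup("1")
    return lookup("1 AND 1=1") == baseline and lookup("1 AND 1=2") != baseline


def blind_version_length(lookup, max_len=40):
    """Infer the length of the DB version string one yes/no question at a time:
    the same mechanism a tool uses to fingerprint the engine blindly."""
    baseline = lookup("1")
    for n in range(1, max_len + 1):
        if lookup(f"1 AND length(sqlite_version())={n}") == baseline:
            return n
    return None


def expected_version_length():
    """Ground truth for the blind inference above (library version string)."""
    return len(sqlite3.sqlite_version)


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("fixed", lookup_fixed)):
        print(name, error_based_probe(fn), blind_boolean_probe(fn),
              blind_version_length(fn))
```

Against `lookup_fixed` every probe comes back negative: the bound parameter is compared as a value, so `1 AND 1=1` simply matches no row and the true/false payloads become indistinguishable, which is exactly the property a scanner is looking for the absence of.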
Wikto - Open source web server security assessment tool that runs on Windows, from SensePost. Its three main sections are the back-end miner, Nikto-like functionality, and a Googler that obtains additional directories for use by the other two. Includes the ability to export results to a CSV file.
NMap Network Mapper - Free open source utility for network exploration or security auditing; designed to rapidly scan large networks or single hosts. Uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and many other characteristics. Runs on most flavors of UNIX as well as Windows.
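The port-and-service half of what the Nmap entry describes can be shown with a TCP connect() scan, which is what `nmap -sT` does when it cannot send raw packets. The block below is an added example, not Nmap code: it starts two loopback listeners with constructed banners, reserves a third port that is bound but never put into listening state (so connections to it are refused), and scans all three, classifying each as open, closed or filtered and guessing the service from its banner. Nmap's default SYN scan crafts raw packets and needs root privileges; this full-handshake variant runs unprivileged but leaves a complete connection in the target's logs.

```python
# Added example, not Nmap code: a TCP connect() scan with banner grab against
# in-process loopback listeners. Banners and service names are constructed.
import socket
import threading


def start_listener(banner):
    """Start a loopback TCP service that greets each client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0: the kernel picks a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:              # listener was closed
                return
            with client:
                client.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host, port, timeout=1.0):
    """Classify one port: open (handshake completed), closed (RST received)
    or filtered (no answer within the timeout)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""             # open, but the service waits for us to speak first
            return "open", banner
    except ConnectionRefusedError:
        return "closed", b""
    except (socket.timeout, OSError):
        return "filtered", b""


def connect_scan(host, ports):
    return {port: probe(host, port) for port in ports}


def guess_service(banner):
    """Crude banner fingerprinting; Nmap's -sV uses a large probe database."""
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith(b"220 ") and b"SMTP" in banner.upper():
        return "smtp"
    return "unknown"


def demo():
    """Scan two constructed services and one closed port; returns
    {port: (state, service)}."""
    ssh_srv, ssh_port = start_listener(b"SSH-2.0-OpenSSH_example\r\n")
    smtp_srv, smtp_port = start_listener(b"220 mail.example.test ESMTP\r\n")
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))        # bound but never listen()ed: connects are refused
    closed_port = closed.getsockname()[1]
    try:
        results = connect_scan("127.0.0.1", [ssh_port, smtp_port, closed_port])
        return {port: (state, guess_service(banner))
                for port, (state, banner) in results.items()}
    finally:
        ssh_srv.close()
        smtp_srv.close()
        closed.close()


if __name__ == "__main__":
    for port, (state, service) in sorted(demo().items()):
        print(f"{port}/tcp {state} {service}")
```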
Tuesday, October 27, 2009
Open source security solutions
There are many open source projects covering network scanners and IPS, anti-virus and anti-spam gateways, network and application firewalls, SSL VPNs, and security testing frameworks. Here are some of the recognized ones:
Network vulnerability scanner: Nessus
Nessus is found in the toolbox of well-funded and cash-strapped security organizations alike. It tests all aspects of a target, including the operating system, open ports, services, and applications. This description predates Nessus 3: since 2005 the Nessus scanner itself has shipped under a proprietary license, the difference between the free and paid plugin feeds being how quickly new checks arrive (immediately, or after a seven-day delay), and the open source continuation of the Nessus 2 code base is OpenVAS.
Network intrusion prevention: Snort
The de facto standard for open source intrusion detection and prevention, Snort has the strongest community support. It performs real-time traffic analysis and packet logging, and can run inline as an IPS with content inspection. A wealth of add-on projects bring graphical front ends to the Pig (Snort's mascot) and central management of multiple Snort sensors.
Anti-virus gateway: ClamAV
Acquired in 2007 by Sourcefire, the company behind Snort, ClamAV stands alone in open source anti-virus. Designed for e-mail gateways, its detection engine is fast and signature updates are frequent. ClamAV works well with SpamAssassin inside the MIMEDefang filtering framework for mail servers.
Anti-spam gateway: SpamAssassin
Powerful, extensible, and effective, SpamAssassin combines a large set of weighted heuristic rules with a trainable Bayesian classifier and DNS blocklists to identify spam while minimizing false positives. It's also well supported and well documented, with many books, guides, and add-ons available.
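The Bayesian part of SpamAssassin's scoring is easy to show in isolation. The block below is an added example, not SpamAssassin code: a Bernoulli naive Bayes classifier with Laplace smoothing of the kind behind its BAYES_* rules, trained on a constructed eight-message corpus (the messages, the `BayesFilter` class and its method names are illustrative). It treats the presence and the absence of each known token as evidence and works in log space so long messages do not underflow.

```python
# Added example, not SpamAssassin code: a minimal Bernoulli naive Bayes spam
# classifier trained on a constructed corpus. Everything here is illustrative.
import math
import re
from collections import Counter


def tokens(text):
    """Presence-based features: the set of lowercase word tokens."""
    return set(re.findall(r"[a-z0-9$]+", text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_counts = Counter()   # token -> number of spam messages containing it
        self.ham_counts = Counter()    # token -> number of ham messages containing it

    def train(self, text, is_spam):
        """What sa-learn --spam / --ham does: count per-class document frequencies."""
        toks = tokens(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_counts.update(toks)
        else:
            self.ham_docs += 1
            self.ham_counts.update(toks)

    def spam_probability(self, text):
        """P(spam | message) with Laplace smoothing, computed in log space.
        Tokens never seen in training are ignored; absence of a known token
        counts as evidence too (Bernoulli model)."""
        toks = tokens(text)
        total = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / total)
        log_ham = math.log(self.ham_docs / total)
        for tok in set(self.spam_counts) | set(self.ham_counts):
            p_s = (self.spam_counts[tok] + 1) / (self.spam_docs + 2)
            p_h = (self.ham_counts[tok] + 1) / (self.ham_docs + 2)
            if tok in toks:
                log_spam += math.log(p_s)
                log_ham += math.log(p_h)
            else:
                log_spam += math.log(1 - p_s)
                log_ham += math.log(1 - p_h)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


# Constructed training corpus (not real mail).
SPAM = [
    "free money now claim your prize",
    "cheap pills free shipping order now",
    "you won a prize claim now",
    "free cheap offer limited money",
]
HAM = [
    "meeting notes attached for tuesday review",
    "can you review the project budget before the meeting",
    "lunch tuesday? notes from the project kickoff",
    "please send the budget review notes",
]


def trained_filter():
    f = BayesFilter()
    for message in SPAM:
        f.train(message, True)
    for message in HAM:
        f.train(message, False)
    return f


def classify(text, threshold=0.5):
    return "spam" if trained_filter().spam_probability(text) >= threshold else "ham"


if __name__ == "__main__":
    f = trained_filter()
    for msg in ("Claim your FREE prize now!!!", "notes from tuesday's project review meeting"):
        print(f"{f.spam_probability(msg):.4f}  {msg}")
```

SpamAssassin does not act on this probability alone: the Bayesian verdict is bucketed into BAYES_00 through BAYES_99 rules whose scores are added to those of the heuristic and blocklist rules, and the sum is compared with the site's required score.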
Firewall: IPCop
IPCop is a complete Linux distribution whose sole purpose is network protection. IPCop turns any old PC into a high-functioning firewall appliance, with stateful inspection, IPSec VPN, and even the Snort IPS. The refined Web management interface of IPCop gives it our nod over close runner-up SmoothWall.
Application firewall: SELinux
A product of the National Security Agency and well supported by the security community, SELinux implements a mandatory access control (MAC) architecture for the Linux kernel and its major subsystems. Despite the "application firewall" label, it is not a packet filter: it confines each process to the operations its policy explicitly allows, so a compromised service cannot reach files, sockets or processes outside its domain. Even the superuser is subject to policy, because the MAC check runs after, and independently of, the classic root-bypasses-everything permission check.
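The claim that root is still confined follows from the order of the two checks, which the block below makes concrete. It is an added example, not SELinux code or a real policy: a toy type-enforcement evaluator with a handful of illustrative `allow` rules (the domains `httpd_t` and `unconfined_t` and the file types are named after real SELinux types, but the rules, uids, modes and paths are constructed). A process is granted access only if the discretionary check and the mandatory check both pass, so a web server running as uid 0 in `httpd_t` is refused `/etc/shadow` while an unconfined root shell is not.

```python
# Added example, not SELinux code or policy: a toy type-enforcement check
# showing why a confined process is denied even when it runs as uid 0.
# Domains, types, uids, modes and paths below are illustrative.
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    uid: int
    domain: str          # SELinux type of the process, e.g. httpd_t


@dataclass(frozen=True)
class File:
    path: str
    owner_uid: int
    mode: int            # POSIX permission bits
    type: str            # SELinux type of the file, e.g. shadow_t


# allow <source_type> <target_type>:<class> { perms };   (constructed rules)
ALLOW_RULES = [
    ("httpd_t", "httpd_sys_content_t", "file", {"read", "getattr", "open"}),
    ("httpd_t", "httpd_log_t", "file", {"append", "create", "open"}),
    ("unconfined_t", "shadow_t", "file", {"read", "write", "open"}),
    ("unconfined_t", "httpd_sys_content_t", "file", {"read", "write", "open"}),
]
POLICY = {}
for src, tgt, cls, perms in ALLOW_RULES:
    POLICY.setdefault((src, tgt, cls), set()).update(perms)


def dac_allows(proc, f, perm):
    """Classic discretionary check: root bypasses it entirely."""
    if proc.uid == 0:
        return True
    bit = 0o4 if perm == "read" else 0o2
    shift = 6 if proc.uid == f.owner_uid else 0   # owner bits vs other bits (group omitted)
    return bool(f.mode & (bit << shift))


def te_allows(proc, f, perm):
    """Mandatory check: no matching allow rule means no access, whoever asks."""
    return perm in POLICY.get((proc.domain, f.type, "file"), set())


def access(proc, f, perm):
    """Kernel ordering: DAC runs first, then the SELinux LSM hook; both must pass."""
    if not dac_allows(proc, f, perm):
        return "denied by DAC"
    if not te_allows(proc, f, perm):
        return f"denied by SELinux: avc denied {{ {perm} }} {proc.domain} -> {f.type}"
    return "granted"


SHADOW = File("/etc/shadow", 0, 0o000, "shadow_t")
INDEX_HTML = File("/var/www/html/index.html", 0, 0o644, "httpd_sys_content_t")
ROOT_HTTPD = Process(0, "httpd_t")       # a compromised web server running as root
APACHE_HTTPD = Process(48, "httpd_t")    # the same server under its service account
ROOT_SHELL = Process(0, "unconfined_t")  # an administrator's unconfined root shell


if __name__ == "__main__":
    for who, what, perm in ((ROOT_HTTPD, SHADOW, "read"),
                            (ROOT_SHELL, SHADOW, "read"),
                            (APACHE_HTTPD, INDEX_HTML, "read"),
                            (APACHE_HTTPD, INDEX_HTML, "write"),
                            (ROOT_HTTPD, INDEX_HTML, "write")):
        print(f"uid={who.uid} {who.domain} {perm} {what.path}: {access(who, what, perm)}")
```

The last case is the instructive one: root's DAC bypass gets the compromised `httpd_t` process past the mode bits on the document root, and it is only the missing `write` permission in the `httpd_t -> httpd_sys_content_t` rule that stops a defacement.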
VPN: OpenVPN
Secure connectivity is a problem well solved by OpenVPN, a TLS-based ("SSL") VPN that outshines the open source competition. OpenVPN can secure site-to-site links, remote access connections, and Wi-Fi networks, and supports load balancing and failover across multiple servers. It can use any cipher and key size that OpenSSL provides; the data-channel cipher is selected with the cipher directive in the configuration and must match on both ends.
Security testing best practices: Open Source Security Testing Methodology Manual
The OSSTMM project provides an entire testing framework for multiple security areas of the enterprise, including physical security, information security, and even controls for preventing fraud and social engineering attacks. It offers testing templates, intense community support, and a first rate architect in Pete Herzog.
Open Source Application servers
A number of free, or nearly free, application servers are available from open source groups.
To find out whether an open source product fits the needs of your organization, start by checking out a few of these better-known open source application servers:
- Enhydra, from Enhydra.org. Originally developed by Lutris Technologies, Open Source Enhydra is a Java/XML application server. It supports Sun Microsystems' J2EE standards for Java servlets and JavaServer Pages (JSP) and includes useful features such as an XML engine, object-to-relational mapping and database connection pooling.
- JBoss Group's JBoss server. JBoss is a J2EE Web application server that JBoss Group claims competes directly with BEA Systems' WebLogic and IBM's WebSphere. According to the JBoss Web site, 50,000 copies of the application server are downloaded each month. JBoss includes the JBossServer, which is the basic EJB container and JMX (Java Management eXtension) infrastructure; JBossMQ for JMS messaging; JBossMX for mail; JBossTX for JTA/JTS (Java Transaction API and Java Transaction Service) transactions; JBossSX for security; JBossCX for JCA (Java Connector Architecture) connectivity; and JBossCMP for container managed persistence.
- JOnAS, from ObjectWeb and Evidian. JOnAS is an implementation of the EJB specification. It's one of the projects of the ObjectWeb open source initiative (www.objectWeb.org), although tech support is available from Evidian (formerly BullSoft). JOnAS includes such features as JMX management, support for the JCA specification, a transaction manager, a database manager and an embedded implementation of JMS.
- PHP, from the PHP Group. PHP was originally created by Rasmus Lerdorf; its core scripting engine (the Zend Engine) comes from Zend Technologies, and it is most often deployed as an Apache module (mod_php), although it is not an Apache Software Foundation project. While not technically an application server, PHP acts much like one. It's a scripting language and environment that generates dynamic pages. Unlike an application server, notes Jean-Christophe Cimetiere, CEO of TechMetrix Research, a PHP server isn't an always-on process but is only activated when a request for a dynamic page is made.
- Resin, from Caucho. Resin is a servlet and JSP engine that has load-balancing capability and includes an HTTP/1.1 Web server. It's available under the Caucho Developer Source License.
- Tomcat, from the Apache Software Foundation. Tomcat is the servlet container used in the official reference implementation for Sun's Java servlet and JSP technologies. Tomcat is released under the Apache Software License.
Open source replication solutions
- SymmetricDS - SymmetricDS is a web-based, database-independent data synchronization system. Beyond replicating tables between relational databases, the software incorporates functionality to handle a large number of databases, manage low-bandwidth connections and work through periods of network outage. The system supports two-way replication, guaranteed delivery and multiple active schemas.
- Daffodil Replicator - Daffodil Replicator performs data replication based on the 'Publish and Subscribe' model. Replicator supports bi-directional data replication by either capturing a data source snapshot or synchronizing the changes. It monitors data changes and synchronizes them on a periodic basis or on demand. Replicator can use pre-defined conflict resolution algorithms to resolve conflicts between data sources.
- dRS - The db4o Replication System (dRS) is a replication system that leverages Hibernate. It enables bi-directional synchronization of objects between distributed db4o databases and, through Hibernate, relational databases such as Oracle or MySQL.
- Pollux - Pollux provides a framework for synchronizing data sources which share the same data format. The Record interface of Pollux provides an abstraction for most kinds of data records; these may include PIM entries, database records or files/directories.
- Bhavaya - Bhavaya is a library that supports real-time, synchronized, up-to-date access to continually changing data. The Bhavaya persistence layer differs from other implementations such as Hibernate and Castor in that the properties of Bhavaya's objects always reflect the current value of the data in the database.
- GCALDaemon - GCALDaemon offers two-way synchronization between Google Calendar and various iCalendar-compatible calendar applications. GCALDaemon is primarily designed as a calendar synchronizer but it can also be used as a Gmail notifier, Address Book importer, Gmail terminal and RSS feed converter.
- Funambol Mobile Application Server - The Funambol Mobile Application Server (originally named Sync4j) includes a certified implementation of the Open Mobile Alliance (OMA) Data Synchronization and Device Management protocols (OMA DS and DM, formerly known as SyncML).