Security Tools

Below are specialized tools that Security Innovation Engineers developed to facilitate the discovery of vulnerabilities. 

AuthMatrix

Developers: Mick Ayzenberg, Security Innovation

AuthMatrix is an extension to Burp Suite that provides a simple way to test authorization in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are displayed through the UI in a similar format to that of an access control matrix commonly built in various threat modeling methodologies.

Download from: GitHub | BApp Store

AntiSQL Injection Library

Developers: Joe Basirico, Security Innovation & Kevin Lam, IronBox

Security Innovation and IronBox co-created an AntiSQL Injection Library (AntiSQLi) that developers can easily implement to prevent SQL Injection vulnerabilities. AntiSQLi allows developers to write parameterized queries in a single line using the String.format paradigm common in programming. It is easy to implement, highly extensible and includes pre-written .NET classes for Microsoft SQL Server. It can be easily extended to support other database platforms.

Download from: GitHub

Firesheep

Developers: Eric Butler (Primary Developer), Ian Gallagher (Co-Developer, Security Innovation)

Firesheep is an extension for the Firefox web browser that uses a packet sniffer to intercept unencrypted requests from websites such as Facebook and Twitter. This is useful in determining if websites are protecting session cookies and properly using SSL/TLS, which is particularly important when using public WiFi networks.

Download from: GitHub

WhatTheFuzz

Developers: Joe Basirico, Security Innovation

A basic fuzzer that replicates the "sniper" functionality in Burp. WhatTheFuzz needs a source of invalid values. You can create one by adding a set of test cases to a text file (one per line), or, as we recommend, use FuzzDB.

Download from: GitHub

YASAT

Developers: Joe Basirico, Security Innovation

YASAT (Yet Another Static Analysis Tool) is a basic static analysis tool that applies regular expression-based rules to a code base to quickly find potential security vulnerabilities.

Download from: GitHub

BlackMamba

Developers: Marcus Hodges, Security Innovation

BlackMamba is a concurrent networking library for Python. BlackMamba was built from the ground up on epoll and coroutines. Not only does the library provide a very fast asynchronous engine, it also makes concurrent code straightforward to write and read.

Download from: GitHub

Holodeck

Developers: Joe Basirico, Security Innovation

Holodeck is a unique test tool that uses fault injection to simulate real-world application and system errors for Windows applications and services - allowing testers to work in a controlled, repeatable environment to analyze and debug error-handling code. Holodeck is the first commercial fault-simulation tool and was developed by leading researchers in the application quality field. It is used by organizations like Microsoft, Adobe, EMC and McAfee.

Download from: GitHub