Security Tools

At Security Innovation, our goal is to make the use of software safer – whether it is Commercial Off-The-Shelf (COTS), Open Source, or developed internally. We also believe that the open source community and the software it produces are critical to large and small organizations worldwide. This makes it all the more important for security professionals to continue to scrutinize open source software.
We care about the Open Source Community

  • We understand the power of software – and how insecure software can backfire against end-users
  • Every platform has unique threats and vulnerabilities (mobile, open source, closed source, IoT, cloud, etc.).
  • We dedicate time and effort for development and research
  • We develop free tools and software
  • We perform security assessments on open source software to help identify and mitigate vulnerabilities that put users at risk

We believe in giving back!

As part of our commitment to the community, Security Innovation engineers have developed specialized tools to automate manually intensive tasks, which allows more time to focus on proactive testing.

Facilitate the discovery of software vulnerabilities with these specialized testing tools developed by Security Innovation engineers.

Blockchain

Developers: Mick Ayzenberg, Security Innovation

At Security Innovation, we are fascinated by this technology and remain firmly on the pulse of cutting edge research in this field. Whether it be in the topics of Smart Contracts, Decentralized Apps (DApps), Directed Acyclic Graphs (DAGs), On-chain and Off-chain scaling solutions, or novel privacy techniques, our expert engineers are constantly learning and contributing to these fields of innovative research.


Did you know?

  • We have been an active member of OWASP for over a decade
  • We helped with the re-launch of the OWASP OpenSAMM project, an open source community program for measuring the application security maturity of an organization and/or development team
  • We are a lead author and contributor of the free, open source OWASP Top 10 Threats & Mitigations course and of the TEAM Mentor secure coding knowledge base
  • We created and contributed all of the questions and answers to the OWASP Exams project.
  • We published the industry's first public methodology for software security testing, How to Break Software Security (HTBSS)
  • Our experts hold over 100 industry certifications and accreditations in Software Security, Network Security & Information Security
  • Our technical experts have published 18 books
  • We created Microsoft Security Development Lifecycle training modules
  • We conducted assessments (threat model, architecture review, pen test, and code review) on Apache OpenMeetings and PFSense
    • Result: Total vulnerabilities found - 24
    • We submitted CVEs!
    • If the issues discovered were not sufficiently remediated, an attacker could gain complete control of the OpenMeetings application and steal private information belonging to users

AuthMatrix

Developers: Mick Ayzenberg, Security Innovation

AuthMatrix is an extension to Burp Suite that provides a simple way to test authorization in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are displayed through the UI in a similar format to that of an access control matrix commonly built in various threat modeling methodologies.

Download from: GitHub | BApp Store

AntiSQL Injection Library

Developers: Joe Basirico, Security Innovation & Kevin Lam, IronBox

Security Innovation and IronBox co-created an AntiSQL Injection Library (AntiSQLi) that developers can easily implement to prevent SQL Injection vulnerabilities. AntiSQLi allows developers to write parameterized queries in a single line using the String.format paradigm common in programming. It is easy to implement, highly extensible and includes pre-written .NET classes for Microsoft SQL Server. It can be easily extended to support other database platforms.
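To illustrate the idea behind a format-style parameterized query helper, here is an added Python example; it is not AntiSQLi's own .NET code, and the names `query_fmt`, `query_concat` and `make_db` are hypothetical. It rewrites `{0}`, `{1}`, ... placeholders into driver-bound parameters so that a constructed injection-style value cannot alter the query, and it keeps the vulnerable concatenation pattern beside it for contrast.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn

_PLACEHOLDER = re.compile(r"\{(\d+)\}")

def query_fmt(conn, template: str, *args):
    """Hypothetical format-style parameterized query helper.

    The template uses {0}, {1}, ... like str.format, but the values are never
    spliced into the SQL text: each {n} is rewritten to a '?' placeholder and
    the matching value is handed to the driver as a bound parameter.
    """
    params = []

    def to_placeholder(m):
        idx = int(m.group(1))
        if idx >= len(args):
            raise IndexError(f"template references {{{idx}}} but only {len(args)} args given")
        params.append(args[idx])
        return "?"

    sql = _PLACEHOLDER.sub(to_placeholder, template)
    return conn.execute(sql, params).fetchall()

def query_concat(conn, name: str):
    """The vulnerable pattern the library is meant to replace: user input is
    concatenated into the SQL text, so quote characters change the query."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def demo():
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed injection-style input
    return {
        # concatenation: the OR clause is parsed as SQL and every row comes back
        "concat": query_concat(conn, hostile),
        # bound parameter: the whole string is compared as a literal name
        "param": query_fmt(conn, "SELECT name, role FROM users WHERE name = {0}", hostile),
        # placeholders may appear in any order; values are bound by index
        "param_multi": query_fmt(
            conn,
            "SELECT name FROM users WHERE role = {1} AND name != {0} ORDER BY name",
            "alice", "user"),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The helper binds by placeholder index, so a value referenced twice in the template is passed twice to the driver, and a template that references an argument that was not supplied fails loudly instead of silently producing broken SQL.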

Download from: GitHub

Firesheep

Developers: Eric Butler (Primary Developer), Ian Gallagher (Co-Developer, Security Innovation)

Firesheep is an extension for the Firefox web browser that uses a packet sniffer to intercept unencrypted requests from websites such as Facebook and Twitter. This is useful in determining if websites are protecting session cookies and properly using SSL/TLS, which is particularly important when using public WiFi networks.

Download from: GitHub

WhatTheFuzz

Developers: Joe Basirico, Security Innovation

A basic fuzzer to replicate the "sniper" functionality in Burp. WhatTheFuzz needs a source of invalid values: you can create one by adding test cases to a text file (one per line), or, as we recommend, use FuzzDB.

Download from: GitHub

YASAT

Developers: Joe Basirico, Security Innovation

YASAT (Yet Another Static Analysis Tool) is a basic static application security testing (SAST) tool that runs regular expression-based rules over a code base to quickly find potential security vulnerabilities.
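As an added example of how a regex-rule scanner of this kind works (this is illustrative Python, not YASAT's own code or rule set), the block below defines a small constructed rule table, walks a constructed source snippet line by line, skips comments to cut noise, and returns each match as a finding with its rule id, severity and line number.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    pattern: re.Pattern
    severity: str

# Constructed rule set in the style of a regex-based scanner (hypothetical ids).
RULES = [
    Rule("SQL-001", "SQL statement built by string concatenation or formatting",
         re.compile(r"""(?i)(execute|query)\s*\(\s*f?["'].*(SELECT|INSERT|UPDATE|DELETE)\b.*(\+|%|\.format\(|\{)"""),
         "high"),
    Rule("CMD-001", "subprocess call with shell=True",
         re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"), "high"),
    Rule("CRYPTO-001", "weak hash algorithm",
         re.compile(r"hashlib\.(md5|sha1)\s*\("), "medium"),
    Rule("SECRET-001", "credential-looking string literal assignment",
         re.compile(r"""(?i)\b(password|secret|api_key)\s*=\s*["'][^"']+["']"""), "medium"),
]

@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    line_no: int
    line: str

def scan_source(source: str, rules=RULES) -> list[Finding]:
    """Apply every rule to every non-comment line and collect the matches."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments would only produce noise
        for rule in rules:
            if rule.pattern.search(line):
                findings.append(Finding(rule.rule_id, rule.severity, line_no, stripped))
    return findings

# Constructed sample source: four lines that should fire, one safe query, one comment.
SAMPLE = '''\
import hashlib, subprocess
password = "hunter2"
digest = hashlib.md5(data).hexdigest()
cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
subprocess.run(cmd, shell=True)
# hashlib.md5 mentioned in a comment is ignored
'''

def demo() -> list[Finding]:
    return scan_source(SAMPLE)

if __name__ == "__main__":
    for f in demo():
        print(f"{f.rule_id} [{f.severity}] line {f.line_no}: {f.line}")
```

The parameterized query on the fifth sample line is deliberately left unflagged, which shows both the strength and the limit of the approach: a rule can be tuned to distinguish concatenated SQL from bound parameters on one line, but it has no view of data flow, so a string assembled on an earlier line and passed in by name would be missed.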

Download from: GitHub

BlackMamba

Developers: Marcus Hodges, Security Innovation

BlackMamba is a new concurrent networking library for Python. BlackMamba was built from the ground up leveraging the power of epoll and coroutines. Not only does the library provide a very fast asynchronous engine, it also makes concurrent programming a straightforward, easy to write and read process.

Download from: GitHub

Holodeck

Developers: Joe Basirico, Security Innovation

Holodeck is a unique test tool that uses fault injection to simulate real-world application and system errors for Windows applications and services, allowing testers to work in a controlled, repeatable environment to analyze and debug error-handling code. Holodeck is the first commercial fault-simulation tool and was developed by leading researchers in the application quality field. It is used by organizations like Microsoft, Adobe, EMC and McAfee.

Download from: GitHub