转载：2016 Top Security Tools as Voted by ToolsWatch.org Readers

2016年十大安全工具排行榜（来自于ToolsWatch.org读者投票）

原文地址： http://www.toolswatch.org/2017/02/2016-top-security-tools-as-voted-by-toolswatch-org-readers/

Results by Year：

01 – Objective-See tools (NEW)
02 – OWASP ZAP – Zed Attack Proxy Project (-1↓)
03 – OWASP VBScan (NEW)
04 – WarBerry PI (NEW)
05 – Mobile Security Framework (MobSF) (NEW)
06 – OWASP ZSC  (NEW)
07 – Burp Suite (-1↓)
08 – Halcyon IDE (NEW)
09 – DataSploit (NEW)
10 – Lynis (-8↓)
10 – Faraday (-6↓)
10 – Sparta (NEW)

01- Objective-See OS X Security Tools

    Introduced during Black Hat Arsenal 2015 and returned in 2016, Objective-See Security Tools were widely and grealtly appreciated by the audience.

Tools such KnockKnock, RansomWhere, BlockBlock and OverSight were massively voted during this campaign. Check the URL to learn how Patrick Wardle’s

tools can help you incredibly improve security of your Macs!

URL: https://objective-see.com/products.html

02- OWASP ZAP – Zed Attack Proxy Project

    The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

    ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

URL: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

03- OWASP VBScan

    OWASP VBScan (short for [VB]ulletin Vulnerability [Scan]ner) is an opensource project in perl programming language to detect VBulletin CMS 

vulnerabilities and analyses them.

URL: https://www.owasp.org/index.php/OWASP_VBScan_Project

04- WarBerry PI

    The WarBerry PI is a customized RaspBerryPi hacking dropbox which is used in Red Teaming engagements with the sole purpose of

performing reconnaissance and mapping of an internal network and providing access to the remote hacking team while remaining covert and 

bypassing security mechanisms.

    The outcome of these red teaming exercises is the demonstration that if a low cost microcomputer loaded with python code can bypass security

access controls and enumerate and gather such a significant amount of information about the infrastructure network which is located at.

URL: https://github.com/secgroundzero/warberry

05- Mobile Security Framework (MobSF)

    Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code.

    MobSF can also perform Web API Security testing with it’s API Fuzzer that can do Information Gathering, analyze Security Headers, identify 

Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.

URL: https://github.com/ajinabraham/Mobile-Security-Framework-MobSF

06- OWASP ZSC

    OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated

script. This software can be run on Windows/Linux/OSX under python. According to other shellcode generators same as metasploit tools and etc,

OWASP ZSC using new encodes and methods which antiviruses won’t detect.

    OWASP ZSC encoderes are able to generate shell codes with random encodes and that allows you to generate thousands of new dynamic 

shellcodes with same job in just a second,that means, you will not get a same code if you use random encodes with same commands

URL: https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project

07- Burp Suite

    Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, 

from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

    Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

URL: https://portswigger.net/burp/

08- Halcyon IDE

    Halcyon is the first IDE specifically focused on Nmap Script (NSE) Development. This research idea was originated while writing custom Nmap Scripts for

Enterprise Penetration Testing Scenarios. The existing challenge in developing Nmap Scripts (NSE) was the lack of a development environment that gives

easiness in building custom scripts for real world scanning, at the same time fast enough to develop such custom scripts.

    Halcyon is free to use, java based application that comes with code intelligence, code builder, auto-completion, debugging and error correction options and

also a bunch of other features like other development IDE(s) has. This research was started to give better development interface/environment to researchers

and thus enhance the number of NSE writers in the information security community.

URL: http://halcyon-ide.org/

09- DataSploit

    DataSploit utilizes various Open Source Intelligence (OSINT) tools and effective techniques and brings them all into one place, correlates the raw data 

captured and gives the user, all the relevant information about the domain / email / phone number / person, etc. DataSploit allows you to collect relevant 

information about a target which can expand your attack/defence surface very quickly.

URL:  https://github.com/upgoingstar/datasploit

10- Lynis

    Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of

their Linux/Unix-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

URL: https://cisofy.com/lynis/

10- Faraday

    Faraday introduces a new concept (IPE) Integrated Penetration-Test Environment a multiuser Penetration test IDE. Designed for distribution, indexation and

analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take

advantage of them in a multiuser way.

URL: https://www.faradaysec.com

10- Sparta

    SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and

enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little

time is spent setting up commands and tools, more time can be spent focusing on analysing results. Despite the automation capabilities, the commands and

tools used are fully customisable as each tester has his own methods, habits and preferences.

URL: http://sparta.secforce.com/

Besides the Top 10, voters have mentioned the following tools (not sorted) and some made very decent scores

OWASP Dependency
OWASP JoomScan
ModSecurity
Android Tamer
BeeF
PEStudio
BloodHound
WPscan
WSSAT
Shelter AV Invasion
Responder
Needle

注：