Over the course of my information security career, I’ve used just about every tool you can think of, and I’ve had to write a few myself. Some of the best conversations – and worst arguments – I’ve had with my colleagues have been about which tools to use, and which tools to avoid. There’s no question that the availability of open source and other free software is a great thing on many levels. The sharing of ideas and collaboration enabled by open source have been critical to driving innovation in our industry, and I personally found open source resources very valuable at the beginning of my career. I spent a crazy amount of time installing, configuring, and learning to use those tools, but working with open source components helped me hone my skills, and… well… did I mention it’s free? Back in the day, when I knew next to nothing and my hours had little value to me, the time investment didn’t seem like a big deal.
My situation (thankfully) changed significantly as I advanced through my career, and as a professional, the time consumption associated with building these tools became increasingly costly. You can certainly perform a vulnerability assessment or a penetration test using nothing but open source tools. You can spend dozens, or more likely hundreds, of hours reviewing and selecting individual tools, reviewing their documentation, and learning to use each. You can automate by tying those tools together through custom-written scripting… that breaks every time one of the component tools is updated. But that’s not how I like to spend my time when I’m getting paid to test security.
The reality is that putting together a collection of open source or free tools is only cheaper if your time, and your team’s time, has little value. When you use a solution like Core Impact Pro, which allows you to leverage the same tool from vulnerability discovery through exploitation and reporting (for diverse classes of exploitation like network attacks, wireless, local, and client-side attacks) you get a tightly integrated workflow that’s exceptionally effective, battle-tested, and easy to learn. Is it worth it? Well, it means that you and your team can focus your time on fixing or mitigating security vulnerabilities rather than tool wrangling. It also means that your team gets up to speed more quickly with the short learning curve. Even better, because Core Impact Pro is so easy to learn, you can safely task less senior team members with configuring and running the tool.
That can translate into a better utilization of scarce human resources, and the opportunity to leverage more junior team members. The person running the tool is the most expensive part of the solution, and in most cases, I would argue that leveraging a tool like Impact more than pays for itself, since you no longer require a $150,000/year skillset to run it. To be clear, this isn’t a rant against open source. Core Security strongly supports and promotes open source and you can find lots of our open source projects at https://github.com/CoreSecurity. Core Impact Pro wouldn’t exist without open source – it’s built on top of many open source projects (e.g. Python, OpenSSL, Impacket). This is merely an exploration into when open source is right for the job, and when you need a purpose-built, integrated tool. And this is just one example – I want to hear others! Give me your success and horror stories. Where has open source proved enough to get the job done, and where has it ended up costing you?