Companies should not use free security testing tools exclusively

Open source tools can be deployed to complement licensed software in a security testing environment, but businesses must not rely solely on such free options to achieve their primary objectives, say industry watchers.
Written by Vivian Yeo, Contributor

Some businesses are using free security tools as part of their testing processes, but few, if any, are relying solely on such software, according to industry watchers.

The use of such free tools in an enterprise environment may be a good sign, since most companies that do so would otherwise not have conducted any form of security checks, Graham Titterington, principal analyst at Ovum, said in an e-mail. He noted that security testing is still not a common practice in software development.

Gerry Chng, Far East information security leader at Ernst & Young, reported that the use of free security testing software is "quite prevalent", with most organizations deploying a suite of free tools to complement licensed software.

Singapore-based logistics company YCH Group is one organization that is not averse to using free security testing tools. CIO James Loo told ZDNet Asia in an e-mail that most multinational corporations are tapping supported open source tools to save costs.

Describing this trend as "not a bad thing", Loo said: "For Y3 Technologies (YCH's technology arm), we are always watchful of the open source arena and will evaluate free tools based on business requirements."

Y3 is currently setting up its new Stress Test Centre and evaluating open source security testing tools on top of licensed options, he added. "Among the software we are evaluating are Snort and Auditor; we don't rule out any products for our R&D (research and development) and the continuous improvement of the Stress Test Centre environment," he said.

He noted that using free tools to complement the company's security testing portfolio would not in any way affect its corporate reputation. In fact, companies and individuals familiar with Y3 are likely to brand the company a "smart user", he added.

However, he said YCH would not rely solely on free tools to ensure its programs are free from vulnerabilities.

Security limitations
There are downsides to using open source tools as well, Loo explained, pointing to limited features and the need for customization.

Companies that adopt open source elements in their environment need to have "some degree of technical competency" in their in-house team, or purchase open source-based customized products from vendors and work with them on requirements including support, he said.

Clients of Indian IT services provider Mahindra Satyam generally do not insist on a particular type of testing tool but still choose licensed options over free ones, according to the company's Asia-Pacific senior vice president, Rohit Gandhi. "Even with cost constraints, clients prefer to go with commercial tools," he pointed out in an e-mail.

Gandhi noted that businesses cannot rely totally on free tools as these do not necessarily provide good coverage and strong technical support.

"A combination of free tools can do a bit better but relying totally on the results of free tools would be a risk to businesses," he said. However, he noted that some enterprises would be more willing to take the risk if the vendor offering the free tool is prominent in the market.

"The reliability of the tool is more important than anything else," he added.

When Google released its skipfish Web security scanner last month, it said the tool was "not a silver bullet" and does not address the majority of the requirements outlined in the WASC (Web Application Security Consortium) Web Application Security Scanner Evaluation Criteria.

At the end of the day, Ernst & Young's Chng said, it is "not a question of free versus licensed software" but how the organization uses different security testing tools to achieve its testing objectives.

"It is more important for organizations to establish a software-testing methodology and provide the necessary training for their staff," he noted, adding that tools that fit their testing methodologies and suit employees' technical competencies should be adopted.

"Any tool is only as good as the wielder and hence, organizations should not be lulled into a false sense of security by amassing an arsenal of expensive security testing software without first establishing the basics, leaving staff ill-equipped to leverage the tools," he noted.