Is security freeware more or less than you pay for?

11/30/2009 12:32:05 PM

Begin a search of “security freeware” and you’ll find everything from scanners, LAN analyzers, network mapping and network forensic tools to firewalls, vulnerability assessment software, IDS, and log analysis tools. The price is right and everyone needs more security. What’s the catch?

Is the Software Truly Secure and Free?

I download, install, evaluate, and critique security freeware fairly often. I recommend and use a number of these, routinely, and I’m amazed at how complete, well maintained and stable some of the applications are. The phrase security freeware, however, is too often misused, and like the entire freeware space, is in danger of becoming an oxymoron. Security software should be secure software. Folks who write it should be familiar with and practice secure coding. They should be accessible and accountable for the product they provide: in security-speak, they should be readily identifiable, non-repudiable origins. Folks who make security software available should have competent, security-savvy staff to support and maintain it. And the term “free” should be used without encumbrance. Trial-ware is not the same as freeware, and adware should never be advertised as security freeware. Spyware advertised as security software is evil incarnate.

If these controls were scrupulously applied, Google searches would return considerably fewer than two million results. Such controls are absent, so if you are considering security freeware, remember the five Ws.

What to Ask Before You Use Security Freeware

Who wrote the software? Can you identify and trust the developer? Has the software undergone sufficient testing to determine it is both functional and stable? Is the work original (or has the author ignored copyrights and incorporated open source into his work)? Can you trust the download site? Does the download site have the right to (re)distribute the freeware? Open source or freeware may have been copied onto other sites without permission or license to distribute.

Open source and community projects do a commendable job here. The names and contact information for SourceForge project administrators and developers are publicly available. The same is true for the many contributors to Ethereal (Wireshark), a brilliant LAN analyzer, and the enormously popular Nmap and Nessus scanners, and the Snort intrusion detection system. A signature file often accompanies source and executables, to confirm that the version is authentic. With commercial security software, we typically consider the company’s reputation and public record with regard to vulnerabilities reported, accountability, willingness and timeliness to provide hot fixes and patches. With freeware, you should consider the reputation and pedigree of the authors, the commitment of the authors and community to test, maintain and improve freeware. The organizations I mentioned above all score well here.
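The signature or checksum file that accompanies a release only confirms authenticity if you actually check it. As an added example (not code from the article or from any of the projects named above): a small Python verifier that parses a sha256sum-style listing, reports each listed download as intact, tampered or missing, and checks the detached signature on the listing with a local gpg binary (assumed to be installed and to already trust the signer's key). File names and contents in demo() are constructed.

```python
import hashlib
import os
import subprocess
import tempfile

def parse_sums(text):
    """Parse a sha256sum-style listing: '<64 hex chars>  <filename>' per line."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[parts[1].strip().lstrip("*")] = parts[0].lower()  # '*' marks binary mode
    return entries

def signature_is_valid(sums_path, sig_path):
    """gpg --verify on the listing's detached signature; False when gpg is absent.
    Without this step the listing can be swapped on a mirror as easily as the file."""
    try:
        return subprocess.run(["gpg", "--verify", sig_path, sums_path],
                              capture_output=True).returncode == 0
    except FileNotFoundError:
        return False

def verify_downloads(directory, sums_text):
    """Map each listed filename to 'OK', 'MISMATCH' or 'MISSING'."""
    results = {}
    for name, expected in parse_sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            with open(path, "rb") as f:
                actual = hashlib.sha256(f.read()).hexdigest()
            results[name] = "OK" if actual == expected else "MISMATCH"
    return results

def demo():
    """Constructed sample: one intact file, one tampered file, one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("scanner-1.0.tar.gz", b"constructed release payload"),
                           ("scanner-1.0.exe", b"payload replaced on a mirror")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        listing = (f"{hashlib.sha256(b'constructed release payload').hexdigest()}  scanner-1.0.tar.gz\n"
                   f"{hashlib.sha256(b'original exe').hexdigest()}  scanner-1.0.exe\n"
                   f"{'0' * 64}  scanner-1.0.zip\n")
        return verify_downloads(d, listing)
```

Run signature_is_valid on the listing before trusting any "OK" result; a checksum that was never signed proves only that the download matches whatever the mirror chose to publish.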

What does the software do? Do some homework. Identify the security function or service you need. Hunt down candidates and compare. Is the software what it claims to be? What else does the software really do? Does the software do all that it claims to do? Is it really freeware? Is it “free” of advertising and tracking technology? Is it fully functional or trial ware disguised as freeware for the sake of increasing popularity on search engines? A final and important consideration for commercial organizations is whether the software is free for non-commercial use only.

Where do you intend to use security freeware? One of the most practical ways to apply security freeware is to perform auditing and forensics. A wealth of freeware is available for these purposes. Many of these evolved from attacker tools. Some are absolutely dreadful hacks, while others have been scrubbed, polished and hammered into highly useful tools. Look again to legitimate sources, including security companies like @stake, Foundstone and others, who offer free versions of software they have developed and acquired over time in the course of building their portfolio of managed and consulting security services. Some security freeware – file system integrity checkers, IDS/IPS, log and network analysis – can also serve growing organizations. In general, the security freeware I’ve found most useful are “for individual use”: auditing tools, manual or easily scripted analysis tools, and monitoring tools where “eyeballing” can be factored into an operational practice.

Set Expectations High

When you download calendar, screensaver, calculator, or HTML editing freeware, you’re wise to set your expectations low, and be pleasantly surprised if they are exceeded. With security freeware, you must set your expectations high. Be careful how and what you compromise when choosing security freeware. You’ll get more than you paid for, and hopefully will avoid getting more than you bargained for.

Originally published October 2004 in Security Pipeline, reprinted courtesy of CMP Technology and Dark Reading.