Automated Security Test Orchestration with Golismero

I was recently asked to speak at a large industry event on automated security testing, so I decided to focus on orchestrating multiple tools. This is an area of interest of mine, where multiple tests work together to validate each other's results. For example, what if, after your dynamic web scanner completed, all of the unconfirmed SQL injection results were automatically passed to SQLMap, which then attempted to exploit them, automatically moving any exploited inputs to a “confirmed” state and removing any unexploitable findings?

Because the most expensive part of an automated security test program is typically the cost of vetting the results (think expensive security analysts reviewing reports for false positives), test orchestration has significant cost-savings potential. It would also encourage groups to venture beyond their one or two core tools.
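The scanner-to-verifier hand-off described above, as an added example that is not part of the original post and not Golismero's own code: a small Python orchestrator takes a constructed set of scanner findings, routes each unconfirmed finding to a verifier registered for its vulnerability type, and applies the verifier's verdict (confirmed, or removed as unexploitable). The SQL injection verifier here does not run anything itself; it consumes a constructed results file laid out like sqlmap's results CSV (the column names `Target URL,Place,Parameter,Technique(s),Note(s)` are an assumption about that format) and matches rows back to findings by URL path and parameter. Findings with no registered verifier, such as the XSS entry, stay unconfirmed for a human analyst, which is the state the orchestration is trying to minimise.

```python
"""Toy orchestration: scanner findings -> per-type verifier -> triage state.

Added example; the finding list and the results CSV are constructed samples.
"""
import csv
import io
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List
from urllib.parse import urlsplit, urlunsplit


class State(Enum):
    UNCONFIRMED = "unconfirmed"   # needs an analyst (or a verifier) to decide
    CONFIRMED = "confirmed"       # verifier reproduced the issue
    REMOVED = "removed"           # verifier could not reproduce it


@dataclass
class Finding:
    vuln_type: str
    url: str
    parameter: str
    state: State = State.UNCONFIRMED
    note: str = ""


# Constructed sample of what a dynamic web scanner might report (hypothetical host).
SCANNER_FINDINGS = [
    Finding("sqli", "http://bwa.example/login.php?user=a&pass=b", "user"),
    Finding("sqli", "http://bwa.example/login.php?user=a&pass=b", "pass"),
    Finding("sqli", "http://bwa.example/search.php?q=test", "q"),
    Finding("xss", "http://bwa.example/guestbook.php?msg=hi", "msg"),
]

# Constructed sample in the shape of sqlmap's results CSV (assumed column names).
# Only 'user' and 'q' were reported injectable; 'pass' is absent.
SQLMAP_RESULTS_CSV = """Target URL,Place,Parameter,Technique(s),Note(s)
http://bwa.example/login.php?user=a&pass=b,GET,user,BEU,
http://bwa.example/search.php?q=test,GET,q,B,
"""


def normalise(url: str) -> str:
    """Drop the query string so URLs match even if the verifier rewrote parameter values."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def sqlmap_verifier(findings: List[Finding], results_csv: str) -> List[Finding]:
    """Confirm each SQLi finding whose (path, parameter) appears in the results CSV;
    every other finding in the group is marked removed (unexploitable)."""
    injectable = set()
    for row in csv.DictReader(io.StringIO(results_csv)):
        injectable.add((normalise(row["Target URL"]), row["Parameter"]))
    for f in findings:
        if (normalise(f.url), f.parameter) in injectable:
            f.state, f.note = State.CONFIRMED, "reproduced by verifier"
        else:
            f.state, f.note = State.REMOVED, "verifier could not reproduce"
    return findings


Verifier = Callable[[List[Finding]], List[Finding]]


def orchestrate(findings: List[Finding], verifiers: Dict[str, Verifier]) -> List[Finding]:
    """Group unconfirmed findings by type and hand each group to its verifier.
    Types without a verifier are left unconfirmed for manual review."""
    groups: Dict[str, List[Finding]] = {}
    for f in findings:
        if f.state is State.UNCONFIRMED:
            groups.setdefault(f.vuln_type, []).append(f)
    for vuln_type, group in groups.items():
        verifier = verifiers.get(vuln_type)
        if verifier is not None:
            verifier(group)
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per triage state; this is the analyst's remaining workload."""
    counts = {s.value: 0 for s in State}
    for f in findings:
        counts[f.state.value] += 1
    return counts


def run_demo() -> List[Finding]:
    """Run the pipeline on fresh copies of the constructed findings."""
    findings = [Finding(f.vuln_type, f.url, f.parameter) for f in SCANNER_FINDINGS]
    verifiers = {"sqli": lambda group: sqlmap_verifier(group, SQLMAP_RESULTS_CSV)}
    return orchestrate(findings, verifiers)


if __name__ == "__main__":
    results = run_demo()
    for f in results:
        print(f"{f.vuln_type:5} {f.parameter:5} {f.state.value:12} {f.note}")
    print(summarise(results))
```

The verifier registry is the extension point: adding a second verifier is a matter of registering another callable under its vulnerability type, and the orchestrator never needs to know how any verifier reaches its verdict.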

There is an open source tool called Golismero that attempts to do this. The tool is still fairly immature but shows promise. The way it works is remarkable: the end user enters a fairly simple command-line statement, and Golismero then manages the execution and reporting of 23 automated security tools:

  1. Nikto
  2. Nmap
  3. Openvas
  4. Spiderfoot
  5. Sslscan
  6. Sqlmap
  7. Xsser
  8. Dns_Malware
  9. Geoip
  10. Punkspider
  11. Shodan
  12. Plecost
  13. Default Error Page
  14. Directory Listing
  15. Exploit-DB
  16. Fingerprint Web
  17. Brute Directories
  18. Brute Dns
  19. Brute Extensions
  20. Brute Permutations
  21. Brute Predictables
  22. Brute Prefixes
  23. Brute Suffixes

To demonstrate the power of this type of testing, I spun up the OWASP Broken Web App VM and crafted a simple command line instruction on a Kali Linux instance:

golismero scan <OWASP BWA IP> -db owaspbwa -pu root -pp owaspbwa

This simple command launched the 23 different tools and created a report with 181 findings. You can view the report here if you are interested. To read more about Golismero reporting, see the reporting page.

Golismero is a trend setter, but it still has a ways to go. Besides the bugs that can be expected in any project at this stage, the big limitation I see in Golismero right now is the lack of a high-end web scanner. In theory, any scanner with an API can be integrated through Golismero’s plug-in framework.

Golismero runs on most flavors of Linux and can also be run on Windows with some effort and limitations.

A major shout-out to the Golismero development team for their strategic vision and hard work:

Mario Vilas: Core developer
Raúl Requero: Front end developer
Daniel García: Back end developer
