Why spend more money than you need to on your information security and compliance efforts? This page collects links to software and systems for implementing information security and compliance on a small budget. Listing a product here does not mean I endorse it, unless specifically mentioned.

Full Disk Encryption and USB Drive Encryption

  1. TrueCrypt

PKI and Certificate Server

  1. Fedora Linux Dogtag
  2. OpenSSL

Email and File Encryption

  1. GnuPG
  2. Gpg4win

Secure Instant Messaging

  1. ejabberd


  1. OpenVPN


  1. OSSEC – Host-based IDS
  2. Samhain – Host-based IDS
  3. Snort
  4. Snort rules – Emerging Threats

Event Correlation and System Monitoring

  1. Pandora
  2. SEC – Simple Event Correlator
  3. Zenoss – Open source system monitoring and management
  4. Zabbix – Open source monitoring
  5. Nagios – System monitoring


  1. Network
    1. Smoothwall
    2. Netfilter/iptables – included in Linux distributions as well
    3. IPCop
  2. Host-based
    1. Netfilter/iptables – included in Linux distributions as well
  3. Web application firewalls
    1. ModSecurity
    2. Microsoft URLScan

Free Open Source Intrusion Detection with Snort

  1. Snort IDS
  2. Also get my book on Snort at

Identity Management

  1. OpenLDAP is a free, open source LDAP server available on multiple platforms

Federated Identity Management System

  1. SourceID supports multiple protocols including SAML, CardSpace, Liberty, WS-Federation, etc.
  2. OpenSAML libraries

Free Antivirus Solutions

  1. For non-commercial home use, Avast is free software and is available at
  2. ClamAV is free and available on multiple platforms

Log Management

  1. Octopussy – Open source log management
  2. For small businesses – the free version of Splunk
  3. For medium to large businesses, consider using syslog-ng or rsyslog with a MySQL backend for reporting and alerting. Most commercial log management systems don’t deliver; you may end up spending a large amount of money on licensing and support with little “real” benefit by going with a commercial solution.

System/Application Vulnerability Assessment and Pen Testing

  1. Nessus
  2. Nmap
  3. Metasploit
  4. Wireshark – packet capture and analysis
  5. Kismet – wireless network detection and sniffing
  6. BackTrack
  7. Nexpose Community Edition (free version)
  8. Microsoft Baseline Security Analyzer (MBSA)
  9. Microsoft Security Assessment Tool (MSAT) provides a basic security assessment and action items for an organization. This could be a first, basic step for small organizations.
  10. OpenVAS Vulnerability Scanner is similar to Nessus (client/server architecture)
  11. SSL crypto verification and certificate checking – sslscan, available on Linux; install it with yum

Education and Awareness

  1. ENISA educational videos and posters
  2. Web application and database security videos from Imperva

Security Check Lists and Other Documentation Resources

  1. NIST National Checklist Program Repository
  2. Cloud Computing Risk Analysis
  3. Multiple checklists available at

Free Information Security and Other Books/Software

  1. Bruce Perens open source series provides free PDFs of open source books. The link is:
  2. Linux resources and software information at

6 Responses to Links

  1. Hey Rafeeq – Thanks for the nice mention in the OpenID book! Hope you are doing well and sorry we did not catch up in SF. Maybe Amgad can get us together for some lunch or dinner? Later, Todd

  2. Rey Bartolomei says:

    Hey Rafeeq, great site. I will be using it quite often.

  3. Pingback: “Less is More” and “Commercial is not equal to Better” « Rafeeq Rehman

  4. Inca Jones says:

    Can you suggest companies that perform intrusion testing at affordable rates?

  5. Pingback: CISO Strategy - Create Security Essentials Metrics
