CHAPTER 12
Server Scanning With Nikto
There are a handful of Open Source security tools that always deserve a mention in connection with CI/CD pipelines. One such tool is the sophisticated Nikto (cirt.net/Nikto2), a web server scanner that can hunt for a staggering 6,700+ specific files and programs that may cause security issues. It also has a historical function that can test for 1,250 out-of-date servers and can highlight version-specific issues on 270 different servers. In other words, to say that Nikto is comprehensive is an understatement. It can be used in the latter parts of your CI/CD pipeline tests, once your hosts are configured and live, to offer invaluable insight into potential issues with your hosts.
In this chapter, we will look through the installation and configuration of the excellent Nikto.
Things to Consider
It should be noted that Nikto flies through its tests at a rate of knots. It is not going to sit quietly in stealth mode and suddenly appear with a coup d’état; instead, it will fill your servers’ logs up dramatically and cause a flurry of activity in every corner of your hosts’ intrusion detection system (IDS).
Also, because it is so powerful, you need to be sure only to run Nikto on hosts that you own or have explicitly received permission to scan. You have been suitably warned!
One final thing to note is that issues Nikto identifies are not always security problems but can be used for informational purposes to improve operational functionality ...