Web application attacks get a lot of media coverage, and there’s no end of experts and analysts underscoring the importance of testing applications. But it can be hard to know where to start. Should you buy a tool? Take a course? Just start testing random web sites you find online? In this post we’ll provide a short outline of top resources to help you get started and educated on application security testing, in two steps.

1. Learn About Application Security Testing

Dynamic testing of a web application is only one part of a comprehensive secure software development lifecycle. Secure software starts during the requirements phase, when security requirements are defined and fed into the design and architecture phases. We’re not trying to give short shrift to the importance of developing a complete, end-to-end secure development lifecycle; however, for the sake of brevity, this post focuses only on dynamic testing of web applications.

Dynamic testing of a web application means attempting to find vulnerabilities and exploits in the running application. In other words, it’s like being the attacker – you attempt to attack an application to determine whether a real attacker could succeed against it. Attacks can be done manually or with the help of a scanning tool. (More on tools in step two.)

Best resources to help get you started:

2. Try Out Some Tools

Now that you know a little of what web application testing is about, it’s time to try out some testing!

Many commercial vendors offer trial versions of their tools, and there are a number of freeware tools available. The Web Application Security Consortium maintains a full list of both here. IBM has a detailed post on how to use open source tools to test web applications for vulnerabilities.

If you’re not sure what to test and don’t want to risk getting fired for learning how to test by scanning your company’s live production servers, OWASP has a list of testing-ground CDs and sites here.

The IBM Security AppScan download is a fully functional, unlimited version of the IBM Security AppScan Standard product. The only restriction is that scanning is limited to one site, Altoro Mutual at http://demo.testfire.net. We provided this site to testers so that you can explore the testing process without fear of bringing down a production site.

If you haven’t tried IBM Security AppScan before, here are a few of the features and benefits:

  • Broad coverage to scan and test for a wide range of application security vulnerabilities
  • Scan complex web applications, including those that utilize Adobe Flash, JavaScript, Ajax and Simple Object Access Protocol (SOAP) web services
  • Accurate scanning and advanced testing that delivers high levels of accuracy
  • Quick remediation with prioritized results and fix recommendations
  • Enhanced insight and compliance that helps manage compliance and provides awareness of key issues
  • Combine the advanced dynamic and innovative hybrid analysis of glass-box testing (runtime analysis) with static taint analysis
  • Full coverage of the OWASP Top 10 for 2013
  • Support for industry standard Transport Layer Security (TLS) protocol 1.2
  • Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a

We have a demo to help you get started along with a QuickStart Guide and an AppScan Forum.

Why Wait? Get Started Today

Whether you’re just curious about how application security testing works or are thinking about making it your next career move, you can get started today – for free with the resources and tools listed above.
