Web application attacks get a lot of media coverage and there’s no end of experts and analysts underscoring the importance of testing applications. But it can be hard to know where to start. Should you buy a tool? Take a course? Just start testing random web sites you find online? In this post we’ll provide a short outline of top resources to help you get started and educated on application security testing, in two steps.

1. Learn About Application Security Testing

Dynamic testing of web applications is only one part of a comprehensive secure software development lifecycle. Secure software starts during the requirements phase, when security requirements are defined and fed into the design and architecture phases. We’re not trying to give short shrift to the importance of developing a complete, end-to-end secure development lifecycle; however, for the sake of brevity, this post focuses only on dynamic testing of web applications.

Dynamic testing of a web application means attempting to find vulnerabilities and working exploits in the running application. In other words, it’s like being the attacker – you send attack inputs to the application and observe its responses to determine whether or not a real attacker could compromise it. Attacks can be done manually or with the help of a scanning tool. (More on tools in step two.)
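To make the probe-and-observe loop concrete, here is a small added illustration (not code from IBM or the AppScan product). The "application" is a constructed in-memory mock of a search page, standing in for a sanctioned target like the Altoro Mutual demo site; the allowlist, probe strings and function names are assumptions for the example.

```python
"""Minimal dynamic test loop: send probes, observe responses, classify findings."""
import html
from urllib.parse import urlparse

# Constructed allowlist: only sanctioned test targets may be probed
# (never a production host, which is the point of using a demo site).
ALLOWED_HOSTS = {"demo.testfire.net", "localhost"}

# Harmless marker strings; if one comes back verbatim, the page is not
# encoding user input before placing it in HTML (a classic reflected-XSS sign).
PROBES = ["<dyntest>", '"dyntest"', "'dyntest'"]


def mock_search_page(query: str, encode_output: bool) -> str:
    """Constructed mock of a search-results page.

    With encode_output=False it echoes the raw query (the vulnerable variant);
    with encode_output=True it HTML-encodes the query (the fixed variant).
    """
    shown = html.escape(query) if encode_output else query
    return f"<html><body><p>Results for: {shown}</p></body></html>"


def assert_allowed(url: str) -> None:
    """Refuse to run probes against anything outside the sanctioned allowlist."""
    host = urlparse(url).hostname
    if host not in ALLOWED_HOSTS:
        raise PermissionError(f"{host!r} is not a sanctioned test target")


def find_reflections(url: str, handler, encode_output: bool) -> list:
    """Run every probe through the handler and return those reflected unencoded."""
    assert_allowed(url)
    findings = []
    for probe in PROBES:
        body = handler(probe, encode_output)
        if probe in body:  # raw reflection: output encoding is missing
            findings.append(probe)
    return findings


if __name__ == "__main__":
    target = "http://demo.testfire.net/search.aspx"
    print("vulnerable variant:", find_reflections(target, mock_search_page, False))
    print("fixed variant:     ", find_reflections(target, mock_search_page, True))
```

The same loop is what a scanner automates at scale: many probes, many parameters, and response heuristics that decide which echoes are real findings.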

Best resources to help get you started:

2. Try Out Some Tools

Now that you know a little of what web application testing is about, it’s time to try out some testing!

Many commercial vendors offer trial versions of their tools, and there are a number of freeware tools available. The Web Application Security Consortium maintains a full list of both here. IBM has a detailed post on how to use open source tools to test web applications for vulnerabilities.

If you’re not sure what to test and don’t want to risk getting fired for learning how to test by scanning your company’s live production servers, OWASP has a list of testing-ground CDs and sites here.

The IBM Security AppScan download is a fully functional, unlimited version of the IBM Security AppScan Standard product. The only restriction is that scanning is limited to one site, Altoro Mutual at http://demo.testfire.net. We provided this site to testers so that you can explore the testing process without fear of bringing down a production site.

If you haven’t tried IBM Security AppScan before, here are a few of the features and benefits:

  • Broad coverage to scan and test for a wide range of application security vulnerabilities
  • Scan complex web applications, including those that utilize Adobe Flash, JavaScript, Ajax and Simple Object Access Protocol (SOAP) web services
  • Accurate scanning and advanced testing that delivers high levels of accuracy
  • Quick remediation with prioritized results and fix recommendations
  • Enhanced insight and compliance that helps manage compliance and provides awareness of key issues
  • Combine the advanced dynamic and innovative hybrid analysis of glass-box testing (runtime analysis) with static taint analysis
  • Full coverage of the OWASP Top 10 for 2013
  • Support for industry standard Transport Layer Security (TLS) protocol 1.2
  • Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a

We have a demo to help you get started along with a QuickStart Guide and an AppScan Forum.

Why Wait? Get Started Today

Whether you’re just curious about how application security testing works or are thinking about making it your next career move, you can get started today – for free with the resources and tools listed above.
