Web application attacks get a lot of media coverage, and there’s no end of experts and analysts underscoring the importance of testing applications. But it can be hard to know where to start. Should you buy a tool? Take a course? Just start testing random websites you find online? In this post we’ll provide a short outline of top resources to help you get started and educated on application security testing, in two steps.

1. Learn About Application Security Testing

Dynamic testing of a web application is only one part of a comprehensive secure software development lifecycle. Secure software starts during the requirements phase, when security requirements are defined and fed into the design and architecture phases. We’re not trying to give short shrift to the importance of developing a complete, end-to-end secure development lifecycle; however, for the sake of brevity, this post focuses only on dynamic testing of web applications.

Dynamic testing of a web application means attempting to find vulnerabilities and exploits in the running application. In other words, it’s like being the attacker – you attack the application to determine whether or not a real attacker could succeed. Attacks can be performed manually or with the help of a scanning tool. (More on tools in step two.)
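To make the “be the attacker” loop concrete, here is an added example (not from the original post, and unrelated to AppScan or the Altoro Mutual site): it starts a constructed one-page demo app on localhost, sends it a marker containing HTML metacharacters the way a scanner would, and reports whether the running app echoes the marker back unescaped; the hardened variant of the same page shows the probe coming back clean.

```python
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo app (not the Altoro Mutual site): a search page that reflects
# the query; the vulnerable variant echoes it verbatim, the hardened one escapes it.
def render_search(query, escape_output):
    shown = html.escape(query) if escape_output else query
    return f"<html><body><h1>Results for: {shown}</h1></body></html>"

class DemoHandler(BaseHTTPRequestHandler):
    escape_output = False  # overridden per instance in start_server()
    def do_GET(self):
        qs = urllib.parse.urlparse(self.path).query
        query = urllib.parse.parse_qs(qs).get("q", [""])[0]
        body = render_search(query, self.escape_output).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def start_server(escape_output):
    """Serve the demo app on an ephemeral localhost port; return (server, base_url)."""
    handler = type("Handler", (DemoHandler,), {"escape_output": escape_output})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

def probe_reflection(base_url):
    """Black-box probe: does the running app echo an HTML marker back unescaped?"""
    marker = '<dast-marker id="x7q">'
    url = base_url + "/search?q=" + urllib.parse.quote(marker)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies
    with opener.open(url, timeout=5) as resp:
        page = resp.read().decode("utf-8", "replace")
    return marker in page  # True = unescaped reflection, a finding to triage

def scan(escape_output):
    """Start one variant of the app, probe it over HTTP, then shut it down."""
    server, base_url = start_server(escape_output)
    try:
        return probe_reflection(base_url)
    finally:
        server.shutdown()
        server.server_close()
```

A real scanner repeats this send-and-inspect cycle for every parameter it discovers and for many payload classes; the point here is that the tester only sees what the running application returns.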

Best resources to help get you started:

2. Try Out Some Tools

Now that you know a little of what web application testing is about, it’s time to try out some testing!

Many commercial vendors offer trial versions of their tools, and there are a number of freeware tools available. The Web Application Security Consortium maintains a full list of both here. IBM has a detailed post on how to use open source tools to test web applications for vulnerabilities.

If you’re not sure what to test and don’t want to risk getting fired for learning how to test by scanning your company’s live production servers, OWASP maintains a list of testing-ground CDs and sites here.

The IBM Security AppScan download is a fully functional, unlimited version of the IBM Security AppScan Standard product. The only restriction is that scanning is limited to one site, Altoro Mutual at http://demo.testfire.net. We provided this site to testers so that you can explore the testing process without fear of bringing down a production site.

If you haven’t tried IBM Security AppScan before, here are a few of the features and benefits:

  • Broad coverage to scan and test for a wide range of application security vulnerabilities
  • Scan complex web applications, including those that utilize Adobe Flash, JavaScript, Ajax and Simple Object Access Protocol (SOAP) web services
  • Advanced testing techniques that deliver high levels of scanning accuracy
  • Quick remediation with prioritized results and fix recommendations
  • Enhanced insight that helps manage compliance and provides awareness of key issues
  • Combine the advanced dynamic and innovative hybrid analysis of glass-box testing (runtime analysis) with static taint analysis
  • Full coverage of the OWASP Top 10 for 2013
  • Support for industry standard Transport Layer Security (TLS) protocol 1.2
  • Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a

We have a demo to help you get started along with a QuickStart Guide and an AppScan Forum.

Why Wait? Get Started Today

Whether you’re just curious about how application security testing works or are thinking about making it your next career move, you can get started today – for free with the resources and tools listed above.
