Web application attacks get a lot of media coverage, and there is no end of experts and analysts underscoring the importance of testing applications. But it can be hard to know where to start. Should you buy a tool? Take a course? Just start testing random web sites you find online? In this post we provide a short outline of top resources to help you get started and educated on application security testing, in two steps.
1. Learn About Application Security Testing
Dynamic testing of a web application is only one part of a comprehensive secure software development lifecycle. Secure software starts during the requirements phase, when security requirements are defined and fed into the design and architecture phases. We are not trying to give short shrift to the importance of developing a complete, end-to-end secure development lifecycle; however, for the sake of brevity, this post focuses only on dynamic testing of web applications.
Dynamic testing of a web application means attempting to find vulnerabilities, and working exploits for them, in the running application rather than in its source code. In other words, you act as the attacker: you send the application the kind of input a real attacker would send (injected markup, SQL metacharacters, manipulated parameters) and observe whether it misbehaves, to determine whether a real attacker could compromise it. Attacks can be performed manually or with the help of a scanning tool. (More on tools in step two.)
Best resources to help get you started:
- OWASP Testing Guide – Web Application Penetration Testing
- OWASP Web Application Security Testing Cheat Sheet
- Web Application Security Checklist
- Risk-Based and Functional Security Testing
- Ethical Hacker – How to Break Web Software
2. Try Out Some Tools
Now that you know a little of what web application testing is about, it’s time to try out some testing!
Many commercial vendors offer trial versions of their tools, and a number of freeware tools are available. The Web Application Security Consortium maintains a full list of both here. IBM has a detailed post on how to use open source tools to test web applications for vulnerabilities.
If you are not sure what to test and do not want to risk getting fired for learning how to test by scanning your company's live production servers, OWASP has a list of testing-ground CDs and sites here. Only ever scan systems you own or have written authorization to test: a scanner sends real attack traffic, and running it against someone else's site is unauthorized access, whatever your intent.
The IBM Security AppScan download is a fully functional, unlimited version of the IBM Security AppScan Standard product. The only restriction is that scanning is limited to one site, Altoro Mutual at http://demo.testfire.net. We provided this site to testers so that you can explore the testing process without fear of bringing down a production site.
If you haven’t tried IBM Security AppScan before here are a few of the features and benefits:
- Broad coverage to scan and test for a wide range of application security vulnerabilities
- Advanced testing techniques that deliver accurate results with few false positives to triage
- Quick remediation with prioritized results and fix recommendations
- Enhanced insight and compliance that helps manage compliance and provides awareness of key issues
- Hybrid analysis that combines dynamic (black-box) testing with glass-box testing (a runtime agent that observes how injected input flows inside the application) and static taint analysis
- Full coverage of the OWASP Top 10 for 2013
- Support for the industry standard Transport Layer Security (TLS) protocol, version 1.2
- Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131A
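To make the two ideas above concrete, the definition of dynamic testing in step 1 and the black-box versus glass-box distinction in the feature list, here is a toy scanner written for this post. It is an added example, not code from the original post and not AppScan's code. The three request handlers (`vulnerable_search`, `hardened_search`, `blind_lookup`) are a constructed in-process stand-in for a web application, the canary string and probe payloads are arbitrary, and `SINK_LOG` plays the part of a glass-box agent hooked into the SQL executor. The black-box check only sees what comes back in the HTTP response, so it catches the reflected XSS but not the SQL injection in the handler that echoes nothing; the glass-box hook catches that one because it watches the sink directly.

```python
"""Toy dynamic (black-box) scanner plus a glass-box sink monitor.

Constructed for illustration: the handlers below stand in for a web
application, and SINK_LOG stands in for a runtime agent that hooks the
SQL query executor. None of this is AppScan code.
"""
import html
from urllib.parse import parse_qs, quote

# Glass-box side: a runtime hook records every SQL string reaching the executor.
SINK_LOG = []


def _param(query_string, name):
    """Return the first value of a query-string parameter, or ''."""
    return parse_qs(query_string).get(name, [""])[0]


def vulnerable_search(query_string):
    """Reflects the 'q' parameter into HTML without escaping (reflected XSS)."""
    q = _param(query_string, "q")
    return "<h1>Results for " + q + "</h1>"


def hardened_search(query_string):
    """Same page with the user input HTML-escaped: the 'after' of the fix."""
    q = _param(query_string, "q")
    return "<h1>Results for " + html.escape(q, quote=True) + "</h1>"


def blind_lookup(query_string):
    """Builds SQL from 'id' but never echoes it, so the response looks clean.

    A black-box scanner sees nothing; the glass-box hook sees the payload
    land unmodified inside the query string.
    """
    user_id = _param(query_string, "id")
    sql = "SELECT name FROM users WHERE id = '" + user_id + "'"
    SINK_LOG.append(sql)  # hypothetical agent hook on the query executor
    return "<p>Lookup done</p>"


# Scanner side. The canary makes the probe easy to find in responses and sinks.
CANARY = "zq9x"
PROBES = {
    # Unescaped reflection of a tag is a reflected-XSS indicator.
    "reflected-xss": "<" + CANARY + ">",
    # Quote characters reaching a SQL sink unmodified indicate injection.
    "sql-injection": CANARY + "'\"",
}


def scan(handler, param):
    """Send each probe as `param` to `handler` and return (issue, how_found)."""
    findings = []
    for issue, payload in PROBES.items():
        SINK_LOG.clear()
        body = handler(param + "=" + quote(payload))
        # Black-box check: did the raw payload come back in the response?
        if issue == "reflected-xss" and payload in body:
            findings.append((issue, "black-box"))
        # Glass-box check: did the raw payload reach the SQL executor?
        if issue == "sql-injection" and any(payload in sql for sql in SINK_LOG):
            findings.append((issue, "glass-box"))
    return findings


if __name__ == "__main__":
    for name, handler, param in [
        ("vulnerable_search", vulnerable_search, "q"),
        ("hardened_search", hardened_search, "q"),
        ("blind_lookup", blind_lookup, "id"),
    ]:
        print(name, "->", scan(handler, param) or "no findings")
```

Running it reports a black-box reflected-XSS finding for `vulnerable_search`, nothing for `hardened_search`, and a glass-box SQL-injection finding for `blind_lookup`. A real scanner adds crawling, many more payload variants per issue class, and error-message and timing heuristics for the blind case, but the loop is the same: send attacker-shaped input, then look for evidence that it was handled unsafely.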
Why Wait? Get Started Today
Whether you are just curious about how application security testing works or are thinking about making it your next career move, you can get started today, for free, with the resources and tools listed above.