Web application attacks get a lot of media coverage, and there’s no end of experts and analysts underscoring the importance of testing applications. But it can be hard to know where to start. Should you buy a tool? Take a course? Just start testing random web sites you find online? (Please don’t: testing systems you aren’t authorized to test is illegal in most jurisdictions.) In this post we provide a short outline of top resources to help you get started and educated on application security testing, in two steps.

1. Learn About Application Security Testing

Dynamic testing of web applications is only one part of a comprehensive secure software development lifecycle. Secure software starts during the requirements phase, when security requirements are defined and fed into the design and architecture phases. We’re not trying to give short shrift to the importance of developing a complete, end-to-end secure development lifecycle; however, for the sake of brevity, this post focuses only on dynamic testing of web applications.

Dynamic testing of a web application means attempting to find vulnerabilities, and ways to exploit them, in the running application, without access to its source code. In other words, it’s like being the attacker: you send the application the kind of input an attacker would send and observe how it responds, to determine whether a real attacker could compromise it. Attacks can be done manually or with the help of a scanning tool. (More on tools in step two.)
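To make the idea concrete, here is an added example (written for this post, not code from IBM, AppScan or any tool mentioned here) of the simplest possible dynamic test: a scanner that sends a canary string in a query parameter and checks whether the running application reflects it back unescaped, which is the black-box signal for reflected cross-site scripting. Because this has to run offline, the target is a constructed, deliberately reflective HTTP server started on a loopback port; the `/search` and `/safe` paths, the `q` parameter and the canary value are all assumptions made for the demonstration.

```python
"""Minimal dynamic (black-box) test for unescaped reflection.

Constructed example: a tiny deliberately reflective HTTP server stands in
for the target application, and the scanner never looks at its code. It only
sends requests and inspects responses, which is what dynamic testing means.
"""
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY = "zq7xC4n4ry"          # assumed canary: unlikely to occur in normal page content
PAYLOAD = f"<{CANARY}>"        # angle brackets reveal whether HTML escaping is applied


class ReflectingHandler(BaseHTTPRequestHandler):
    """Constructed target: /search echoes 'q' unescaped, /safe escapes it."""

    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(parsed.query).get("q", [""])[0]
        if parsed.path == "/search":
            body = f"<html><body>Results for {q}</body></html>"          # vulnerable
        elif parsed.path == "/safe":
            body = f"<html><body>Results for {html.escape(q)}</body></html>"  # fixed
        else:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_target():
    """Bind the constructed target to an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), ReflectingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(base_url, path, param):
    """Send the payload in one parameter; True if it is reflected unescaped."""
    url = f"{base_url}{path}?{urllib.parse.urlencode({param: PAYLOAD})}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        body = resp.read().decode("utf-8", "replace")
    # If escaping were applied the response would contain &lt;...&gt; instead.
    return PAYLOAD in body


def scan(base_url, targets):
    """targets: list of (path, param) to probe. Returns a list of findings."""
    findings = []
    for path, param in targets:
        if probe(base_url, path, param):
            findings.append({
                "path": path,
                "param": param,
                "issue": "input reflected without HTML escaping (possible XSS)",
            })
    return findings


def run_demo():
    """Start the constructed target, scan both endpoints, shut it down."""
    server = start_target()
    base_url = f"http://127.0.0.1:{server.server_port}"
    try:
        return scan(base_url, [("/search", "q"), ("/safe", "q")])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Only `/search` is reported, because `/safe` returns the canary as `&lt;zq7xC4n4ry&gt;`. A real scanner does the same thing at scale: it crawls the application to discover inputs, substitutes many payload families (not just one canary) and uses response-based checks like this one to decide what to report. Note that this probe sends harmless markers rather than live exploits, and you should still only point it at systems you own or have written permission to test.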

Best resources to help get you started:

2. Try Out Some Tools

Now that you know a little of what web application testing is about, it’s time to try out some testing!

Many commercial vendors offer trial versions of their tools, and there are a number of freeware tools available. The Web Application Security Consortium maintains a full list of both here. IBM has a detailed post on how to use open source tools to test web applications for vulnerabilities.

If you’re not sure what to test, and don’t want to risk getting fired for learning how to test by scanning your company’s live production servers, OWASP has a list of deliberately vulnerable testing-ground live CDs and sites here.

The IBM Security AppScan download is a fully functional, unlimited version of the IBM Security AppScan Standard product. The only restriction is that scanning is limited to one site, Altoro Mutual at http://demo.testfire.net, a deliberately vulnerable demo banking application. We provide this site so that testers can explore the testing process without fear of bringing down a production site.

If you haven’t tried IBM Security AppScan before, here are a few of its features and benefits:

  • Broad coverage to scan and test for a wide range of application security vulnerabilities
  • Scan complex web applications, including those that utilize Adobe Flash, JavaScript, Ajax and Simple Object Access Protocol (SOAP) web services
  • Advanced testing techniques that deliver high levels of accuracy
  • Quick remediation with prioritized results and fix recommendations
  • Enhanced insight that helps manage compliance and provides awareness of key issues
  • Hybrid analysis that combines dynamic testing with glass-box testing (runtime analysis) and static taint analysis
  • Full coverage of the OWASP Top 10 for 2013
  • Support for industry standard Transport Layer Security (TLS) protocol 1.2
  • Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a

We have a demo to help you get started, along with a QuickStart Guide and an AppScan Forum.

Why Wait? Get Started Today

Whether you’re just curious about how application security testing works or are thinking about making it your next career move, you can get started today, for free, with the resources and tools listed above.
