Manual & Automated Security Testing
I am new to the security testing side, and as always am looking to get educated by this forum.
What I am looking for is answers to the questions below:
- What tools are available that assist in executing manual security testing? (for .NET and Java platforms)
- What tools are available that assist in developing an automated security testing suite and can be integrated into a standard CI Agile model? I mean the work gets on-boarded onto a standard build pipeline, e.g. Jenkins, Gopipeline (for .NET and Java platforms)
- What are the programmatic approaches (not tools), i.e. developing automation capabilities to execute security testing? (.NET & Java platforms)
- Can anyone share how to apply a Cucumber-style testing approach to execute security testing?
I did see mention of Fiddler, Charles and other similar tools, but wanted to know if they are truly for manual execution or if they do automation, just like we have Selenium, JUnit etc. to automate UI and other non-UI functional tests.
Originally Posted by san27geet
Before I answer your question, I want to differentiate what I define as Security Scanning vs. Security Testing. These are my definitions, not industry-standard definitions. Then I will mention a few tools you can use to help with Security Scanning.
I define Security Scanning as the act of performing testing against known signatures, against common known problems. There are two activities that go into this: 1) Static analysis - finding bad code patterns, and 2) Penetration Testing - the act of attacking a running system.
I define Security Testing as an all-encompassing term that would additionally involve a full threat assessment, threat modeling, vulnerability analysis, etc. For example, something like evaluating whether or not the magnetic resonance given off by the server rack could leak data to a neighboring server rack (see "Air-gapped computers are no longer secure" - TechRepublic).
OK, now on to some useful tools. For the sake of keeping this short, I'm going to focus on Application Level Web Security Scanning.
* A Static Code Analysis Tool will get you the most bang for your time spent. https://www.owasp.org/index.php/Sour...Analysis_Tools Select one that fits the language your developers are using. (I would use 1 open source and 1 commercial tool, with the more expensive commercial tool run less often, against release candidates.)
* Zed Attack Proxy - Takes a lot of training to learn how to use, but a great open source tool for scanning against many OWASP identified problems. https://www.owasp.org/index.php/OWAS..._Proxy_Project
* Various plugins for Google Chrome for XSS attack scanning - 19 Extensions to Turn Google Chrome into Penetration Testing tool - InfoSec Resources (from that list, I'd focus more on the XSS tools; it's hard to detect other types of security problems using a browser alone).
* Tamper Data Firefox Plugin - I use this tool when I want to intercept requests mid-flight and try to alter the ajax payloads. https://addons.mozilla.org/en-US/fir...n/tamper-data/
* Wireshark - This is an interceptor proxy with a lot of power to do low level packet inspection. https://www.wireshark.org/ (Like Fiddler, but lets you see much lower level traffic)
* Skipfish - Detects threats similar to Zed Attack Proxy. I think it's harder to use, but you can easily repeat scans to a CI system. - https://www.owasp.org/index.php/Auto...using_SKIPFISH
(my recommendation is to use Zed to augment manual testing, and put Skipfish into your CI builds)
Before going into security testing, I would recommend going through all the WebGoat related lessons: https://github.com/WebGoat/WebGoat. To be a security testing professional, I'd probably recommend graduate level courses on application and network security.
Last edited by dlai; 05-16-2016 at 09:14 AM.
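As an added illustration of running a scanner in a CI build as discussed above (not code from either poster or from any of the tools named), here is a build gate that reads a scan report and sets the step's exit code. It assumes the findings were exported as JSON in the layout of Zed Attack Proxy's JSON report (`site[].alerts[]` with `pluginid`, `alert`, `riskcode`, `instances`); the sample report, host name and the `accepted` allow-list are constructed for the example.

```python
import json
import sys

RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}  # ZAP riskcode values

# Constructed sample (not real scan output), trimmed to the fields the gate reads.
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "http://app.test.example:8080",
    "alerts": [
        {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
         "instances": [{"uri": "http://app.test.example:8080/search?q=x", "method": "GET"}]},
        {"pluginid": "10020", "alert": "Missing Anti-clickjacking Header", "riskcode": "2",
         "instances": [{"uri": "http://app.test.example:8080/", "method": "GET"}]},
        {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
         "instances": [{"uri": "http://app.test.example:8080/", "method": "GET"}]},
    ]}]})


def gate(report_text, fail_at=2, accepted=frozenset()):
    """Return (exit_code, findings): 0 = pass, 1 = findings, 2 = unusable report.

    fail_at  -- lowest risk code that breaks the build (2 = Medium and above)
    accepted -- plugin ids already triaged and accepted (hypothetical allow-list)
    """
    try:
        sites = json.loads(report_text)["site"]
    except (ValueError, KeyError, TypeError):
        return 2, []          # fail closed: a missing or broken report is not a pass
    if isinstance(sites, dict):   # tolerate a single site object instead of a list
        sites = [sites]
    findings = []
    for site in sites:
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))
            if risk < fail_at or alert.get("pluginid") in accepted:
                continue
            for inst in alert.get("instances") or [{}]:
                findings.append((risk, alert.get("alert", "?"),
                                 inst.get("method", "?"), inst.get("uri", "?")))
    findings.sort(key=lambda f: (-f[0], f[1], f[3]))   # highest risk first
    return (1 if findings else 0), findings


if __name__ == "__main__":
    # In CI, pass the report path as argv[1]; a non-zero exit fails the build step.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, found = gate(text)
    for risk, name, method, uri in found:
        print(f"[{RISK.get(risk, risk)}] {name}: {method} {uri}")
    sys.exit(code)
```

Keeping the allow-list in source control makes every accepted finding a reviewed change, and returning 2 for an empty or malformed report stops a scan that never ran from passing the build.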