The online community for software testing & quality assurance professionals
 
 
poonammirani123
Newbie


Reged: 02/01/12
Posts: 11
how to select security testing tool?
      #699614 - 02/27/12 02:24 AM

https://www.owasp.org/index.php/Category:Penetration_Testing_Tools contains a list of several tools. Can anyone let me know which tool is the best for beginners of security testing?

dlai
Junior Member


Reged: 05/02/06
Posts: 1041
Loc: CA, USA
Re: how to select security testing tool? [Re: poonammirani123]
      #699805 - 02/28/12 07:48 AM

Most of those tools on the page are purpose-built tools that do a specific thing.

For a beginner, you probably want to initially use utilities that'll scan for a broad range of common vulnerabilities, like IBM's AppScan or WebInspect. Then drill down deeper with other tools based on warnings you see coming from those tools.

Those tools may not point out the exact bug, but they'll recognize, based on responses, what potential vulnerabilities might be possible. For example, if the tool fills out some quoted string and the rest of the page from the form field doesn't display, it might warn that you have a possible XSS attack. Or say it injects a SQL statement and was able to detect a table name in the source; it might give you a warning that an SQL injection is possible. Keep in mind that the tool is not a hacker. It'll just scan using common attack signatures and has no actual knowledge of the internal workings of your application. So say you have a backdoor that needs a specific parameter to be set; a simple app scan will not find that.

In reality, I wouldn't recommend anyone without a security background to do specific penetration testing. Unless you have been formally educated in computer security, and regularly attend security conferences to keep up to date on the latest techniques, it's best to just do routine basic scans and leave the specific penetration testing to a specialist to avoid a false sense of security.

--------------------
David Lai
Sr. QA / Test Lead
LinkedIn profile

Edited by dlai (02/28/12 07:51 AM)
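
The response-based checks and the blind spot described in the post above, as an added example that is not part of the original post or any scanner's own code. The marker string, `toy_app`, its `maint` parameter and the small error-phrase list are constructed assumptions; an unencoded-reflection check and database error text stand in for the page-breakage and table-name heuristics the post mentions.

```python
import html
import re

MARKER = 'zq7"<probe>'  # constructed probe string; quote and brackets reveal missing encoding

# A few well-known database error phrases (a small sample, not a full signature set).
SQL_ERRORS = [re.compile(p, re.I) for p in (
    r"you have an error in your sql syntax",                 # MySQL
    r"unclosed quotation mark after the character string",   # SQL Server
    r"ORA-\d{5}",                                            # Oracle
)]

def classify_response(body, marker=MARKER):
    """Warnings a scanner can infer from a response body alone."""
    warnings = []
    if marker in body:  # came back byte-for-byte, so output encoding is missing
        warnings.append("possible XSS")
    if any(p.search(body) for p in SQL_ERRORS):
        warnings.append("possible SQL injection")
    return warnings

def toy_app(params):
    """Constructed stand-in for the application under test (hypothetical)."""
    if params.get("maint") == "open-sesame":   # hidden switch; the scanner cannot know it
        return "<p>maintenance console</p>"
    if "q" in params:
        return "<p>Results for %s</p>" % params["q"]             # reflected unencoded
    if "name" in params:
        return "<p>Hello %s</p>" % html.escape(params["name"])   # reflected encoded
    return "<p>Welcome</p>"

def scan(app, form_fields):
    """Submit the marker in each field the scanner discovered; collect warnings."""
    return {f: classify_response(app({f: MARKER})) for f in form_fields}

if __name__ == "__main__":
    # Only the fields visible in the page's forms are probed, so the hidden
    # switch is never exercised and produces no warning.
    print(scan(toy_app, ["q", "name"]))
```

The scan flags `q` and clears `name`, and it reports nothing about the hidden switch because no signature-driven request ever carries the value that triggers it.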


poonammirani123
Newbie


Reged: 02/01/12
Posts: 11
Re: how to select security testing tool? [Re: dlai]
      #699874 - 02/28/12 08:49 PM

Thanks a lot David, for guiding me and showing the right path to proceed further.

Actually, the reason why I asked for tool selection is that my manager has given me the task of comparing 3-4 security tools.

My problem is I am new to it, so it would be great if I can get help in comparing tools. What things/key points need to be taken care of while comparing tools?


MilesToGoBeforeISleep
Super Member


Reged: 09/15/10
Posts: 1887
Re: how to select security testing tool? [Re: poonammirani123]
      #702477 - 03/25/12 05:40 AM

Poonam,

First of all, what type of security testing are you looking for?

There are a number of tools that provide you a complete scan over the pages, trying to discover the vulnerabilities hidden in the underlying application.

Selection of a tool is based on a couple of factors:
1. Cost of Tool
2. Learning Curve involved / Ease of Usage
3. Configurable options available.

You can google your way for the tool comparison!!

--------------------
Thanks,
Ganns!!!
<< Why are you so obsessed at finding bugs >>

