About Security Testing - Part II

This is a two-part series:
1. Significance of Security Testing in an era of illimitable Cyber-Attacks
2. Open Source Security Testing Tools You Should Know About

Open Source Security Testing Tools You Should Know About

Continuing from our previous blog post, we can begin by simply stating that security testing has become an inevitable part of software development, and a slack approach towards security can prove costly in terms of:

  • Incoherent website performance
  • Loss of customer trust
  • Loss of revenue
  • Possible legal implications

Hence, security testing cannot be taken lightly, and with the dawn of a highly connected IoT world, no organization can claim to have a foolproof security system in place.

This points to the need for web security testing tools that proactively detect application vulnerabilities and help secure websites.

From the array of open source security tools available in the market, we discuss some of the popular ones you should know about:

Wapiti

Wapiti is a command-line application that performs black box scans. It supports both GET and POST HTTP attack methods. For beginners, it may be difficult to use, but for experts, it’s a great tool. Wapiti can detect vulnerabilities like file handling errors, database injection, XSS injection, LDAP injection and CRLF injection.
Source: http://wapiti.sourceforge.net/

Vega

Vega is written in Java, is GUI based and runs on Linux, OS X, and Windows platforms. It can detect web-app vulnerabilities like blind SQL injection, header injection, stored cross-site scripting, shell injection and others. The tool can be extended using a powerful API written in JavaScript.
Source: https://subgraph.com/vega/

W3af

W3af is a web-app audit and attack framework that is effective against more than 200 vulnerabilities. It is developed in Python and is suitable for both beginners and experts. It identifies vulnerabilities like cross-site scripting, unhandled app errors, SQL injection, and PHP misconfigurations. It comes with both a graphical and a console interface.
Source: http://w3af.org/

Zed Attack Proxy (ZAP)

ZAP is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web apps. It is available for Windows, Unix/Linux and Mac platforms. It is ideal for both beginners and professionals. Among other features, it offers a port scanner, fuzzing, smart card support, and anti-CSRF token handling. It can detect vulnerabilities like SQL injection, blind SQL injection, file handling and command execution.
Source: https://www.owasp.org/index.php/

IronWASP

IronWASP is a GUI-based vulnerability scanner that checks for over 25 different kinds of well-known web vulnerabilities. It supports detection of false negatives and false positives, and its reports are available in both HTML and RTF formats. An advanced user with Python/Ruby scripting expertise is best suited to make full use of the platform, but even an amateur user can use many of the simple features that IronWASP offers. It can detect vulnerabilities like SQL, header and XPath injection, and cross-site scripting.
Source: https://ironwasp.org/

Conclusion

With cyber threats on the rise, whether or not you already have changes planned for your security stack, using security tools early in the SDLC will help reduce the security assessment workload carried out before the application is deployed and will improve early detection rates, thus saving costs and increasing speed to market.

In a nutshell, organizations should make security a business priority, and adopt a well-defined integrated defense approach in this era of illimitable cyber-attacks.