About Security Testing- Part ll

This is a two part series:
1.  Significance of Security Testing in an era of illimitable Cyber-Attacks
2. Open Source Security Testing Tools You Should Know About

Open Source Security Testing Tools You Should Know About

In connect with our previous blog, we can begin by simply stating that security testing has become an inevitable part of software development, and a slack approach towards security can prove costly in terms of:

  • Incoherent website performance
  • Loss of customer trust
  • Loss of revenue
  • Possible legal implications

Hence, security testing cannot be taken lightly, and with the dawn of highly connected IoT world, no organization can claim to have a foolproof security system in place.

This clearly directs us to the need for using web security testing tools to proactively detect the application vulnerabilities and to secure the websites.

From an array of Open Source Security Tools available in the market, we have made an attempt to discuss some of the popular ones you should know about:

Wapiti

Wapiti is a command-line application that performs black box scans. It supports both GET and POST HTTP attack methods. For beginners, it may be difficult to use, but for experts, it’s a great tool. Wapiti can detect vulnerabilities like file handling errors, database injection, XSS Injection, LDAP Injection and CRLF Injection.
Source: http://wapiti.sourceforge.net/

Vega

Vega is written in Java, is GUI based and runs on Linux, OSX, and Windows platforms. It can detect web-app vulnerabilities like blind SQL injection, header injection, stored cross-site scripting, shell injection and others. The tool can be extended using a powerful API written in JavaScript.
Source: https://subgraph.com/vega/

W3af

A web-app audit and attack framework which is effective against more than 200 vulnerabilities. W3af is developed using Python and is suitable for both beginners and experts. It identifies vulnerabilities like Cross-Site Scripting, unhandled app-errors, SQL injection, and PHP misconfigurations. It comes with a graphical and console interface.
Source: http://w3af.org/

ZED Attack Proxy (ZAP)

It is an easy to use integrated penetration testing tool for finding vulnerabilities in web apps. It is available for Windows, Unix/Linux and Mac platforms. It is ideal for both beginners and professionals. Besides other features, it also possesses features like port scanner, fuzzing, smart card support, and Anti-CSRF Token Handling. It can detect vulnerabilities like SQL injection, Blind SQL injection, File Handling and command execution.
Source: https://www.owasp.org/index.php/

IronWASP

It is a GUI based vulnerability scanner that checks for over 25 different kinds of well-known web vulnerabilities. It provides false negatives and false positives detection support, and its reports are both in HTML and RTF formats. An advanced user with Python/Ruby scripting expertise is best suited to make full use of the platform but even an amateur user can use a lot of simple features that IronWASP possesses. It can detect vulnerabilities like SQL, Header and XPATH Injection, and Cross Site Scripting.
Source:  https://ironwasp.org/

Conclusion

With cyber threats on the rise- whether you already have changes premeditated for your security stack or not; the use of security tools early in the SDLC will help you in reducing the security assessment workload executed before the deployment of the application, and will augment early detection rates, thus saving costs and increasing the speed to market.

In a nutshell, organizations should make security a business priority, and adopt a well-defined integrated defense approach in this era of illimitable cyber-attacks.

About Security Testing – Part I

This is a two part series:
1. Significance of Security Testing in an era of illimitable Cyber-Attacks
2. Open Source Security Testing Tools You Should Know About

Significance of Security Testing in an era of illimitable Cyber-Attacks

Considering the number of breaches and security threats that currently exist, security testing has become a critical part of the Software Development Life Cycle(SDLC)

Even the most secure platforms have been invaded by hackers-be it Apple’s iCloud, NASA’s computers, or Sony’s email server- let alone the vulnerable ones. The staggering cyber-attack statistics by Hackmegeddon stands as a testimony to the fact that these threats are on the rise, and there appears to be no foolproof plan to safeguard against these threats.

Hackmegeddon

Source: HACKMEGEDDON

The figures are appalling, and so are the repercussions of security loopholes. As per Cisco 2017 Annual Cybersecurity Report, 22% of breached organizations lost customers, and 40% of them lost more than 20% of their customer base.

The consequences are obvious-data loss, loss of revenue, lawsuits, fines and other disruptive business implications.

But how does this happen?

As per the findings of the World Quality Report, 80% of these security breaches occur at the application layer and 86% have issues associated with authentication and access control. So, high-quality rigorous security testing is definitely required especially at these weak spots.

And security testing is also essential to ensure safety against some of the most commonly executed cyber-attacks- like Malware, SQL Injection, Phishing Attacks, Cross-Site Scripting (XSS), Denial-of-Service, and Session Hijacking Attacks.

You will be surprised to know that as per a study conducted by Aberdeen Group involving more than 150 organizations, the average cost of remediating a single app security incident comes around approx. US$300,000.

No doubt, it’s a very costly affair, and with IoT being the face of the future, security testing will become paramount as hyper-connectivity may cause a single loophole to result in huge data loss-the impact of which can be devastating.

All this points towards the need for highly reliable security testing services that can timely uncover vulnerabilities and ensure app risk minimization further implying that security has to be embedded right from the beginning in the SDLC, rather than an afterthought.

Being an expensive endeavor, not all software development companies can afford in-house testing, and hence outsourcing can be a good option- both in terms of cost and time.

Dedicated testing services companies can be relied upon to have the requisite resources and expertise to employ the critical testing techniques like:

Vulnerability Scanning : Normally done using an automated software to scan the basic known vulnerability.

Penetration Testing: Penetration testing is the black box approach to test your applications for security loopholes.It simulates the attack from a malicious hacker to determine vulnerabilities that an attacker could exploit.

Ethical Hacking: The system is attacked from within to expose and fix the security flaws and loopholes.

Security ScanningIn addition to automated software scanning, manual assessment is performed to check log files, error messages, error codes and so on.

Risk Assessment: A technique to analyze and segregate risks into high, medium and low categories. This assessment further assists in strategizing to resolve these risks.

Security ReviewThis involves reviews of architecture diagrams, code reviews, and document reviews along with performing the gap analysis to ensure standards are adhered to, and implemented aptly.

These techniques will definitely aid to combat the probable security threats, however, the significance of technical expertise and knowledge of the tester will remain an irreplaceable asset.

Being an expensive endeavor, it will again be feasible to outsource security services to experts in testing companies who possess requisite ISO/IEEE certifications, in addition to years of valuable experience, especially in this era of cyber warfare, newfangled cybercrimes and vicious cyber attacks.

NASSCOM claims that the current share of cyber-security is likely to rise to US $35 billion from the current US $1.5 billion by the year 2025, and nearly 1000 startups will emerge in the security domain over the next 10 years.

Hence, digital landscape is going to be the future war zone, and security testing will be a big and sophisticated discipline.

Conclusion

Security testing is highly relevant-both in the current and future scenario, and organizations should be either prepared with end-to-end security testing solutions that can be embedded into the SDLC right from the initial stage involving both manual and automated testing processes or should outsource the solutions.

Overall, a good testing services company with a skilled and experienced team of testers specialized in emerging technologies will be the one to survive the impending cybersecurity onslaught. Also, there are many open source security tools available in the market that testing companies can use- and we will discuss them in our next blog.

Astegic, a pure-play QA & Testing services company, with years of experience and learning, is adept at safely leveraging the convergence of cloud, mobility, social computing and web applications through security testing across multiple platforms and networks. And is constantly adopting latest tools and techniques to become the future market leader.

To know more about our security testing services, visit our page or contact our experts.

And don’t forget to read our next blog to find out about some popular open source security tools available in the market- Open Source Security Testing Tools You Should Know About