Application Security Related Tools
- Application Security/Monitoring Tools
- Application Development
- Application Vulnerabilities and Test
- Windows System/Appication Test Software
- Security Awareness
- Security Assessment Methodology
- Digital Forensic Investigation Tools
- Standard Development and Productivity Tools
- Automation Tools
There are some other related posts in this blog:
- My Top Network Security Tools
- My Top Internet / Network Tools
- My Top IT Tools
- Website and Tools for Blogger
Application Security/Monitoring Tools
- https://www.hardenize.com/ - Check your site's security situation.
- Static and Dynamic Analysis Tools: Fortify, AppScan
- Penetration Testing Tools: Burp Suite
- Fuzz Tools: OWASP Fuzz tool
- D盾_Web查杀 : 『D盾_防火墙』专为IIS设计的一个主动防御的保护软件,以内外保护的方式 防止网站和服务器给入侵,在正常运行各类网站的情 况下,越少的功能,服务器越安全的理念而设计! 限制了常见的入侵方法,让服务器更安全!
- 听云 (TingYun.com) - TingYun is 专业的应用性能监控平台. Alexa排名前100家企业有82家正在使用听云.
Application Development
- SDLC : SDLC is Software Development Life Cycle. It is the process by which Information Systems or Software are developed and designed. Like every other process, SDLCs have various methods to complete the steps.
- One of the oldest ways to go about is the Waterfall method. The first known usage of Waterfall was in 1956 by Herbert D. Benington at Symposium on advanced programming methods for digital computers. One of the major competitions that Waterfall method faces is the Agile Method. The waterfall method goes through the phases of Conception, Initiation, Analysis, Design, Construction, Testing, Production/Implementation, and Maintenance one after the other like the motion of a waterfall. The team cannot move on to a phase till the previous phase is complete. The positive thing about this method, even though it is time consuming, is that if the bugs are found early on it saves a lot of time and money later. For instance if a bug is found in the conception or initiation phase then it can be corrected before going to the design phase rather than it being discovered while the software is getting designed and then has to be scrapped completely. This method requires intensive documentation in each phase and in that way the process is not dependent on any individual on the team. If a component of the team needs to be replaced, the new person can understand where the project is currently, easily.
- The Agile method on the other hand is an iterative and incremental approach to software development. In this form of SDLC small modules of the final products are released for the users to review and then are changed accordingly. As per the name, this environment is flexible and can be changed according to the circumstances. Here different developers work on their own task simultaneously and then combine their work in the end. The focus is on delivering a working software rather than documentation. Since it’s iterative, that means it works in cycles. New things are discovered during each iteration and then can be improved upon or fixed before the next cycle begins. Communication, rather than documentation, is used and as such it is faster to work in an Agile environment. Agile methods seem best for developmental and non-sequential projects; as such they are ineffectual in some types of projects and is not taken seriously by a lot of companies.
| SDLC Model |
Advantage
|
Disadvantage
|
| WaterFall |
Simple and easy to understand and use Easy to manage due to the rigidity of the model. Each phase has specific deliverables and a review process. Phases are processed and completed one at a time. Works well for smaller projects where requirements are very well understood. Clearly defined stages. Well understood milestones. Easy to arrange tasks. Process and results are well documented. |
No working software is produced until late during the life cycle. High amounts of risk and uncertainty. Not a good model for complex and object-oriented projects. Poor model for long and ongoing projects. Not suitable for the projects where requirements are at a moderate to high risk of changing. So, risk and uncertainty is high with this process model. It is difficult to measure progress within stages. Cannot accommodate changing requirements. Adjusting scope during the life cycle can end a project. Integration is done as a "big-bang. at the very end, which doesn't allow identifying any technological or business bottleneck or challenges early. |
| Agile | Is a very realistic approach to software development. Promotes teamwork and cross training. Functionality can be developed rapidly and demonstrated. Resource requirements are minimum. Suitable for fixed or changing requirements Delivers early partial working solutions. Good model for environments that change steadily. Minimal rules, documentation easily employed. Enables concurrent development and delivery within an overall planned context. Little or no planning required. Easy to manage. Gives flexibility to developers. |
Not suitable for handling complex dependencies. More risk of sustainability, maintainability and extensibility. An overall plan, an agile leader and agile PM practice is a must without which it will not work. Strict delivery management dictates the scope, functionality to be delivered, and adjustments to meet the deadlines. Depends heavily on customer interaction, so if customer is not clear, team can be driven in the wrong direction. There is a very high individual dependency, since there is minimum documentation generated. Transfer of technology to new team members may be quite challenging due to lack of documentation. |
- REST based Services/Architecture VS RESTFUL Services/Architecture
- It should be stateless
- It should access all the resources from the server using only URI
- It does not have inbuilt encryption
- It does not have session
- It uses one and only one protocol that is HTTP
- For performing CRUD operations, it should use HTTP verbs such as get, post, put and delete
- It should return the result only in the form of JSON or XML, atom, OData etc. (lightweight data )
- SonarQube
- VeraCode
- Fortify SCA and Fortify WebInspect
- IBM AppScan
DevOps
 |
| From: https://www.youtube.com/watch?v=7LcFZNuZaVY |
 |
| From: https://www.youtube.com/watch?v=7LcFZNuZaVY |
Application Test Methodologies with Tools
Application Testing | Types of Testing |
| Web Application Testing | Functional and Performance Testing |
| Cross-browser Testing | |
| Load and stress Testing | |
| Regression and Compliance Testing | |
| User Acceptance Testing | |
| Beta Testing | |
| Exploratory and Smoke Testing | |
| Multilanguage support and compatibility Testing | |
| Desktop Application Testing | UI Testing |
| Usability Testing | |
| Performance Testing | |
| Compatibility Testing (Software/ Hardware) | |
| Functional Testing | |
| Security Testing | |
| Mobile Application Testing | UI Testing |
| Rule based Testing | |
| Regression Testing | |
| Functional Testing | |
| Security Testing | |
- Black Box Testing: Black Box Testing technique is used commonly for testing Functional testing, Non-functional testing, and Regression Testing. In black box testing, the strategy used are
- Equivalence Class Testing
- Boundary Value Testing
- Decision Table Testing
- State Transition Tables
- White Box Testing: White box testing is typically used for testing the software code to check Internal security holes, broken or poorly structured paths, functionality of conditional loops, etc. In white box testing, the strategy used are
- Code Coverage analysis
- Path Coverage
- Gray Box Testing: This testing technique is a combination of both Black Box Testing as well as White box testing. It is carried out in accordance to find Defect based on improper structure or application use.
- Static Application Security Testing (SAST) – Big software organizations worldwide are gravitating towards CICD, Agile and DevOps setups. SAST solutions have all the characteristics to blend into these Software Life Cycle’s. Code can be scanned fast, vulnerabilities are located accurately and untouched code doesn’t have to be re-scanned.
- Dynamic Application Security Testing (DAST) – While DAST tools provide risk analysis and assist in the remediation efforts, developers don’t really know where exactly the vulnerabilities are located, not do they always now what countermeasures to implement. DAST methodology reporting is less than satisfactory in numerous instances.
Tools
- Selenium
- IBM Rational Robot
- RFT (Rational Functional Tester)
- Load Runner ( HP Performance Tester)
- Apache Jmeter
Example:
One Good Practice from Security Compass:
Web Server Scans
- Full TCP /UDP Port Scans
- Web Server Scans
- Nikto (www.cirt.net)
- Spike Web Proxy (www.immunitiysec.com)
- Stealth Scanner (www.nstalker.com) Free/Commercial
- SSL Version (40/56/128 Bit)
- Administrator Port
- Internal IP
- Internal Port
- Internal Server Name
- Load Balancer
Web Application: Background Information on the site
- Identify Technologies used and application architecture
- Mirror site
- Sift through client side code (review comments and client side code)
- Authenticate to the site and browse the site
- Document all the links and pages on the site
Web Applications: Threat Analysis
Web Application: Begin Testing of the Web Application
- Configuration Management (Web Server)
- Backup Files (.bak / .inc/ .gz / .zip)
- Autehntication (ACLS on Files / ACLs on Data / Cookies)
- Session / Cookie Management
- Input Validation (XSS/SQL Injection / Field Overflows / Field Underflow)
- Hiddent Tags / Hidden Cookie variables / Hidden Pages
- File Upload ( File Type / Location of upload)
- Buffer Overflows (ISAPI/Modules)
- Cryptography
- Sensitive Data
Web Application: Search Engine Hacking
- groups.google.com
- yahoo.com
- archive.org
Authentication
Authorization
Session Management
User Management
Cryptography, PII, Critical Data
Data Validation
Data Handling
Error & Exception
Event Logging
- OWASP Top 10
- A1:2017-Injection
- A2:2017-Broken Authentication
- A3:2017-Sensitive Data Exposure
- A4:2017-XML External Entities (XXE)
- A5:2017-Broken Access Control
- A6:2017-Security Misconfiguration
- A7:2017-Cross-Site Scripting (XSS)
- A8:2017-Insecure Deserialization
- A9:2017-Using Components with Known Vulnerabilities
- A10:2017-Insufficient Logging&Monitoring
- WASC TCv2 (WASC Threat Classification v2.0) Web Application Security Consortium Threat Classification
- CWE 25
- CWE™ (Common Weakness Enumeration) is a community-developed list of common software security weaknesses. It serves as a common language, a measuring stick for software security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.a
Windows System/Appication Test Software
- Sandboxie, which lets you run programs independent of the rest of your system. That way they can't infect, access, or otherwise interfere with your Windows installation. It supports 64bits and Win8.
- PowerShadow works both pro-actively and protectively to shield you from anything that threatens the life of your computer system. Installation of PowerShadow is like planting an amazing protection mechanism called the Shadow Mode. It is designed to defend you against millions of viruses, spyware and Trojan horse that would love to invade your system.
Security Awareness
- Security Education Platform - Wombat, Leader in the Magic Quadrant for Security Awareness Computer-Based Training (CBT).
Security Assessment Methodology
- B.A.S.E - SANS.org
- Baseline,
- Audit & Assess
- Secure the environment
- Evaluate & Education
- NIST 800-37 Risk Management Framework (RMF) - Six Main Steps + One Preparatory Step
- Prepare
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
Digital Forensic Investigation Tools
Standard Development and Productivity Tools
- Integrated Development Environments (IDEs) : Eclipse
- Version Control Systems: Git
- Defect/Issue Tracking Systems: Jira
Automation Tools
- Jenkins, an automation server that may be utilized either as simple CI servers, or turned into CD hubs for projects, with plugins that support integration with various tools in the CI/CD toolchain.
- Docker, a software container technology platform that enables its users to create, deploy, run, and manage applications within the containers. Docker containers run within the kernel of the host machine and they don’t require additional hypervisor load, so they are lightweight.
- Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.
- Chef, a configuration management tool that delivers fast, scalable, and flexible automation of Web-scale IT. Chef automation tool uses ‘recipes’ for web-server configuration, databases and load balancers.
- Puppet, a flexible, cross-platform and open source DevOps configuration management tool that automates the delivery and operation of a software during its entire lifecycle.
- Ansible, a server and configuration management tool that makes IT automation simple as it ends repetitive tasks and enables faster application deployments. It automates configuration management, orchestration, application deployment, cloud provisioning, and a number of other IT requirements.
- Other tools/frameworks for adding security to the DevOps pipeline include Gauntlt and OWASP Zed Attack Proxy (ZAP). These tools may be used during deployment, allowing for automated security tests. Gauntlt provides hooks to a variety of organizational tools that are used for security testing such as nmap, curl, sqlmap, and others. There are also tools such as Splunk that should be mentioned here, primarily for continuous monitoring of the production environment for detection of cybersecurity threats.
No comments