Application Security Tools

• Application Development
• Application Vulnerabilities and Test
• Windows System/Appication Test Software
• Security Awareness 
• Security Assessment Methodology
• Digital Forensic Investigation Tools

There are some other related posts in this blog:

• My Top Network Security Tools
• My Top Internet / Network Tools
• My Top IT Tools
• Website and Tools for Blogger

Application Development

• SDLC : SDLC is Software Development Life Cycle. It is the process by which Information Systems or Software are developed and designed. Like every other process, SDLCs have various methods to complete the steps. 

• One of the oldest ways to go about is the Waterfall method. The first known usage of Waterfall was in 1956 by Herbert D. Benington at Symposium on advanced programming methods for digital computers. One of the major competitions that Waterfall method faces is the Agile Method. The waterfall method goes through the phases of Conception, Initiation, Analysis, Design, Construction, Testing, Production/Implementation, and Maintenance one after the other like the motion of a waterfall. The team cannot move on to a phase till the previous phase is complete. The positive thing about this method, even though it is time consuming, is that if the bugs are found early on it saves a lot of time and money later. For instance if a bug is found in the conception or initiation phase then it can be corrected before going to the design phase rather than it being discovered while the software is getting designed and then has to be scrapped completely. This method requires intensive documentation in each phase and in that way the process is not dependent on any individual on the team. If a component of the team needs to be replaced, the new person can understand where the project is currently, easily.
• The Agile method on the other hand is an iterative and incremental approach to software development. In this form of SDLC small modules of the final products are released for
  
  the users to review and then are changed accordingly. As per the name, this environment is flexible and can be changed according to the circumstances. Here different developers work on their own task simultaneously and then combine their work in the end. The focus is on delivering a working software rather than documentation. Since it’s iterative, that means it works in cycles. New things are discovered during each iteration and then can be improved upon or fixed before the next cycle begins. Communication, rather than documentation, is used and as such it is faster to work in an Agile environment. Agile methods seem best for developmental and non-sequential projects; as such they are ineffectual in some types of projects and is not taken seriously by a lot of companies.

SDLC    Model	Advantage	Disadvantage
WaterFall	Simple and easy to understand and use Easy to manage due to the rigidity of the model. Each phase has specific deliverables and a review process. Phases are processed and completed one at a time. Works well for smaller projects where requirements are very well understood. Clearly defined stages. Well understood milestones. Easy to arrange tasks. Process and results are well documented.	No working software is produced until late during the life cycle. High amounts of risk and uncertainty. Not a good model for complex and object-oriented projects. Poor model for long and ongoing projects. Not suitable for the projects where requirements are at a moderate to high risk of changing. So, risk and uncertainty is high with this process model. It is difficult to measure progress within stages. Cannot accommodate changing requirements. Adjusting scope during the life cycle can end a project. Integration is done as a "big-bang. at the very end, which doesn't allow identifying any technological or business bottleneck or challenges early.
Agile	Is a very realistic approach to software development. Promotes teamwork and cross training. Functionality can be developed rapidly and demonstrated. Resource requirements are minimum. Suitable for fixed or changing requirements Delivers early partial working solutions. Good model for environments that change steadily. Minimal rules, documentation easily employed. Enables concurrent development and delivery within an overall planned context. Little or no planning required. Easy to manage. Gives flexibility to developers.	Not suitable for handling complex dependencies. More risk of sustainability, maintainability and extensibility. An overall plan, an agile leader and agile PM practice is a must without which it will not work. Strict delivery management dictates the scope, functionality to be delivered, and adjustments to meet the deadlines. Depends heavily on customer interaction, so if customer is not clear, team can be driven in the wrong direction. There is a very high individual dependency, since there is minimum documentation generated. Transfer of technology to new team members may be quite challenging due to lack of documentation.

• REST based Services/Architecture VS RESTFUL Services/Architecture

To differentiate or compare these 2, you should know what is REST. REST (REpresentational State Transfer) is basically an architectural style of development having some principles...

• It should be stateless
• It should access all the resources from the server using only URI
• It does not have inbuilt encryption
• It does not have session
• It uses one and only one protocol that is HTTP
• For performing CRUD operations, it should use HTTP verbs such as get, post, put and delete
• It should return the result only in the form of JSON or XML, atom, OData etc. (lightweight data )

REST based services follow some of the above principles and not all, whereas RESTFUL means it follows all the above principles.

• SonarQube
• VeraCode
• Fortify SCA and Fortify WebInspect
• IBM AppScan

DevOps

From: https://www.youtube.com/watch?v=7LcFZNuZaVY

From: https://www.youtube.com/watch?v=7LcFZNuZaVY

Application Test Methodologies with Tools

Application Testing	Types of Testing
Web Application Testing	Functional and Performance Testing
	Cross-browser Testing
	Load and stress Testing
	Regression and Compliance Testing
	User Acceptance Testing
	Beta Testing
	Exploratory and Smoke Testing
	Multilanguage support and compatibility Testing
Desktop Application Testing	UI Testing
	Usability Testing
	Performance Testing
	Compatibility Testing (Software/ Hardware)
	Functional Testing
	Security Testing
Mobile Application Testing	UI Testing
	Rule based Testing
	Regression Testing
	Functional Testing
	Security Testing

• Black Box Testing:  Black Box Testing technique is used commonly for testing Functional testing, Non-functional testing, and Regression Testing. In black box testing, the strategy used are
• Equivalence Class Testing
• Boundary Value Testing
• Decision Table Testing
• State Transition Tables

• White Box Testing: White box testing is typically used for testing the software code to check Internal security holes, broken or poorly structured paths, functionality of conditional loops, etc. In white box testing, the strategy used are
• Code Coverage analysis
• Path Coverage

• Gray Box Testing: This testing technique is a combination of both Black Box Testing as well as White box testing. It is carried out in accordance to find Defect based on improper structure or application use.

• Static Application Security Testing (SAST) – Big software organizations worldwide are gravitating towards CICD, Agile and DevOps setups. SAST solutions have all the characteristics to blend into these Software Life Cycle’s. Code can be scanned fast, vulnerabilities are located accurately and untouched code doesn’t have to be re-scanned.
• Dynamic Application Security Testing (DAST) – While DAST tools provide risk analysis and assist in the remediation efforts, developers don’t really know where exactly the vulnerabilities are located, not do they always now what countermeasures to implement. DAST methodology reporting is less than satisfactory in numerous instances.

Tools

• Selenium
• IBM Rational Robot
• RFT (Rational Functional Tester)
• Load Runner ( HP Performance Tester)
• Apache Jmeter

Example:

One Good Practice from Security Compass:

Web Server Scans

- Full TCP /UDP Port Scans

- Web Server Scans

• Nikto (www.cirt.net)
• Spike Web Proxy (www.immunitiysec.com)
• Stealth Scanner (www.nstalker.com) Free/Commercial

- SSL Version (40/56/128 Bit)

- Administrator Port

- Internal IP

- Internal Port

- Internal Server Name

- Load Balancer

Web Application: Background Information on the site

- Identify Technologies used and application architecture

- Mirror site

- Sift through client side code (review comments and client side code)

- Authenticate to the site and browse the site

- Document all the links and pages on the site

Web Applications: Threat Analysis

Web Application: Begin Testing of the Web Application

- Configuration Management (Web Server)

- Backup Files (.bak / .inc/ .gz / .zip)

- Autehntication (ACLS on Files / ACLs on Data / Cookies)

- Session / Cookie Management

- Input Validation (XSS/SQL Injection / Field Overflows / Field Underflow)

- Hiddent Tags / Hidden Cookie variables / Hidden Pages

- File Upload ( File Type / Location of upload)

- Buffer Overflows (ISAPI/Modules)

- Cryptography

- Sensitive Data

Web Application: Search Engine Hacking

- groups.google.com

- yahoo.com

- archive.org

Authentication

Authorization

Session Management

User Management

Cryptography, PII, Critical Data

Data Validation

Data Handling

Error & Exception

Event Logging

Application Vulnerabilities

• OWASP Top 10
• A1:2017-Injection
• A2:2017-Broken Authentication
• A3:2017-Sensitive Data Exposure
• A4:2017-XML External Entities (XXE)
• A5:2017-Broken Access Control
• A6:2017-Security Misconfiguration
• A7:2017-Cross-Site Scripting (XSS)
• A8:2017-Insecure Deserialization
• A9:2017-Using Components with Known Vulnerabilities
• A10:2017-Insufficient Logging&Monitoring
• WASC TCv2 (WASC Threat Classification v2.0) Web Application Security Consortium Threat Classification

• Attacks	Weaknesses
  Abuse of Functionality Brute Force Buffer Overflow Content Spoofing Credential/Session Prediction Cross-Site Scripting Cross-Site Request Forgery Denial of Service Fingerprinting Format String HTTP Response Smuggling HTTP Response Splitting HTTP Request Smuggling HTTP Request Splitting Integer Overflows LDAP Injection Mail Command Injection Null Byte Injection OS Commanding Path Traversal Predictable Resource Location Remote File Inclusion (RFI) Routing Detour Session Fixation SOAP Array Abuse SSI Injection SQL Injection URL Redirector Abuse  XPath Injection XML Attribute Blowup XML External Entities XML Entity Expansion  XML Injection XQuery Injection	Application Misconfiguration Directory Indexing Improper Filesystem Permissions Improper Input Handling Improper Output Handling Information Leakage Insecure Indexing Insufficient Anti-automation Insufficient Authentication Insufficient Authorization Insufficient Password Recovery Insufficient Process Validation Insufficient Session Expiration Insufficient Transport Layer Protection Server Misconfiguration

  
  
  
  
  
  
• CWE 25
• CWE™ (Common Weakness Enumeration) is a community-developed list of common software security weaknesses. It serves as a common language, a measuring stick for software security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.a

Windows System/Appication Test Software

• Sandboxie, which lets you run programs independent of the rest of your system. That way they can't infect, access, or otherwise interfere with your Windows installation. It supports 64bits and Win8. 
• PowerShadow works both pro-actively and protectively to shield you from anything that threatens the life of your computer system. Installation of PowerShadow is like planting an amazing protection mechanism called the Shadow Mode. It is designed to defend you against millions of viruses, spyware and Trojan horse that would love to invade your system.

Security Awareness

• Security Education Platform - Wombat, Leader in the Magic Quadrant for Security Awareness Computer-Based Training (CBT).

Security Assessment Methodology

• B.A.S.E - SANS.org 
• Baseline,
• Audit & Assess
• Secure the environment
• Evaluate & Education
• NIST 800-37 Risk Management Framework (RMF) - Six Main Steps + One Preparatory Step
• Prepare 
• Categorize
• Select
• Implement
• Assess
• Authorize
• Monitor

Digital Forensic Investigation Tools

• SANS SIFT
• Paladin suite

Standard Development and Productivity Tools 

• Integrated Development Environments (IDEs) : Eclipse
• Version Control Systems: Git
• Defect/Issue Tracking Systems: Jira

Application Security Tools 

• Static and Dynamic Analysis Tools:  Fortify, AppScan
• Penetration Testing Tools: Burp Suite
• Fuzz Tools: OWASP Fuzz tool
• D盾_Web查杀 : 『D盾_防火墙』专为IIS设计的一个主动防御的保护软件,以内外保护的方式 防止网站和服务器给入侵,在正常运行各类网站的情 况下，越少的功能，服务器越安全的理念而设计！ 限制了常见的入侵方法，让服务器更安全!

Automation Tools

• Jenkins, an automation server that may be utilized either as simple CI servers, or turned into CD hubs for projects, with plugins that support integration with various tools in the CI/CD toolchain.
• Docker, a software container technology platform that enables its users to create, deploy, run, and manage applications within the containers. Docker containers run within the kernel of the host machine and they don’t require additional hypervisor load, so they are lightweight.
• Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.
• Chef, a configuration management tool that delivers fast, scalable, and flexible automation of Web-scale IT. Chef automation tool uses ‘recipes’ for web-server configuration, databases and load balancers.
• Puppet, a flexible, cross-platform and open source DevOps configuration management tool that automates the delivery and operation of a software during its entire lifecycle.
• Ansible, a server and configuration management tool that makes IT automation simple as it ends repetitive tasks and enables faster application deployments. It automates configuration management, orchestration, application deployment, cloud provisioning, and a number of other IT requirements.
• Other tools/frameworks for adding security to the DevOps pipeline include Gauntlt and OWASP Zed Attack Proxy (ZAP). These tools may be used during deployment, allowing for automated security tests. Gauntlt provides hooks to a variety of organizational tools that are used for security testing such as nmap, curl, sqlmap, and others. There are also tools such as Splunk that should be mentioned here, primarily for continuous monitoring of the production environment for detection of cybersecurity threats.