Application Security Tools



  • Application Development
  • Application Vulnerabilities and Test
  • Windows System/Application Test Software
  • Security Awareness 
  • Security Assessment Methodology
  • Digital Forensic Investigation Tools
Application Development


  • SDLC: SDLC is the Software Development Life Cycle, the process by which information systems or software are designed and developed. Like every other process, an SDLC can be carried out with various methods.
    • One of the oldest is the Waterfall method. The first known use of Waterfall was in 1956 by Herbert D. Benington at the Symposium on Advanced Programming Methods for Digital Computers. The main competitor of the Waterfall method is the Agile method. Waterfall goes through the phases of Conception, Initiation, Analysis, Design, Construction, Testing, Production/Implementation and Maintenance one after the other, like the flow of a waterfall: the team cannot move on to a phase until the previous phase is complete. The advantage of this method, even though it is time consuming, is that bugs found early save a lot of time and money later. For instance, a bug found in the Conception or Initiation phase can be corrected before Design starts, rather than being discovered while the software is being designed and forcing the design to be scrapped. The method requires intensive documentation in each phase, so the process does not depend on any individual on the team: if a team member needs to be replaced, the new person can easily understand where the project currently stands.
    • The Agile method, on the other hand, is an iterative and incremental approach to software development. In this form of SDLC, small modules of the final product are released for the users to review and are then changed accordingly. As the name suggests, this environment is flexible and can be adapted to the circumstances. Different developers work on their own tasks simultaneously and then combine their work at the end. The focus is on delivering working software rather than documentation. Since it is iterative, it works in cycles: new things are discovered during each iteration and can be improved or fixed before the next cycle begins. Communication is used instead of documentation, which makes work in an Agile environment faster. Agile methods seem best suited to developmental and non-sequential projects; as such they are ineffective for some types of projects and are not taken seriously by a lot of companies.



SDLC Model / Advantages / Disadvantages
  • Waterfall
    • Advantages:
      • Simple and easy to understand and use.
      • Easy to manage due to the rigidity of the model. Each phase has specific deliverables and a review process.
      • Phases are processed and completed one at a time.
      • Works well for smaller projects where requirements are very well understood.
      • Clearly defined stages.
      • Well understood milestones.
      • Easy to arrange tasks.
      • Process and results are well documented.
    • Disadvantages:
      • No working software is produced until late in the life cycle.
      • High amounts of risk and uncertainty.
      • Not a good model for complex and object-oriented projects.
      • Poor model for long and ongoing projects.
      • Not suitable for projects where requirements are at a moderate to high risk of changing, so risk and uncertainty are high with this process model.
      • It is difficult to measure progress within stages.
      • Cannot accommodate changing requirements.
      • Adjusting scope during the life cycle can end a project.
      • Integration is done as a "big bang" at the very end, which does not allow any technological or business bottlenecks or challenges to be identified early.
  • Agile
    • Advantages:
      • A very realistic approach to software development.
      • Promotes teamwork and cross training.
      • Functionality can be developed rapidly and demonstrated.
      • Resource requirements are minimal.
      • Suitable for fixed or changing requirements.
      • Delivers early partial working solutions.
      • Good model for environments that change steadily.
      • Minimal rules; documentation easily employed.
      • Enables concurrent development and delivery within an overall planned context.
      • Little or no planning required.
      • Easy to manage.
      • Gives flexibility to developers.
    • Disadvantages:
      • Not suitable for handling complex dependencies.
      • More risk to sustainability, maintainability and extensibility.
      • An overall plan, an agile leader and agile PM practice are a must, without which it will not work.
      • Strict delivery management dictates the scope, the functionality to be delivered, and the adjustments needed to meet deadlines.
      • Depends heavily on customer interaction, so if the customer is not clear, the team can be driven in the wrong direction.
      • Very high individual dependency, since minimal documentation is generated.
      • Transfer of technology to new team members may be quite challenging due to the lack of documentation.

  • REST based Services/Architecture vs RESTful Services/Architecture
    To differentiate or compare these two, you should first know what REST is. REST (REpresentational State Transfer) is an architectural style of development with the following principles:
    • It should be stateless.
    • It should access all resources on the server using only URIs.
    • It has no built-in encryption.
    • It has no sessions.
    • It uses one and only one protocol, HTTP.
    • For CRUD operations it should use the HTTP verbs GET, POST, PUT and DELETE.
    • It should return results only in a lightweight data format such as JSON, XML, Atom or OData.
    REST based services follow some of the above principles but not all, whereas RESTful means that all of the above principles are followed.
  • SonarQube
  • VeraCode
  • Fortify SCA and Fortify WebInspect
  • IBM AppScan



Application Test Methodologies with Tools




Application Testing / Types of Testing
  • Web Application Testing
    • Functional and Performance Testing
    • Cross-browser Testing
    • Load and Stress Testing
    • Regression and Compliance Testing
    • User Acceptance Testing
    • Beta Testing
    • Exploratory and Smoke Testing
    • Multilanguage Support and Compatibility Testing
  • Desktop Application Testing
    • UI Testing
    • Usability Testing
    • Performance Testing
    • Compatibility Testing (Software/Hardware)
    • Functional Testing
    • Security Testing
  • Mobile Application Testing
    • UI Testing
    • Rule based Testing
    • Regression Testing
    • Functional Testing
    • Security Testing



  • Black Box Testing: the Black Box Testing technique is commonly used for functional testing, non-functional testing and regression testing. In black box testing, the strategies used are
    • Equivalence Class Testing
    • Boundary Value Testing
    • Decision Table Testing
    • State Transition Tables
  • White Box Testing: white box testing is typically used to test the software code itself, checking for internal security holes, broken or poorly structured paths, the behaviour of conditional loops, etc. In white box testing, the strategies used are
    • Code Coverage analysis
    • Path Coverage
  • Gray Box Testing: this testing technique is a combination of Black Box Testing and White Box Testing. It is carried out to find defects caused by improper structure or improper application use.
  • Static Application Security Testing (SAST) – Big software organizations worldwide are gravitating towards CI/CD, Agile and DevOps setups. SAST solutions have all the characteristics needed to blend into these software life cycles: code can be scanned fast, vulnerabilities are located accurately, and untouched code does not have to be re-scanned.
  • Dynamic Application Security Testing (DAST) – While DAST tools provide risk analysis and assist in remediation efforts, developers do not really know where exactly the vulnerabilities are located, nor do they always know what countermeasures to implement. DAST reporting is less than satisfactory in numerous instances.
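As an added example (not from the original post), the boundary value and equivalence class strategies above applied to the field underflow/overflow item of the Security Compass practice further down: a generator derives the test inputs from an assumed 3 to 16 character username rule and reports any validator whose accept/reject decisions disagree with it. Both validators, including the off-by-one defect, are constructed for illustration.

```python
"""Boundary value and equivalence class test generation for a length-limited
input field (field underflow / overflow). Added example; the 3..16 character
username rule and both validators are assumptions made for illustration."""

MIN_LEN, MAX_LEN = 3, 16  # assumed specification for a username field


def equivalence_classes(min_len, max_len):
    """One representative input per class: underflow, valid, overflow."""
    return {
        "underflow": "a" * (min_len - 1),
        "valid": "a" * ((min_len + max_len) // 2),
        "overflow": "a" * (max_len + 1),
    }


def boundary_values(min_len, max_len):
    """Inputs just below, at and just above each boundary, plus the empty
    string, as (input, expected_accept) pairs sorted by length."""
    lengths = {0, min_len - 1, min_len, min_len + 1,
               max_len - 1, max_len, max_len + 1}
    return [("a" * n, min_len <= n <= max_len) for n in sorted(lengths)]


def validate_correct(value):
    """Validator that matches the specification."""
    return MIN_LEN <= len(value) <= MAX_LEN


def validate_off_by_one(value):
    """Constructed defect: '<' instead of '<=' rejects the minimum length."""
    return MIN_LEN < len(value) <= MAX_LEN


def run_boundary_tests(validator, min_len=MIN_LEN, max_len=MAX_LEN):
    """Black box check: return (length, expected, actual) for every boundary
    input on which the validator disagrees with the specification."""
    failures = []
    for value, expected in boundary_values(min_len, max_len):
        actual = validator(value)
        if actual != expected:
            failures.append((len(value), expected, actual))
    return failures


if __name__ == "__main__":
    for v in (validate_correct, validate_off_by_one):
        print(v.__name__, "->", run_boundary_tests(v) or "no boundary defects")
```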
Tools
  • Selenium
  • IBM Rational Robot
  • RFT (Rational Functional Tester)
  • LoadRunner (HP Performance Tester)
  • Apache JMeter
Example:
One Good Practice from Security Compass:

Web Server Scans
- Full TCP/UDP Port Scans
- Web Server Scans
  • Nikto (www.cirt.net)
  • Spike Web Proxy (www.immunitysec.com)
  • Stealth Scanner (www.nstalker.com) Free/Commercial
- SSL Version (40/56/128 Bit)
- Administrator Port
- Internal IP
- Internal Port
- Internal Server Name
- Load Balancer

Web Application: Background Information on the site
- Identify Technologies used and application architecture
- Mirror site
- Sift through client side code (review comments and client side code)
- Authenticate to the site and browse the site
- Document all the links and pages on the site

Web Applications: Threat Analysis
Web Application: Begin Testing of the Web Application
- Configuration Management (Web Server)
- Backup Files (.bak / .inc / .gz / .zip)
- Authentication (ACLs on Files / ACLs on Data / Cookies)
- Session / Cookie Management
- Input Validation (XSS / SQL Injection / Field Overflows / Field Underflows)
- Hidden Tags / Hidden Cookie Variables / Hidden Pages
- File Upload (File Type / Location of Upload)
- Buffer Overflows (ISAPI/Modules)
- Cryptography
- Sensitive Data

Web Application: Search Engine Hacking
- groups.google.com
- yahoo.com
- archive.org

Authentication
Authorization
Session Management
User Management
Cryptography, PII, Critical Data
Data Validation
Data Handling
Error & Exception
Event Logging
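As an added example (not Security Compass tooling or code from the original post), a defender-side audit of a local web root for two items from the checklist above: leftover backup files (.bak/.inc/.gz/.zip) that should never reach production, and hidden form fields whose values must be re-validated on the server because the client can change them. The sample site is constructed inline; its file names and contents are assumptions.

```python
"""Audit a local web root for leftover backup files (.bak/.inc/.gz/.zip) and
hidden form fields. Added example; the sample site below is constructed."""
import os
import tempfile
from html.parser import HTMLParser

BACKUP_EXTENSIONS = (".bak", ".inc", ".gz", ".zip")


class HiddenFieldParser(HTMLParser):
    """Collect (name, value) of every <input type="hidden"> in a page."""
    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden.append((a.get("name"), a.get("value")))


def audit_webroot(root):
    """Return backup files and hidden fields per HTML page, relative to root."""
    findings = {"backup_files": [], "hidden_fields": {}}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            if fn.lower().endswith(BACKUP_EXTENSIONS):
                findings["backup_files"].append(rel)  # must not ship
            elif fn.lower().endswith((".html", ".htm")):
                parser = HiddenFieldParser()
                with open(path, encoding="utf-8", errors="replace") as f:
                    parser.feed(f.read())
                if parser.hidden:  # client-controlled values, re-check server side
                    findings["hidden_fields"][rel] = parser.hidden
    findings["backup_files"].sort()
    return findings


def build_sample_webroot():
    """Constructed sample: config backup, old page copy, hidden price field."""
    root = tempfile.mkdtemp()
    samples = {
        "config.inc": "<?php $db_pass = 'placeholder'; ?>",
        "index.html.bak": "<html><body>old copy</body></html>",
        "checkout.html": '<form><input type="hidden" name="price" value="9.99"></form>',
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as f:
            f.write(body)
    return root
```

Run `audit_webroot(build_sample_webroot())` to see both findings; point it at a real deployment directory to check it before release.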





Application Vulnerabilities

Windows System/Application Test Software

  • Sandboxie, which lets you run programs isolated from the rest of your system, so that they cannot infect, access or otherwise interfere with your Windows installation. It supports 64-bit Windows and Windows 8.
  • PowerShadow works both proactively and protectively to shield you from anything that threatens the life of your computer system. Installing PowerShadow is like planting a protection mechanism called Shadow Mode. It is designed to defend you against the millions of viruses, spyware and Trojan horses that would love to invade your system.


Security Awareness
  • Security Education Platform - Wombat, Leader in the Magic Quadrant for Security Awareness Computer-Based Training (CBT).


Security Assessment Methodology

Digital Forensic Investigation Tools