Web Application Speed Testing

• https://www.dotcom-tools.com/
• https://gf.dev/website-audit - Website Audit for Best practices, Performance and SEO
• https://performance.sucuri.net/ - Test how fast is your site's performance from across the globe
• https://gtmetrix.com/ - See how your site performs, reveal why it's slow and discover optimization opportunities. It can compare multiple sites in one page. 
• https://tools.pingdom.com/ - test the page load time, analyze it and find bottlenecks
• https://www.webpagetest.org - Run a free website speed test from multiple locations around the globe using real browser at real consumer connection speed. 
• https://www.websitepulse.com/help/testtools.web-page-test.html 
• https://www.site24x7.com/web-page-analyzer.html

• White Box Testing: White box testing is typically used for testing the software code to check Internal security holes, broken or poorly structured paths, functionality of conditional loops, etc. In white box testing, the strategy used are
• Code Coverage analysis
• Path Coverage

• Gray Box Testing: This testing technique is a combination of both Black Box Testing as well as White box testing. It is carried out in accordance to find Defect based on improper structure or application use.

• Static Application Security Testing (SAST) – Big software organizations worldwide are gravitating towards CICD, Agile and DevOps setups. SAST solutions have all the characteristics to blend into these Software Life Cycle’s. Code can be scanned fast, vulnerabilities are located accurately and untouched code doesn’t have to be re-scanned.
• Dynamic Application Security Testing (DAST) – While DAST tools provide risk analysis and assist in the remediation efforts, developers don’t really know where exactly the vulnerabilities are located, not do they always now what countermeasures to implement. DAST methodology reporting is less than satisfactory in numerous instances.

• Selenium
• IBM Rational Robot
• RFT (Rational Functional Tester)
• Load Runner ( HP Performance Tester)
• Apache Jmeter

• Nikto (www.cirt.net)
• Spike Web Proxy (www.immunitiysec.com)
• Stealth Scanner (www.nstalker.com) Free/Commercial

• OWASP Top 10
• A1:2017-Injection
• A2:2017-Broken Authentication
• A3:2017-Sensitive Data Exposure
• A4:2017-XML External Entities (XXE)
• A5:2017-Broken Access Control
• A6:2017-Security Misconfiguration
• A7:2017-Cross-Site Scripting (XSS)
• A8:2017-Insecure Deserialization
• A9:2017-Using Components with Known Vulnerabilities
• A10:2017-Insufficient Logging&Monitoring
• WASC TCv2 (WASC Threat Classification v2.0) Web Application Security Consortium Threat Classification

• Attacks

  Weaknesses

  Abuse of Functionality Brute Force Buffer Overflow Content Spoofing Credential/Session Prediction Cross-Site Scripting Cross-Site Request Forgery Denial of Service Fingerprinting Format String HTTP Response Smuggling HTTP Response Splitting HTTP Request Smuggling HTTP Request Splitting Integer Overflows LDAP Injection Mail Command Injection Null Byte Injection OS Commanding Path Traversal Predictable Resource Location Remote File Inclusion (RFI) Routing Detour Session Fixation SOAP Array Abuse SSI Injection SQL Injection URL Redirector Abuse  XPath Injection XML Attribute Blowup XML External Entities XML Entity Expansion  XML Injection XQuery Injection

  Application Misconfiguration Directory Indexing Improper Filesystem Permissions Improper Input Handling Improper Output Handling Information Leakage Insecure Indexing Insufficient Anti-automation Insufficient Authentication Insufficient Authorization Insufficient Password Recovery Insufficient Process Validation Insufficient Session Expiration Insufficient Transport Layer Protection Server Misconfiguration

  
  
  
  
  
  
• CWE 25
• CWE™ (Common Weakness Enumeration) is a community-developed list of common software security weaknesses. It serves as a common language, a measuring stick for software security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.a

• Sandboxie, which lets you run programs independent of the rest of your system. That way they can't infect, access, or otherwise interfere with your Windows installation. It supports 64bits and Win8. 
• PowerShadow works both pro-actively and protectively to shield you from anything that threatens the life of your computer system. Installation of PowerShadow is like planting an amazing protection mechanism called the Shadow Mode. It is designed to defend you against millions of viruses, spyware and Trojan horse that would love to invade your system.

• Security Education Platform - Wombat, (Now it is part of Proofpoint) Leader in the Magic Quadrant for Security Awareness Computer-Based Training (CBT).

• B.A.S.E - SANS.org 
• Baseline,
• Audit & Assess
• Secure the environment
• Evaluate & Education
• NIST 800-37 Risk Management Framework (RMF) - Six Main Steps + One Preparatory Step
• Prepare 
• Categorize
• Select
• Implement
• Assess
• Authorize
• Monitor

• SANS SIFT
• Paladin suite

• Integrated Development Environments (IDEs) : Eclipse
• Version Control Systems: Git
• Defect/Issue Tracking Systems: Jira

• Jenkins, an automation server that may be utilized either as simple CI servers, or turned into CD hubs for projects, with plugins that support integration with various tools in the CI/CD toolchain.
• Docker, a software container technology platform that enables its users to create, deploy, run, and manage applications within the containers. Docker containers run within the kernel of the host machine and they don’t require additional hypervisor load, so they are lightweight.
• Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.
• Chef, a configuration management tool that delivers fast, scalable, and flexible automation of Web-scale IT. Chef automation tool uses ‘recipes’ for web-server configuration, databases and load balancers.
• Puppet, a flexible, cross-platform and open source DevOps configuration management tool that automates the delivery and operation of a software during its entire lifecycle.
• Ansible, a server and configuration management tool that makes IT automation simple as it ends repetitive tasks and enables faster application deployments. It automates configuration management, orchestration, application deployment, cloud provisioning, and a number of other IT requirements.
• Other tools/frameworks for adding security to the DevOps pipeline include Gauntlt and OWASP Zed Attack Proxy (ZAP). These tools may be used during deployment, allowing for automated security tests. Gauntlt provides hooks to a variety of organizational tools that are used for security testing such as nmap, curl, sqlmap, and others. There are also tools such as Splunk that should be mentioned here, primarily for continuous monitoring of the production environment for detection of cybersecurity threats.