Application Security Tools





  • Application Development
  • Application Vulnerabilities and Test
  • Windows System/Application Test Software
  • Security Awareness 
  • Security Assessment Methodology
  • Digital Forensic Investigation Tools

Application Development


  • SDLC: SDLC stands for Software Development Life Cycle, the process by which information systems and software are designed and developed. Like every other process, there are several methods for completing its steps. One of the oldest is the Waterfall method, whose first known usage was in 1956 by Herbert D. Benington at the Symposium on Advanced Programming Methods for Digital Computers. One of the main competitors to the Waterfall method is the Agile method. The Waterfall method goes through the phases of conception, initiation, analysis, design, construction, testing, production/implementation and maintenance one after the other, like the motion of a waterfall; the team cannot move on to a phase until the previous phase is complete. Although this method is time consuming, its advantage is that bugs found early save a lot of time and money later: a bug found in the conception or initiation phase can be corrected before design starts, rather than being discovered while the software is being designed and then scrapped completely. The method requires intensive documentation in each phase, so the process does not depend on any individual on the team; if a team member has to be replaced, the new person can easily see where the project currently stands.
  • The Agile method, on the other hand, is an iterative and incremental approach to software development. In this form of SDLC, small modules of the final product are released for users to review and are then changed accordingly. As the name suggests, this environment is flexible and can be adapted to the circumstances. Different developers work on their own tasks simultaneously and then combine their work at the end. The focus is on delivering working software rather than documentation. Since it is iterative, it works in cycles: new things are discovered during each iteration and can be improved or fixed before the next cycle begins. Communication rather than documentation is used, so work in an Agile environment is faster. Agile methods seem best suited to developmental and non-sequential projects; as such they are ineffective for some types of projects and are not taken seriously by many companies.

  • REST based Services/Architecture vs. RESTful Services/Architecture
To compare the two you first need to know what REST is. REST (REpresentational State Transfer) is an architectural style of development with a set of principles:
  • It should be stateless
  • It should access all resources on the server using only URIs
  • It does not have built-in encryption
  • It does not have sessions
  • It uses a single protocol, HTTP
  • For CRUD operations it should use the HTTP verbs GET, POST, PUT and DELETE
  • It should return results only in lightweight formats such as JSON, XML, Atom or OData
REST based services follow some of the above principles but not all of them, whereas RESTful means that all of the above principles are followed.
  • SonarQube
  • VeraCode
  • Fortify SCA and Fortify WebInspect
  • IBM AppScan



Application Test Methodologies with Tools


Application Testing

Types of Testing

  • Web Application Testing
    • Functional and Performance Testing
    • Cross-browser Testing
    • Load and Stress Testing
    • Regression and Compliance Testing
    • User Acceptance Testing
    • Beta Testing
    • Exploratory and Smoke Testing
    • Multilanguage Support and Compatibility Testing
  • Desktop Application Testing
    • UI Testing
    • Usability Testing
    • Performance Testing
    • Compatibility Testing (Software/Hardware)
    • Functional Testing
    • Security Testing
  • Mobile Application Testing
    • UI Testing
    • Rule-based Testing
    • Regression Testing
    • Functional Testing
    • Security Testing




  • Black Box Testing: black box testing is commonly used for functional testing, non-functional testing and regression testing. The strategies used in black box testing are
    • Equivalence Class Testing
    • Boundary Value Testing
    • Decision Table Testing
    • State Transition Tables
  • White Box Testing: white box testing is typically used to test the software code itself, checking for internal security holes, broken or poorly structured paths, the behaviour of conditional loops, etc. The strategies used in white box testing are
    • Code Coverage Analysis
    • Path Coverage
  • Gray Box Testing: this technique combines black box and white box testing. It is used to find defects caused by improper structure or improper use of the application.
  • Static Application Security Testing (SAST) – Large software organizations worldwide are gravitating towards CI/CD, Agile and DevOps setups, and SAST solutions have the characteristics needed to blend into these software life cycles: code can be scanned quickly, vulnerabilities are located accurately, and untouched code does not have to be re-scanned.
  • Dynamic Application Security Testing (DAST) – While DAST tools provide risk analysis and assist remediation efforts, developers often do not know exactly where in the code a vulnerability is located, nor do they always know which countermeasures to implement. DAST reporting is less than satisfactory in many instances.
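As an added example (not from the original post), the two black box strategies above applied to a length-constrained input field: boundary value analysis generates the values just around each limit, equivalence partitioning one representative per class. The two validators, the 3..20 character limits and the off-by-one in the "buggy" one are assumptions; the off-by-one corresponds to the field underflow item in the checklist further down.

```python
# Black-box test generation for a username field with assumed limits.
# validate_username_buggy is a hypothetical validator with an off-by-one at the
# lower bound; boundary-value cases catch it, the equivalence cases do not.
import string
from typing import Callable, Dict, List, Tuple

MIN_LEN, MAX_LEN = 3, 20  # assumed limits for the field
ALLOWED = set(string.ascii_letters + string.digits + "_")


def validate_username_buggy(value: str) -> bool:
    # Bug: strict "<" rejects a value of exactly MIN_LEN characters
    return MIN_LEN < len(value) <= MAX_LEN and all(c in ALLOWED for c in value)


def validate_username_fixed(value: str) -> bool:
    return MIN_LEN <= len(value) <= MAX_LEN and all(c in ALLOWED for c in value)


def boundary_cases(lo: int, hi: int) -> List[Tuple[str, bool]]:
    """Boundary-value analysis: lo-1, lo, lo+1, hi-1, hi, hi+1 (valid chars only)."""
    return [("a" * n, lo <= n <= hi) for n in (lo - 1, lo, lo + 1, hi - 1, hi, hi + 1)]


def equivalence_cases(lo: int, hi: int) -> List[Tuple[str, bool]]:
    """Equivalence partitioning: one representative input per class."""
    mid = (lo + hi) // 2
    return [
        ("", False),                     # empty field
        ("a" * mid, True),               # valid, typical length
        ("a" * (hi * 10), False),        # gross field overflow
        ("a" * (mid - 1) + "!", False),  # disallowed punctuation
        ("a" * (mid - 1) + " ", False),  # embedded whitespace
    ]


def run_cases(validator: Callable[[str], bool], cases) -> List[str]:
    """Return the inputs whose verdict differs from the expected one."""
    return [repr(inp) for inp, expected in cases if validator(inp) != expected]


def find_failures(validator: Callable[[str], bool]) -> Dict[str, List[str]]:
    return {
        "boundary": run_cases(validator, boundary_cases(MIN_LEN, MAX_LEN)),
        "equivalence": run_cases(validator, equivalence_cases(MIN_LEN, MAX_LEN)),
    }


if __name__ == "__main__":
    for name, v in (("buggy", validate_username_buggy), ("fixed", validate_username_fixed)):
        print(name, find_failures(v))
```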
Tools
  • Selenium
  • IBM Rational Robot
  • RFT (Rational Functional Tester)
  • LoadRunner (HP performance tester)
  • Apache JMeter
Example:
One Good Practice from Security Compass:

Web Server Scans
- Full TCP /UDP Port Scans
- Web Server Scans
  • Nikto (www.cirt.net)
  • Spike Web Proxy (www.immunitysec.com)
  • Stealth Scanner (www.nstalker.com) Free/Commercial
- SSL Version (40/56/128 Bit)
- Administrator Port
- Internal IP
- Internal Port
- Internal Server Name
- Load Balancer

Web Application: Background Information on the site
- Identify Technologies used and application architecture
- Mirror site
- Sift through client side code (review comments and client side code)
- Authenticate to the site and browse the site
- Document all the links and pages on the site

Web Applications: Threat Analysis
Web Application: Begin Testing of the Web Application
- Configuration Management (Web Server)
- Backup Files (.bak / .inc/ .gz / .zip)
- Authentication (ACLs on Files / ACLs on Data / Cookies)
- Session / Cookie Management
- Input Validation (XSS/SQL Injection / Field Overflows / Field Underflow)
- Hidden Tags / Hidden Cookie Variables / Hidden Pages
- File Upload ( File Type / Location of upload)
- Buffer Overflows (ISAPI/Modules)
- Cryptography
- Sensitive Data
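As an added example (not from the original post or the Security Compass checklist), a defender-side hygiene check for the "Backup Files" item: walk the web document root on the server itself and list leftovers with the extensions named above, plus a few editor leftovers. The suffix list and the sample tree are constructed for this example.

```python
# Local check for backup and source leftovers in a web document root.
# RISKY_SUFFIXES extends the checklist's .bak/.inc/.gz/.zip with assumed
# editor leftovers (vim swap files and "~" backups).
import os
import tempfile
from typing import List

RISKY_SUFFIXES = (".bak", ".inc", ".gz", ".zip", ".old", ".orig", ".swp", "~")


def find_backup_artifacts(webroot: str) -> List[str]:
    """Return paths (relative to webroot, '/'-separated) that look like leftovers."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(RISKY_SUFFIXES):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_webroot() -> str:
    """Create a constructed document root with a few leftovers; returns its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = [
        "index.php",
        "index.php.bak",         # editor backup of live code, served as text
        "config.inc",            # include file exposed outside the PHP handler
        "assets/site.zip",       # archive of the whole site
        "assets/logo.png",       # legitimate asset, must not be flagged
        "admin/.login.php.swp",  # vim swap file
        "admin/login.php~",      # emacs/vi backup
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    for hit in find_backup_artifacts(build_sample_webroot()):
        print("leftover:", hit)
```

Run it against the real document root with find_backup_artifacts("/var/www/html") (path assumed) as part of a deployment check.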

Web Application: Search Engine Hacking
- groups.google.com
- yahoo.com
- archive.org

Authentication
Authorization
Session Management
User Management
Cryptography, PII, Critical Data
Data Validation
Data Handling
Error & Exception
Event Logging





Application Vulnerabilities

Windows System/Application Test Software

  • Sandboxie, which lets you run programs isolated from the rest of your system, so that they cannot infect, access or otherwise interfere with your Windows installation. It supports 64-bit Windows and Windows 8.
  • PowerShadow works both proactively and protectively to shield you from anything that threatens your computer system. Installing PowerShadow sets up a protection mechanism called Shadow Mode, designed to defend you against the millions of viruses, spyware and Trojan horses that would love to invade your system.


Security Awareness
  • Security Education Platform - Wombat, Leader in the Magic Quadrant for Security Awareness Computer-Based Training (CBT).


Security Assessment Methodology

Digital Forensic Investigation Tools