Many of these tools have features that need to be studied and understood before you try to use them. There is no sense in applying an advanced testing mechanism without knowing how to interpret the testing results on your particular application. It is best to start slow and master one or two testing features at a time before moving on.
Another free OWASP tool is Mantra, an open source, browser-based framework for penetration testing. Mantra offers a large number of plug-ins that can be used for various categories of testing, such as information gathering and application auditing. Both SQL Inject Me and XSS Me plug into the Mantra framework as well. In addition, Mantra offers tools that can interrogate network and proxy information. There are approximately fifty tools available as plug-ins to the Mantra framework. The best part about Mantra is that OWASP provides some very good documentation supporting the proper usage of each tool, which is valuable for beginning and intermediate testers alike.
Additionally, there are a number of free web application vulnerability scanners, such as Websecurify, Netsparker Community Edition, and w3af. These scanners allow you to identify common vulnerabilities through a scanning mechanism, interpret the results, and perform some deeper tests to further explore the vulnerabilities discovered. There are varying features across these tools and, again, it will take the beginner a while to come up to speed. Do the proper due diligence around each category of vulnerability that each tool helps identify so that you understand the severity and the risks.
Thorough security testing is a complicated and technical undertaking, but with some incremental first steps, testers can begin to master some critically important techniques and tools that increase the security of web applications and make it more difficult for hackers to gain access. Over time, your organization can develop a security testing methodology that is complemented by a set of tools that act as a line of defense for your applications prior to release to production. As with many other aspects of testing, security testing is most effective when done by different individuals who specialize in certain types of testing methods. This allows for the development of a diverse set of tests from a diverse set of testers. The main objective for those taking on a security testing role is to develop a set of comprehensive security regression tests that can be iterated on and expanded over time to further protect your users and corporate brand from the risks of insecure software.
Security testing is a comprehensive discipline that requires a great deal of study and experimentation to master and, as noted above, there are literally hundreds of tools available to help. While you can achieve a foundational level of effectiveness by using the tools presented here, you will need to supplement them with a more comprehensive strategy. This could include outsourcing some security testing tasks to an expert testing organization or to your internal corporate IT security group. Learning a new testing discipline is a journey. Once you become familiar with some of the foundational techniques of security testing and the right tools, your testing organization will be well on its way to providing another safety net protecting your organization’s consumers and corporate assets.