What is Security Testing?
Security testing is performed to ensure that the data within an information system is protected and not accessible to unauthorized users. Security testing protects applications against external malware and other unanticipated threats that may result in exploitation of the application. Security testing mainly covers the following areas:
The following flow needs to be checked in every phase of the software development lifecycle:
Security testing helps avoid:
Loss of customers
required to repair the website after an attack
Other legal implications that arise due to lax security measures
Here are a few open source tools that are popular in security testing:
ZED Attack Proxy (ZAP)
ZED Attack Proxy (ZAP) is an open source tool designed to help security professionals find the security vulnerabilities present in a web application. It was developed by OWASP to run on Windows, Unix/Linux and Macintosh platforms. It can be used as a scanner/filter to test a web page manually. Its key features are an intercepting proxy, an automated scanner, passive scanning, a brute force scanner, fuzzing, dynamic SSL certificates and a REST-based API.
Download link: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
The Open Web Application Security Project (OWASP) is an organization dedicated to providing information about application security. The OWASP Top 10 Web Application Security Risks are commonly found in web applications and are also easy to exploit. These OWASP Top 10 risks make an application dangerous because they may allow data theft or a complete takeover of your web servers.
OWASP Top 10
We can run OWASP ZAP from the GUI as well as from the command prompt.
To trigger ZAP through the CLI, the following command is used. In the original it is assembled inside a script, where EVConfig.ZAP_PATH supplies the ZAP installation path and EVConfig.EV_1_IP the target host; replace the placeholders accordingly:
zap-cli --zap-path "<EVConfig.ZAP_PATH>" quick-scan --self-contained --spider -r -s xss http://<EVConfig.EV_1_IP> -l Informational
Here --self-contained starts and stops ZAP around the scan, --spider crawls the target before scanning, -r makes the scan recursive, -s xss restricts the active scan to the XSS scanners, and -l Informational includes alerts of every level in the output.
§ Steps to run ZAP from the GUI:
§ Set the local proxy in the browser and record the
§ Once the recording is complete, right click on the link in the ZAP tool, then click on ‘Active Scan’.
§ After scanning completes, download the report in .html format.
option to execute OWASP ZAP:
Set the local proxy in the browser.
Enter the URL in the ‘URL to attack’ text box, then click the ‘Attack’ button.
On the left side of the screen we can see the scanned sitemap content.
From the bottom portion we can find the request, the response and the bug severity.
Burp Suite is a tool for performing security testing of web applications. It has a Professional and a Community edition. It has 100+ predefined vulnerability conditions and applies these conditions to our website to find vulnerabilities.
It covers more than 100 generic vulnerabilities, such as SQL injection, cross-site scripting (XSS), XPath injection, etc. Some of these are well known in security prevention, and we can scan at different speeds such as fast and normal. Using this tool we can scan the entire application, a particular branch of the site, or an individual URL.
Burp Suite shows the results in a tree view structure. We can drill down into the detailed individual items by selecting a branch or node. The scanned result comes up with a red indication if any vulnerability is found.
Vulnerabilities are marked with confidence and severity, which is very helpful for deciding which of the most significant issues to look at first.
Detailed custom advisories are available for all reported vulnerabilities, including a full description of the issue, the confidence type, the issue severity and the path of the file.
We can download HTML reports of the discovered vulnerabilities, which clearly show their severity and confidence.
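The severity and confidence triage described for Burp Suite above, together with the report ZAP produces after the CLI scan, can be turned into one automated gate in the CI pipeline. The Python below is an added example, not code from the original post or from either tool: it parses a constructed ZAP JSON report and a constructed Burp Scanner XML export (both laid out like the real report formats, but containing only the fields used here), normalizes them to one severity/confidence scale, ranks the findings, and fails the build on high-severity findings of at least medium confidence. The sample host, finding names and thresholds are all constructed.

```python
"""Triage ZAP and Burp scan findings into one ranked list and apply a CI gate."""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample reports (not real scan output), laid out like the ZAP JSON
# report and the Burp Scanner XML export; only the fields used below are present.
ZAP_JSON = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "http://192.0.2.10",
        "alerts": [
            {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "confidence": "2", "cweid": "79",
             "instances": [{"uri": "http://192.0.2.10/search?q=x", "param": "q"}]},
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "confidence": "2", "cweid": "693",
             "instances": [{"uri": "http://192.0.2.10/", "param": ""}]},
        ],
    }],
})

BURP_XML = """<issues>
  <issue>
    <name>SQL injection</name>
    <host ip="192.0.2.10">http://192.0.2.10</host>
    <path>/login</path>
    <severity>High</severity>
    <confidence>Certain</confidence>
  </issue>
  <issue>
    <name>Cookie without HttpOnly flag set</name>
    <host ip="192.0.2.10">http://192.0.2.10</host>
    <path>/</path>
    <severity>Low</severity>
    <confidence>Firm</confidence>
  </issue>
</issues>"""

# Burp uses words; ZAP uses numbers (riskcode 0..3, confidence 0..4). Map Burp
# onto ZAP's numeric scale so both tools' findings can be compared directly.
SEVERITY = {"Information": 0, "Low": 1, "Medium": 2, "High": 3}
BURP_CONFIDENCE = {"Tentative": 1, "Firm": 2, "Certain": 3}


@dataclass(frozen=True)
class Finding:
    tool: str
    name: str
    location: str
    severity: int    # 0..3, same scale as the ZAP riskcode
    confidence: int  # 1..3 (ZAP's 0 = false positive is dropped, 4 is capped to 3)

    @property
    def priority(self) -> int:
        # Severity dominates; confidence only breaks ties within a severity band.
        return self.severity * 10 + self.confidence


def parse_zap(report: str) -> list[Finding]:
    findings = []
    for site in json.loads(report)["site"]:
        for alert in site.get("alerts", []):
            conf = int(alert["confidence"])
            if conf == 0:  # alert has been marked as a false positive in ZAP
                continue
            for inst in alert.get("instances", []):
                findings.append(Finding("zap", alert["alert"], inst["uri"],
                                        int(alert["riskcode"]), min(conf, 3)))
    return findings


def parse_burp(export: str) -> list[Finding]:
    findings = []
    for issue in ET.fromstring(export).iter("issue"):
        location = issue.findtext("host", "") + issue.findtext("path", "")
        findings.append(Finding(
            "burp", issue.findtext("name", ""), location,
            SEVERITY[issue.findtext("severity", "Information")],
            BURP_CONFIDENCE[issue.findtext("confidence", "Tentative")]))
    return findings


def rank(findings: list[Finding]) -> list[Finding]:
    """Most significant issues first, deterministic order for equal priority."""
    return sorted(findings, key=lambda f: (-f.priority, f.tool, f.name))


def gate(findings: list[Finding], max_severity: int = 2,
         min_confidence: int = 2) -> list[Finding]:
    """Findings that should fail the build: severity above max_severity
    (i.e. High with the default) and confidence of at least min_confidence."""
    return [f for f in findings
            if f.severity > max_severity and f.confidence >= min_confidence]


if __name__ == "__main__":
    ranked = rank(parse_zap(ZAP_JSON) + parse_burp(BURP_XML))
    for f in ranked:
        print(f"{f.priority:3} {f.tool:5} sev={f.severity} conf={f.confidence} "
              f"{f.name} @ {f.location}")
    blocking = gate(ranked)
    print(f"{len(blocking)} blocking finding(s)")
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the CI job
```

Keeping the severity and confidence scales separate, rather than collapsing them into one score, lets the gate ignore low-confidence High findings that still need a human look without silently dropping them from the ranked list.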
SonarQube is an open source tool for measuring the quality of source code. It is written in Java but can analyze 20+ different programming languages. It integrates easily with continuous integration tools such as a Jenkins server. The results are published to the SonarQube server with ‘green’ and ‘red lights’, nice charts, and a viewable project-level issue list.
§ To perform the analysis, download the SonarQube Runner and unzip it.
§ Put this file in the root directory of your project.
§ Open a terminal/console in the root directory of your project to check and run the SonarQube Runner. After successful execution of the SonarQube Runner you can find the results on the http://localhost:9000 web page.
Project-wise home page:
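The SonarQube Runner reads its settings from a sonar-project.properties file in the project root before uploading the analysis to the server at http://localhost:9000. The file below is an added, constructed example (not from the original post or the SonarQube project); the project key, name, version and source layout are placeholder values.

```properties
# Constructed example sonar-project.properties for the project root; all values are placeholders.
sonar.projectKey=example-webapp
sonar.projectName=Example Web Application
sonar.projectVersion=1.0
# Directories to analyze (comma-separated), relative to this file.
sonar.sources=src
# Leave vendored and generated code out so it does not drown out issues in your own code.
sonar.exclusions=**/vendor/**,**/node_modules/**,**/*.min.js
sonar.sourceEncoding=UTF-8
# The SonarQube server that receives the analysis and displays the results.
sonar.host.url=http://localhost:9000
```

Run the runner (sonar-runner, or sonar-scanner in current releases) from that directory. Pass the authentication token on the command line, for example as -Dsonar.login=<token>, rather than committing it into this file.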
Klocwork is a code analysis tool used to identify security, safety and reliability issues in the programming languages C, C++, Java and C#. We can easily integrate it with continuous integration tools like Jenkins, and we can raise a new bug in Jira if we find a new issue. It allows taking a printout of the result from the web page.
Scanned result:
We can see the range and ratio of the issues by clicking the ‘Report’ icon on the home page. On the home page we can see all scanned projects with ‘new’ and ‘existing’ issue counts.
By entering various search conditions in the ‘search’ textbox we can filter the results. Issues are presented with severity, state and some more useful information. By clicking on an issue we can find the line of the issue.
Mark the issue code:
For quick identification, Klocwork highlights the ‘line of code’ where the issue was raised, and it shows how this issue arose and how we can overcome it.