Latest Cyber Security News
How To Choose Security Assessment Tools?
Identify Goals
Outline specific goals so you can determine whether you need a port scanner to find live systems, an application scanner to check for web application vulnerabilities, or a network analyzer to show which protocols are running. If your research shows that a tool is unlikely to meet your goals, look for another.
Use Combination Of Open-Source And Commercial Tools
Since no single security assessment tool can perform every possible security test, using open-source tools to uncover some vulnerabilities is a good option. They can help cut the costs associated with testing. Enterprise editions of commercial tools can then be used to test across an organization's application portfolio.
Employ Diagnostic Experience
While good tools generate strong results, human expertise is required for proper analysis of scan results.
Look For Reporting Features
Apart from the required vulnerability testing features, security assessment tools should generate a variety of useful reports, including ones for technical, developer and QA audiences. These reports need to contain complete vulnerability details along with recommendations for fixing the vulnerabilities. Additionally, pick tools that generate reports with meaningful graphs, such as pie charts or bar graphs, for upper-management audiences.
Threat Exposure
Denial-of-Service
Denial-of-service is an attack on a website or service that inundates it with a high volume of malicious requests, consuming all of the system or network resources and making the site or service unavailable to legitimate users.
Impact
- Shuts down the service
- Leads to revenue loss
- Impairs customers' confidence
Useful Tools: Mercury LoadRunner, Empirix e-Load
Testing Recommendations
- Make sure client sessions are timed out
- Make sure resources are released in a timely manner
- Testing should include simulating the load for the expected maximum number of concurrent users
- Check whether the application enforces user-level thresholds rather than only global thresholds, wherever possible
- Verify that, in case of error, the application exits only after completing all housekeeping tasks
- Ensure that redundancy of service (a failover mechanism) is implemented in the application
- The testing team should check the verbosity of the logs generated
- Anti-automation techniques should be tested
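As an added illustration of two of the recommendations above (user-level thresholds rather than only a global threshold, and timing out idle client sessions), here is a small Python request throttle run against a constructed traffic trace. It is example code written for this page, not from any product named here; the user names, limits and request rates are assumptions.

```python
from collections import defaultdict, deque

class RequestThrottle:
    """Sliding-window limiter with a global cap, an optional per-user cap,
    and idle-session expiry. Illustrative code, not from the page or any product."""
    def __init__(self, window_s, global_limit, per_user_limit=None, idle_timeout_s=300):
        self.window_s = window_s
        self.global_limit = global_limit
        self.per_user_limit = per_user_limit
        self.idle_timeout_s = idle_timeout_s
        self.global_hits = deque()            # timestamps of accepted requests, all users
        self.user_hits = defaultdict(deque)   # user -> timestamps of that user's accepted requests
        self.last_seen = {}                   # user -> last activity time (the "session")

    def _trim(self, hits, now):
        # Drop timestamps that have fallen out of the sliding window.
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()

    def expire_idle_sessions(self, now):
        """Time out sessions idle for idle_timeout_s; returns the users expired."""
        expired = [u for u, t in self.last_seen.items() if now - t >= self.idle_timeout_s]
        for u in expired:
            del self.last_seen[u]
            self.user_hits.pop(u, None)       # release the per-user bookkeeping too
        return expired

    def allow(self, user, now):
        """True if the request is accepted, False if throttled."""
        self.last_seen[user] = now
        self._trim(self.global_hits, now)
        mine = self.user_hits[user]
        self._trim(mine, now)
        if self.per_user_limit is not None and len(mine) >= self.per_user_limit:
            return False                      # this user exceeded its own threshold
        if len(self.global_hits) >= self.global_limit:
            return False                      # service-wide capacity is exhausted
        self.global_hits.append(now)
        mine.append(now)
        return True

def simulate(per_user_limit):
    """Constructed 1 s trace: 'abuser' sends 100 req/s, 'legit' sends 5 req/s, global cap 40.
    Returns (accepted_abuser, accepted_legit)."""
    throttle = RequestThrottle(window_s=1.0, global_limit=40, per_user_limit=per_user_limit)
    trace = [("abuser", k / 100) for k in range(100)] + [("legit", m / 5) for m in range(5)]
    accepted = {"abuser": 0, "legit": 0}
    for user, t in sorted(trace, key=lambda r: r[1]):
        if throttle.allow(user, t):
            accepted[user] += 1
    return accepted["abuser"], accepted["legit"]
```

With only the global cap, `simulate(None)` lets the abuser consume 38 of the 40 slots and drops three of the legitimate user's five requests; with a per-user cap of 20, `simulate(20)` holds the abuser to 20 and every legitimate request gets through.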
Evaluation – Tools and Technologies
OWASP ZAP 2.6 (short for Zed Attack Proxy) is an open-source web application security scanner. It's a great tool for experienced pentesters to use for manual security testing.
Inbuilt Features
- Intercepting proxy server
- Traditional and AJAX Web crawlers
- Automated/Passive scanner
- Forced browsing
- Fuzzer
- WebSocket/Plug-n-Hack support
New Features
- Launch browser from within ZAP
- Support for a variety of browsers
- Support for Jenkins plugin
- API security changes
Have Suggestions?
We would love to hear your feedback, questions, comments and suggestions. This will help us become better and more useful next time.
Share your thoughts and ideas at knowledgecenter@qasource.com