DOS Attack And Tips To Choose Security Assessment Tools: Shieldcast - Fall 2017

QASource
QASource | October 4, 2017

How To Choose Security Assessment Tools?

Identify Goals

Outline specific goals to determine whether you require a port scanner to check for live systems, an application scanner to check for web application vulnerabilities or a network analyzer to show what protocols are running. If your research proves the tool isn't likely to address your goals, find another.

Use Combination Of Open-Source And Commercial Tools

Since no single security assessment tool can perform every possible security test, using open-source tools to uncover some vulnerabilities is a good option and helps cut the costs associated with testing. Enterprise editions of commercial tools can then be used to test across an organization's entire application portfolio.

Employ Diagnostic Experience

While good tools generate strong results, human expertise is required for proper analysis of scan results.

Look For Reporting Features

Apart from the required vulnerability testing features, security assessment tools should generate a variety of useful reports, including those for technical, developer and QA departments. These reports need to contain complete vulnerability details along with the recommendations for fixing these vulnerabilities. Additionally, pick tools that generate reports with meaningful graphs such as pie charts or bar graphs for upper management audiences.


Threat Exposure

Denial-of-Service

Denial-of-service is an attack on a website or service, inundating it with a high number of malicious requests that consume all of the system or network resources, making the site/service unavailable to legitimate users.

Denial of Service
  • Impact
    • Shuts down the service
    • Leads to revenue loss
    • Impairs customers' confidence
  • Useful Tools: Mercury LoadRunner, Empirix e-Load
  • Testing Recommendations
    • Make sure client sessions are being timed out
    • Verify that resources are released in a timely manner
    • Simulate the load for the expected maximum number of concurrent users
    • Check that the application enforces user-level thresholds rather than only global thresholds, wherever possible
    • Verify that, on error, the application exits only after completing all housekeeping tasks
    • Ensure that service redundancy (a failover mechanism) is implemented in the application
    • The testing team should check the verbosity of the generated logs
    • Anti-automation techniques should be tested
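As an added illustration of the session-timeout and user-level-threshold recommendations above (example code written for this note, not from the original post), a small in-memory request gate with assumed sample limits; `flood_then_legit` shows that a per-client threshold keeps one noisy client from consuming the global budget, whereas a global-only threshold lets it starve a legitimate client:

```python
import time

class Gatekeeper:
    """Sliding-window request gate with per-client and global thresholds plus
    idle-session expiry. The limits are assumed sample values for this example."""

    def __init__(self, per_client_limit=5, global_limit=20,
                 window=1.0, idle_timeout=30.0, clock=time.monotonic):
        self.per_client_limit = per_client_limit  # None = global threshold only
        self.global_limit = global_limit
        self.window = window
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.requests = {}  # client id -> request timestamps inside the window
        self.sessions = {}  # client id -> last activity timestamp

    def _housekeeping(self, now):
        """Drop timestamps that left the window and release idle sessions."""
        cutoff = now - self.window
        for client in list(self.requests):
            self.requests[client] = [t for t in self.requests[client] if t > cutoff]
        for client in list(self.sessions):
            if now - self.sessions[client] > self.idle_timeout:
                del self.sessions[client]

    def admit(self, client, now=None):
        """Return 'accepted' or the reason the request was turned away."""
        now = self.clock() if now is None else now
        self._housekeeping(now)
        mine = self.requests.setdefault(client, [])
        if self.per_client_limit is not None and len(mine) >= self.per_client_limit:
            return "rejected: client threshold"
        if sum(len(v) for v in self.requests.values()) >= self.global_limit:
            return "rejected: global threshold"
        mine.append(now)
        self.sessions[client] = now
        return "accepted"

    def session_active(self, client, now=None):
        """True while the client has been seen within the idle timeout."""
        now = self.clock() if now is None else now
        self._housekeeping(now)
        return client in self.sessions

def flood_then_legit(per_client_limit):
    """Constructed scenario: one client bursts 30 requests, then another sends one.
    Returns (burst requests accepted, outcome for the second client)."""
    gate = Gatekeeper(per_client_limit=per_client_limit)
    burst = [gate.admit("noisy-client", now=0.0) for _ in range(30)]
    return burst.count("accepted"), gate.admit("legit-client", now=0.5)
```

Passing an explicit `now` makes the window and idle-timeout behaviour reproducible in a test, which is how the session-timeout check above can be automated.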

Evaluation – Tools and Technologies

OWASP ZAP

OWASP ZAP 2.6 (short for Zed Attack Proxy) is an open-source web application security scanner. It's a great tool for experienced pentesters to use for manual security testing.

Inbuilt Features

  • Intercepting proxy server
  • Traditional and AJAX Web crawlers
  • Automated/Passive scanner
  • Forced browsing
  • Fuzzer
  • WebSocket/Plug-n-Hack support

New Features

  • Launch browser from within ZAP
  • Support for variety of browsers
  • Support for Jenkins plugin
  • API security changes
Have Suggestions?

We would love to hear your feedback, questions, comments and suggestions. This will help us become better and more useful next time.
Share your thoughts and ideas at knowledgecenter@qasource.com

Disclaimer

The logos used in this post are owned by the individual companies behind each logo or trademark, and QASource claims no ownership rights to them. QASource is not sponsored by or associated with the owners of these logos, and uses them for informational purposes only.

This publication is for informational purposes only, and nothing contained in it should be considered legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information and encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.