Today, millions of web applications exist to make our lives easier and much more interesting. We can shop online, pay bills, chat with friends and relatives, or communicate with people all over the world. With all this provision, The “malicious” Eve is always lurking, waiting for the perfect moment to attack.
In order to develop secure applications, it is necessary to use a security development lifecycle. Security should be considered and tested throughout the application project lifecycle. Shiledcast is here to help you in security testing tasks. In this newsletter, we will discuss about the things to consider while choosing security testing tool, details about DOS(Denial-of-Service) Attack and OWASP ZAP along with some latest news on cyber security.
Latest Cyber Security News
- Defray ransomware seen targeting education, healthcare industry
- Microsoft patches critical Windows Search vulnerability
How To Choose Security Assessment Tools?
Outline specific goals to determine whether you require a port scanner to check for live systems, an application scanner to check for web application vulnerabilities or a network analyzer to show what protocols are running. If your research proves the tool isn't likely to address your goals, find another.
Use Combination Of Open-Source And Commercial Tools
Since all possible security tests may not be performed using only a single security assessment tool, utilizing open-source tools to uncover some vulnerabilities will be a good option. They can help cut costs associated with testing. Enterprise editions of commercial tools can be utilized to test across an organization's application portfolio.
Employ Diagnostic Experience
While good tools generate strong results, human expertise is required for proper analysis of scan results.
Look For Reporting Features
Apart from the required vulnerability testing features, security assessment tools should generate a variety of useful reports, including those for technical, developer and QA departments. These reports need to contain complete vulnerability details along with the recommendations for fixing these vulnerabilities. Additionally, pick tools that generate reports with meaningful graphs such as pie charts or bar graphs for upper management audiences.
Denial-of-service is an attack on a website or service, inundating it with a high number of malicious requests that consume all of the system or network resources, making the site/service unavailable to legitimate users.
- Shuts down the service
- Leads to revenue loss
- Impairs customer's confidence
- Mercury LoadRunner
- Empirix e-Load
- Make sure client sessions are being timed out
- Resources are being released in a timely manner
- Testing should include simulating the load for the expected number of maximum concurrent users
- Check if the application is enforcing user-level thresholds as against global thresholds, wherever possible
- Verify that the application exits only after completing all housekeeping tasks in case of error
- Ensure that redundancy of service (fail over mechanism) is implemented in the application
- Testing team should check the verbosity of the logs generated
- Anti-automation techniques should be tested
Evaluation – Tools and Technologies
OWASP ZAP 2.6 (short for Zed Attack Proxy) is an open-source web application security scanner. It's a great tool for experienced pentesters to use for manual security testing.
- Intercepting proxy server
- Traditional and AJAX Web crawlers
- Automated/Passive scanner
- Forced browsing
- WebSocket/Plug-n-Hack support
- Launch browser from within ZAP
- Support for variety of browsers
- Support for Jenkins plugin
- API security changes
We would love to hear your feedback, questions, comments and suggestions. This will help us to make us better and more useful next time.
Share your thoughts and ideas at firstname.lastname@example.org
The logos used in this post are owned by the individual companies of each logo or trademark. The logo is not authorized by, sponsored by, or associated with the trademark owner, but QASource is using the logos only for reviewing purposes. The endorsement of the used logos by QASource is neither intended nor implied.