QASource Newsletter


Shieldcast: Fall 2017

How To Choose Security Assessment Tools?

Identify Goals

Outline specific goals to determine whether you require a port scanner to check for live systems, an application scanner to check for web application vulnerabilities or a network analyzer to show what protocols are running. If your research proves the tool isn't likely to address your goals, find another.

Use A Combination Of Open-Source And Commercial Tools

Since no single security assessment tool can perform every possible security test, using open-source tools to uncover some classes of vulnerability is a good option; they help cut the costs associated with testing. Enterprise editions of commercial tools can then be used to test across an organization's whole application portfolio.

Employ Diagnostic Experience

While good tools generate strong results, human expertise is required for proper analysis of scan results.

Look For Reporting Features

Apart from the required vulnerability testing features, security assessment tools should generate a variety of useful reports, including ones aimed at technical, developer and QA audiences. These reports need to contain complete vulnerability details along with recommendations for fixing each vulnerability. Additionally, pick tools whose reports include meaningful graphs, such as pie charts or bar graphs, for upper-management audiences.

Threat Exposure

Denial-of-Service

Denial-of-service is an attack on a website or service that inundates it with a high volume of malicious requests, consuming all of the system or network resources and making the site or service unavailable to legitimate users.

Impact

  • Shuts down the service
  • Leads to revenue loss
  • Impairs customers' confidence

Useful Tools

  • Mercury LoadRunner
  • Empirix e-Load

Testing Recommendations

  • Make sure client sessions are timed out
  • Verify that resources are released in a timely manner
  • Simulate the load for the expected maximum number of concurrent users
  • Check whether the application enforces user-level thresholds rather than only global thresholds, wherever possible
  • Verify that, on error, the application exits only after completing all housekeeping tasks
  • Ensure that service redundancy (a failover mechanism) is implemented in the application
  • The testing team should check the verbosity of the logs generated
  • Anti-automation techniques should be tested
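The following is an added example, not code from the QASource newsletter, illustrating two of the recommendations above: user-level thresholds versus a global threshold, and timing out idle client sessions. It is a small, self-contained request guard with a deterministic simulation (time is passed in explicitly); the client names "bot", "alice" and "bob", the limits and the traffic pattern are all constructed for the demonstration.

```python
"""Per-user vs. global request thresholds plus idle-session timeout.

Added example (not QASource's code). A sliding-window counter is kept per
client and a second one for the whole service; a request is rejected once
either threshold is reached. The constructed traffic below shows why the
per-user threshold matters: with only a global threshold, one noisy client
consumes the whole budget and legitimate users are locked out too.
"""
from collections import defaultdict, deque


class RequestGuard:
    """Enforces a per-user and a global threshold over a sliding time window
    and expires client sessions that have been idle longer than idle_timeout.
    All times are plain floats (seconds) supplied by the caller."""

    def __init__(self, per_user_limit, global_limit, window, idle_timeout):
        self.per_user_limit = per_user_limit
        self.global_limit = global_limit
        self.window = window
        self.idle_timeout = idle_timeout
        self._user_hits = defaultdict(deque)  # user -> timestamps of accepted requests
        self._global_hits = deque()           # timestamps of all accepted requests
        self._last_seen = {}                  # user -> time of last accepted request

    def _trim(self, hits, now):
        """Drop timestamps that have fallen out of the sliding window."""
        while hits and hits[0] <= now - self.window:
            hits.popleft()

    def expire_idle_sessions(self, now):
        """Forget sessions idle longer than idle_timeout; return the users expired."""
        expired = [u for u, t in self._last_seen.items() if now - t > self.idle_timeout]
        for user in expired:
            del self._last_seen[user]
            self._user_hits.pop(user, None)
        return expired

    def admit(self, user, now):
        """Decide one request. Returns (accepted, reason)."""
        self.expire_idle_sessions(now)
        user_hits = self._user_hits[user]
        self._trim(user_hits, now)
        self._trim(self._global_hits, now)
        if len(user_hits) >= self.per_user_limit:
            return False, "user-threshold"
        if len(self._global_hits) >= self.global_limit:
            return False, "global-threshold"
        user_hits.append(now)
        self._global_hits.append(now)
        self._last_seen[user] = now  # only accepted traffic keeps a session alive
        return True, "ok"

    def active_sessions(self):
        return set(self._last_seen)


def simulate(per_user_limit, global_limit):
    """Run constructed traffic through a guard and return per-user outcomes.

    Constructed traffic: "bot" fires 50 requests between t=0.00 and t=0.49,
    then "alice" and "bob" each send 3 ordinary requests from t=1.0 onwards,
    all inside one 10-second window. Passing a very large per_user_limit
    shows the effect of enforcing only a global threshold.
    """
    guard = RequestGuard(per_user_limit, global_limit, window=10.0, idle_timeout=30.0)
    traffic = [("bot", i * 0.01) for i in range(50)]
    traffic += [(u, 1.0 + i * 0.1) for u in ("alice", "bob") for i in range(3)]
    outcome = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for user, t in traffic:
        accepted, _ = guard.admit(user, t)
        outcome[user]["accepted" if accepted else "rejected"] += 1
    return {u: dict(c) for u, c in outcome.items()}, guard


if __name__ == "__main__":
    only_global, _ = simulate(per_user_limit=10**9, global_limit=40)
    print("global threshold only :", only_global)
    per_user, guard = simulate(per_user_limit=20, global_limit=40)
    print("per-user + global     :", per_user)
    # 31 s after the flood the bot's session has gone idle; the others remain.
    print("expired at t=31.0     :", guard.expire_idle_sessions(31.0))
    print("still active          :", sorted(guard.active_sessions()))
```

With only the global threshold, the bot's first 40 requests use up the budget and every request from alice and bob is rejected. With a per-user threshold of 20 in front of the same global threshold, the bot is capped at 20, both legitimate users are fully served, and the global counter never fills. The idle-timeout check is what the "client sessions are timed out" recommendation asks a tester to verify: sessions that stop sending accepted traffic are dropped rather than retained forever.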

Evaluation – Tools and Technologies

OWASP ZAP

OWASP ZAP 2.6 (ZAP is short for Zed Attack Proxy) is an open-source web application security scanner. It is a great tool for experienced pentesters to use for manual security testing.

Inbuilt Features

  • Intercepting proxy server
  • Traditional and AJAX web crawlers
  • Automated/passive scanner
  • Forced browsing
  • Fuzzer
  • WebSocket/Plug-n-Hack support

New Features

  • Launch a browser from within ZAP
  • Support for a variety of browsers
  • Support for a Jenkins plugin
  • API security changes

Suggestions?

We would love to hear your feedback, questions, comments and suggestions. This will help us make the next edition better and more useful.
Share your thoughts and ideas at knowledgecenter@qasource.com

Disclaimer

The logos used in this post are owned by the individual companies of each logo or trademark. The logo is not authorized by, sponsored by, or associated with the trademark owner, but QASource is using the logos only for reviewing purposes. The endorsement of the used logos by QASource is neither intended nor implied.

Written by QA Experts

QASource Blog, for executives and engineers, shares QA strategies, methodologies, and new ideas to inform and help effectively deliver quality products, websites, and applications.
