Top tools for testing Web application security

RELATED CONTENT Application Security Are SQL injection attacks really a big software security risk? Beating software's cross-site scripting, authentication problems Expert resolves issues plaguing OpenSTA users What is fuzz testing? What are some ways to use fuzz testing? How do I convince management to take application security seriously? Security testing sales, marketing websites How to prevent HTTP response splitting PCI DSS compliance: WAF, code review or both? Open source application security testing tools Web application security testing basics Software security testing tools Why you don't need to buy a testing tool, except when you do Old problems persist in Web 2.0 security practices Beating software's cross-site scripting, authentication problems Free tools for Agile testers Put a stop to software espionage by watermarking source code How to make your software tamperproof How can I tell if my software security has been breached? WebGoat: password weakness issues, basic application hacking concerns Lesser-known free software testing tools testers should try Demo: Using WebGoat, a free software testing tool

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary penetration testing  (SearchSoftwareQuality.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

EXPERT RESPONSE FROM: Dan Cornell Pose a Question Other Software Quality Categories Meet all Software Quality Experts Become an Expert for this site

ANSWERED November 2008:

More about Web application security tools: Open source application security testing tools What to look for in a Web application security testing tool Free Web application security testing tools you need to get to know

There are a number of commercial vendors and open source products that do security source code reviews, and most of the commercial products support a variety of Web application development languages and environments. Some prominent examples include Coverity, Fortify Software, Klocwork, and Ounce Labs. Each of their tools supports several languages, but you would have to check the vendor's documentation for specific details.

The open source or freely available tools in this space do tend to be more focused on a single language. For example, FindBugs and PMD do static analysis for Java. They are mostly focused on quality issues, but they also find some security defects. For .NET environments, FxCop from Microsoft checks for quality and security issues.

The OWASP Orizon project is intended to be a cross-language framework for security source code review. It is currently in the early stages, but support for both Java and .NET is planned.