Learning Guide: Application security testing techniques

TABLE OF CONTENTS    Vulnerability Assessment    Source Code/Static Analysis    Penetration Testing    Fuzz Testing    Obfuscation    Architectural Risk Analysis    Other Useful Resources

Vulnerability Assessment

[Return to Table of Contents]

• Definition: vulnerability analysis
• Definition: vulnerability scanner
• Definition: vulnerability disclosure
• Definition: ethical hacker
• News: Application vulnerability detection improved by Fortify, Watchfire partnership
• News: Vulnerability assessment pays off for Debt Exchange
• News: Product roundup: New tools to secure application security
• Article: Hacme Casino tool reveals online gaming vulnerabilities
• Expert response: Reasons for application vulnerabilities
• Article: App security tools target Ajax vulnerabilities
• Tip: Understanding technical vs. logical vulnerabilities
• Tip: Testing Ajax, JavaScript and ActiveX for vulnerabilities
• Podcast: There's a hole in your network – vulnerability management is no mystery

Source Code/Static Analysis

[Return to Table of Contents]

• Definition: dynamic analysis
• Definition: static analysis
• Tip: Static and dynamic code analysis: A key factor for application security success
• News: Klockwork analysis tool proves its worth, finds bugs in open source projects
• Tip: Source code security scanners: A revamped option for securing custom software
• News: ASP.NET tool upgrade: Compuware releases SecurityChecker 2.5
• Expert Response: Code analysis: Which tool is right for you?
• Article: Ounce Labs reaches out to developers with new analysis tool
• Article: Code analysis
• Article: Source code analysis tools- Overview
• White paper: Implementing Source Code Vulnerability Testing in the Software Development Life Cycle

Penetration Testing

[Return to Table of Contents]

• Definition: penetration testing
• Book excerpt: Professional Pen Testing for Web Applications – Chapter 6, Attack Simulation Techniques and Tools
• Tip: Buffer overflow tools facilitate application testing
• Tip: Inside application assessment: Pen testing vs. code review
• Tip: Best practices for pen testing Web applications
• News: Penetration testing tool released by Metasploit founder
• Expert response: Manual vs. automated penetration testing
• News: Core security updates pen testing software
• News: Free tool helps find SQL injection vulnerabilities
• Article: Penetration testing for Web applications (part one)
• Article: Penetration testing for Web applications (part two)
• Article: Penetration testing for Web applications (part three)
• Article: Demonstrating ROI for penetration testing (part two)

Fuzz Testing

[Return to Table of Contents]

• Definition: fuzzer
• Expert response: Using fuzzer tools to find vulnerabilities
• Tool: Web services pen testing tool released
• Overview: fuzz testing
• Site: Fuzz testing of application reliability
• News: Free fuzzing tool launched
• News: Hackers use AI to uncover vulnerabilities
• News: Browsers feel the fuzz
• News: The fuzz: To serve and protect
• Article: Fuzzing with WebScarab

Obfuscation

[Return to Table of Contents]

• Definition: obfuscation
• Definition: decompile
• Definition: reverse engineering
• Article: PreEmptive package helps make obfuscation part of the SDLC
• Introduction: obfuscator: Java Glossary
• White paper: Next-Generation Protection Against Reverse Engineering
• White paper: Obfuscation of Design Intent in Object-Oriented Applications
• News: Zend upgrades IP protection for PHP applications
• Tool: .NET Obfuscator protects against source code extraction
• Tool FAQ: Java and .NET obfuscation frequently asked questions
• Guide: How to select and obfuscation tool for .NET

Architectural Risk Analysis

[Return to Table of Contents]

• Definition: architectural risk analysis
• Definition: risk analysis
• Book excerpt: Software Security: Building Security In – Chapter 5: Architectural Risk Analysis
• Definition: threat modeling
• Guide: Threat Modeling
• Tool: Control Objectives for Information and related Technology(COBIT)
• Definition: COBIT
• Tool: OCTAVE Information Security Risk Evaluation
• White paper: Risk analysis in software design
• Article: Architectural risk analysis
• Expert response: Assessing security of Web services, part one
• Article: Bridging the gap between software development and information security
• Article: Microsoft P&P delivers threat modeling guidance for Web apps
• Guide: Security Risk Management Guide
• Guide: Security Self-Assessment Guide for Information Technology Systems
• Tool: Automated Security Self-Evaluation Tool (ASSET)
• Tool: Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) Framework, v1.0
• Tool: Microsoft Threat Analysis & Modeling v2.1.2
• Blog: Microsoft application threat modeling blog

Other useful resources

[Return to Table of Contents]

Expert advice on tools and technologies Do you have a question about application security testing techniques? Our Tools & Technologies expert Brad Arkin may have the answer. Read advice he has given or submit your own questions.

• Course: Web and Software Application Security Testing
• Project: OWASP Testing Project
• Product: Web Application Security and Testing from SPI Dynamics
• Product: Security Innovation – Application Security Testing
• Product: Application Security Assessment from Cenzic
• Book: Testing Web Security: Assessing the Security of Web Sites and Applications
• Book: Testing Applications on the Web: Test Planning for Internet-Based Systems
• Tip: Web application security testing checklist

Send in your suggestions
Are there other topics you'd like to see learning guides on? Send assistant editor Jennette Mullaney an e-mail at jmullaney@techtarget.com and let her know what they are.