
	Home > Software Quality Tips > Application Security Strategies > What to look for in a Web application security testing tool

Software Quality Tips:

EMAIL THIS

TIPS & NEWSLETTERS TOPICS

APPLICATION SECURITY STRATEGIES

What to look for in a Web application security testing tool

Kevin Beaver, CISSP
06.23.2007
Rating: --- (out of 5)

Software quality news and advice

Digg This! StumbleUpon Del.icio.us

I get a lot of questions regarding what the ideal Web application security scanner should be able to do and how it should "handle." Having used most of the commercial, open source and freeware tools over the past several years, I've come across a lot of likes and even more dislikes. The good news is that commercial scanner vendors are starting to realize what's important, and they're making their tools much more capable and friendly to the average user.

The following are features of Web application security testing tools that I believe are absolute must-haves if you do a lot of scanning. They'll save you lots of time and effort and maximize the number of valid vulnerabilities that you'd never find otherwise.

In the end you'll save money (even if you have to pay more to get a good tool), and you'll end up coming across as a true expert that takes Web application security testing seriously.

I highly recommend getting an evaluation version of the tool. If you can't, this may not be a vendor you want to deal with anyway. After installing the tool on your local system, I guarantee you'll know within 15 minutes if it's going to be a good fit for you based on the way you think and work. If during the trial period you come across any of the fo

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

Email Address:
Create Password:
Confirm Password:

By joining SearchSoftwareQuality.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

To read more you must become a member of SearchSoftwareQuality.com

As an existing member of the TechTarget network please provide your password to activate your account (Forgot your password?):

Password:

By joining SearchSoftwareQuality.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

Digg This! StumbleUpon Del.icio.us

RELATED CONTENT

Application Security Strategies

Fixing four Web 2.0 input validation security mistakes

Social engineering training could disrupt botnet growth

Web security problems: Five ways to stop login weaknesses

Common mistakes in real-time Java programming

Preparing for testing applications in the cloud

The role of quality assurance (QA) pros in software security

Common software security risks and oversights

Using the Firefox Web Developer extension to find security flaws

Web application security testing checklist

How to develop secure applications

Software security testing tools

Commonly-overlooked security flaws in rich Internet applications

10 steps to acing Web app security assessments

New tools target software QA, testing: Spring roundup

Hack maliciously to boost your software's security

What is fuzz testing? What are some ways to use fuzz testing?

Why the quality assurance department should be involved in testing

Using the Firefox Web Developer extension to find security flaws

Top tools for testing Web application security

Static analysis tool helps software engineers find bugs during builds

Web security: Web services an overlooked entry point for attacks

Web application security tools and services

Static analysis tool helps software engineers find bugs during builds

Automated security tool finds flaws in enterprise apps

Parasoft enhances its Application Security Solution

Cenzic Web application security tool targets CSRF attacks

Ruby on Rails security audit service available

Secure software measures: Their strengths and limitations

HP software security suite treats vulnerabilities as defects

Dynamic analysis tool from Coverity looks at concurrency defects

Veracode provides security audits for externally sourced code

Enhanced application protection in Dotfuscator Professional 4.3

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

penetration testing (SearchSoftwareQuality.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

llowing issues, try to clarify with the vendor whether the specific issue is a known problem or "undocumented feature":

If you come across those issues and can't get a reasonable explanation, run away -- fast.

In the majority of cases, you're going to get what you pay for in a Web application security testing tool. At the end of the day, find a tool that you feel comfortable with and one that works well in your environment. Never underestimate the value of a little up-front homework when selecting the right Web vulnerability scanner. It will pay off.

-----------------------------------------
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around IT compliance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels series of audiobooks. Kevin can be reached at kbeaver@principlelogic.com.

Rate this Tip

To rate tips, you must be a member of SearchSoftwareQuality.com.
Register now to start rating these tips. Log in if you are already a member.

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Software Design & Testing - Project Management

SEARCH

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2006 - 2009, TechTarget \| Read our Privacy Policy