Testing applications for security purposes is such a basic, important safety measure that most security professionals wouldn't think twice about it. Yet just a few years ago, the methods for application security testing were limited in both scope and number.
TABLE OF CONTENTS
- Vulnerability Assessment
- Source Code/Static Analysis
- Penetration Testing
- Fuzz Testing
- Obfuscation
- Architectural Risk Analysis
- Other Useful Resources

Vulnerability Assessment
- Definition: vulnerability analysis
- Definition: vulnerability scanner
- Definition: vulnerability disclosure
- Definition: ethical hacker
- News: Application vulnerability detection improved by Fortify, Watchfire partnership
- News: Vulnerability assessment pays off for Debt Exchange
- News: Product roundup: New tools to secure application security
- Article: Hacme Casino tool reveals online gaming vulnerabilities
- Expert response: Reasons for application vulnerabilities
- Article: App security tools target Ajax vulnerabilities
- Tip: Understanding technical vs. logical vulnerabilities
- Tip: Testing Ajax, JavaScript and ActiveX for vulnerabilities
- Podcast: There's a hole in your network – vulnerability management is no mystery
Source Code/Static Analysis
- Definition: dynamic analysis
- Definition: static analysis
- Tip: Static and dynamic code analysis: A key factor for application security success
- News: Klocwork analysis tool proves its worth, finds bugs in open source projects
- Tip: Source code security scanners: A revamped option for securing custom software
- News: ASP.NET tool upgrade: Compuware releases SecurityChecker 2.5
- Expert Response: Code analysis: Which tool is right for you?
- Article: Ounce Labs reaches out to developers with new analysis tool
- Article: Code analysis
- Article: Source code analysis tools- Overview
- White paper: Implementing Source Code Vulnerability Testing in the Software Development Life Cycle
Penetration Testing
- Definition: penetration testing
- Book excerpt: Professional Pen Testing for Web Applications – Chapter 6, Attack Simulation Techniques and Tools
- Tip: Buffer overflow tools facilitate application testing
- Tip: Inside application assessment: Pen testing vs. code review
- Tip: Best practices for pen testing Web applications
- News: Penetration testing tool released by Metasploit founder
- Expert response: Manual vs. automated penetration testing
- News: Core security updates pen testing software
- News: Free tool helps find SQL injection vulnerabilities
- Article: Penetration testing for Web applications (part one)
- Article: Penetration testing for Web applications (part two)
- Article: Penetration testing for Web applications (part three)
- Article: Demonstrating ROI for penetration testing (part two)
Fuzz Testing
- Definition: fuzzer
- Expert response: Using fuzzer tools to find vulnerabilities
- Tool: Web services pen testing tool released
- Overview: fuzz testing
- Site: Fuzz testing of application reliability
- News: Free fuzzing tool launched
- News: Hackers use AI to uncover vulnerabilities
- News: Browsers feel the fuzz
- News: The fuzz: To serve and protect
- Article: Fuzzing with WebScarab
Obfuscation
- Definition: obfuscation
- Definition: decompile
- Definition: reverse engineering
- Article: PreEmptive package helps make obfuscation part of the SDLC
- Introduction: obfuscator: Java Glossary
- White paper: Next-Generation Protection Against Reverse Engineering
- White paper: Obfuscation of Design Intent in Object-Oriented Applications
- News: Zend upgrades IP protection for PHP applications
- Tool: .NET Obfuscator protects against source code extraction
- Tool FAQ: Java and .NET obfuscation frequently asked questions
- Guide: How to select an obfuscation tool for .NET
Architectural Risk Analysis
- Definition: architectural risk analysis
- Definition: risk analysis
- Book excerpt: Software Security: Building Security In – Chapter 5: Architectural Risk Analysis
- Definition: threat modeling
- Guide: Threat Modeling
- Tool: Control Objectives for Information and related Technology (COBIT)
- Definition: COBIT
- Tool: OCTAVE Information Security Risk Evaluation
- White paper: Risk analysis in software design
- Article: Architectural risk analysis
- Expert response: Assessing security of Web services, part one
- Article: Bridging the gap between software development and information security
- Article: Microsoft P&P delivers threat modeling guidance for Web apps
- Guide: Security Risk Management Guide
- Guide: Security Self-Assessment Guide for Information Technology Systems
- Tool: Automated Security Self-Evaluation Tool (ASSET)
- Tool: Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) Framework, v1.0
- Tool: Microsoft Threat Analysis & Modeling v2.1.2
- Blog: Microsoft application threat modeling blog
Other Useful Resources

Expert advice on tools and technologies: Do you have a question about application security testing techniques? Our Tools & Technologies expert Brad Arkin may have the answer. Read advice he has given or submit your own questions.
- Course: Web and Software Application Security Testing
- Project: OWASP Testing Project
- Product: Web Application Security and Testing from SPI Dynamics
- Product: Security Innovation – Application Security Testing
- Product: Application Security Assessment from Cenzic
- Book: Testing Web Security: Assessing the Security of Web Sites and Applications
- Book: Testing Applications on the Web: Test Planning for Internet-Based Systems
- Tip: Web application security testing checklist
Send in your suggestions
Are there other topics you'd like to see learning guides on? Send assistant editor Jennette Mullaney an e-mail at jmullaney@techtarget.com and let her know what they are.
This was first published in September 2006
