Armando Bioc, Security Consultant
AppScan has earned a place as a must-have security tool. AppScan has the ability to scan web applications as well as web services for security risks. It also provides a range of scan types, depending on how extensive a scan is needed, and includes a wide range of test types to tailor scans to specific needs. Platform concerns can be put at ease, as AppScan supports both .NET and J2EE. Not only is AppScan a tool for security teams, but it is intended for use within infrastructure, QA, and development teams as well. Scans can be run as wide-ranging, all-encompassing tests, but also to search for specific vulnerabilities.
The Test Policy Manager gives users a clear presentation of which tests are being run, as well as how the tests are being run. This makes it easy to read and understand the extent of the tests. As if running comprehensive tests were not enough, AppScan has the ability to compare tests over time. This is one impressive feature: it means that you can view the changes in test scenarios and application security over time, which helps to identify trends in application stability from one point in time to another.
However, finding weaknesses is one thing, resolving them is another. AppScan does just that by providing recommended fixes for the vulnerabilities that it detects, with information specific to .NET or J2EE, depending on your platform. In addition to security scanning and reporting problems, it also offers a very useful screen capture feature that attaches a visual record to the results. Whatever you do, don't overlook this feature. While AppScan provides a great deal of information on vulnerabilities and remedies, the screen capture feature allows you to associate actual output with specific test results from your own application for future use. This means that the more you use AppScan on your application, the better your team will be at understanding, tracking down, and resolving issues within the context of your own application.
We've all seen the increasing focus on security in the past few years. That puts a lot of pressure on developers to improve the security of their applications but most developers don't know much about security techniques. Fortunately, some new tools are arriving to help developers recognize security issues and fix them.
DevInspect takes an interesting approach. It is integrated with Visual Studio and Eclipse. The developer can use it to scan their current project and report on the current vulnerabilities. For each vulnerability, the DevInspect report includes a description of the vulnerability, an explanation of the risk level, and the recommended fix, including web links to more useful information.
The result is a useful tool that educates developers at the same time as it provides targeted information about the current project.
Fortify Source Code Analysis (SCA) 4.0
Real-world developers code in many different programming languages, but the problems with application security remain the same regardless of the codebase. Fortify Software addresses this fact with their Source Code Analysis tool that can parse some of the most popular code syntax including C and C++, Cold Fusion, Java, .NET, SQL, and XML, and scans for over 150 vulnerability categories. Results can be shared via comprehensive issue, portfolio and trend web-based report sets and policy-based alert notifications in the event of vulnerability detection. Fortify SCA integrates with many automated build tools, and even includes an open-source Java code quality scanner called FindBugs that can identify over 250 bug types.
One of Fortify SCA's more notable aspects is its ability to rank issue criticality and recommend an optimal course of action for the problems it identifies. These results can be annotated as well for further analysis and auditing needs.
Everyone involved in security testing should know about Metasploit. It's an open-source framework for developing exploit code, running the exploits, and executing the corresponding payload when the exploit succeeds. Metasploit can be a scary tool because it can just as easily be used by the bad guys. This is good motivation to test each web app before it is deployed on the Internet.
With Version 3.0, Metasploit has been rewritten in Ruby and now includes Exploit Automation, so a set of exploits and payloads can be automated for each target. That means any subset of Metasploit's entire history of exploits and payloads can now be run automatically against one target, testing and retesting until it finds a vulnerability. Once it finds a vulnerability, the corresponding payload code (e.g., a remote shell or VNC server) is used to gain access to the target.
Use it before it is used against you!