
The more popular your web site or application, the more hackers there are out there who are keen to hack it. To protect your site, you’ll need to perform security testing. This article will describe the two leading approaches to testing web security: application security scanners, which perform black box testing, and source security scanners, which inspect the web application’s source code for vulnerabilities.
Application Security Scanners
- An application security scanner is a software program which performs automatic black box testing on a web application and identifies security vulnerabilities. Application security scanners do not access the source code; they only perform functional testing and try to find security vulnerabilities.
- A security scanner improves security for web applications and computer networks by providing auditing and protection from threats and malware.
- A scanner simulates a malicious user by attacking and probing, and it identifies responses which are not part of the expected result set. As a dynamic testing tool, a web scanner is language independent. A web application scanner is able to scan engine-driven web applications.
- Attackers could theoretically test their attacks against popular scanning tools to find holes in the scanning tools’ security coverage, so many of the tools described here can be evaded by competent, broad-targeting attackers.
- There are many commercial and open source security scanners on the market which perform a deep binary analysis to protect your applications against threats and attacks.
- Here are some popular application security scanners:
- OWASP ZAP (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It is also a great tool for experienced pen testers to use for manual security testing.
- Arachni (http://www.arachni-scanner.com/)
Arachni is an open source application security scanner which runs as a separate service and provides a web interface to run or schedule security scans. It generates a report listing the vulnerabilities found, together with best-practice information on how to fix them.
- HP WebInspect (http://sectools.org/tool/webinspect/)
WebInspect is a web application security assessment tool that helps identify known and unknown vulnerabilities within the web application layer. It can also help check that a web server is configured properly, and it attempts common web attacks such as parameter injection, cross-site scripting, directory traversal and more. It was produced by SPI Dynamics, which is now part of HP.
- Veracode (https://www.veracode.com/)
CA Veracode’s unified platform assesses and improves the security of applications from inception through production, so that businesses can confidently innovate with the web and mobile applications they build, buy and assemble, as well as the components they integrate into their environments. It is a commercially licensed tool.
- SonarQube + OWASP plug-in (https://www.sonarqube.org/)
The OWASP SonarQube project aims to provide open source SAST (Static Application Security Testing) using existing open source solutions. SonarQube is one of the world’s most popular continuous code quality tools and is actively used by many developers and companies.
- WhiteSource (https://www.whitesourcesoftware.com/)
WhiteSource integrates fully into your build process, no matter which programming languages, build tools or development environments you use. It works automatically, continuously and silently in the background, checking the security, licensing and quality of your open source components against WhiteSource’s constantly updated, definitive database of open source repositories.
- BlackDuck (https://www.blackducksoftware.com/)
BlackDuck helps security and development teams identify and mitigate open source security risks across application portfolios.
Source Security Scanners
- Source security scanners examine the source code to detect issues or vulnerabilities in the code or in the APIs it uses, helping the developer write error-free code. Many tools are available on the market to check and scan the code of static, web or cloud-based applications and protect the application from vulnerabilities.
Here are a few popular source security scanners.
- Checkmarx (https://info.checkmarx.com/)
Checkmarx is among the most powerful static source code analysis tools available today. It provides Visual Studio and Eclipse plugins for developers to run private scans.
- OWASP Dependency Check (https://www.owasp.org/index.php/OWASP_Dependency_Check)
Dependency Check is a utility that identifies project dependencies and checks whether there are any known, publicly disclosed vulnerabilities. Currently Java and .NET are supported; additional experimental support has been added for Ruby, Node.js, Python, and limited support for C/C++ build systems.
- Fortify Static Code Analysis (https://software.microfocus.com/en-us/products/static-code-analysis-sast/overview)
Fortify Static Code Analyzer reduces software risk by identifying security vulnerabilities that pose the biggest threats to your organization. It pinpoints the root cause of the vulnerability, correlates and prioritizes results, and provides best practices so developers can develop code more securely.
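The dependency-check approach described above (a project's pinned dependencies matched against a list of known vulnerable version ranges), as an added example that is not part of the original article and is not OWASP Dependency Check's or WhiteSource's own code. The advisory ids, version ranges and the requirements manifest are all constructed for this illustration; real tools pull the advisory data from a maintained vulnerability database.

```python
from itertools import takewhile
from typing import List, Optional, Tuple

# Constructed advisory list (placeholder ids, illustrative ranges): (package, id, first affected, first fixed or None).
ADVISORIES = [
    ("requests", "EXAMPLE-0001", "2.0.0", "2.20.0"),
    ("pyyaml", "EXAMPLE-0002", "0.0.0", "5.4"),
    ("leftpad", "EXAMPLE-0003", "1.0.0", None),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.20.0' -> (2, 20, 0); a pre-release component such as '4rc1' counts as 4."""
    return tuple(int("".join(takewhile(str.isdigit, p)) or 0) for p in v.split("."))

def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Parse 'name==version' lines; comments, blanks and unpinned deps are skipped."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            deps.append((name.strip().lower(), version.strip()))
    return deps

def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected if introduced <= version < fixed; an unfixed advisory has no upper bound."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def check(manifest: str) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory id) for every vulnerable pinned dependency."""
    findings = []
    for name, version in parse_requirements(manifest):
        for pkg, adv_id, introduced, fixed in ADVISORIES:
            if pkg == name and is_affected(version, introduced, fixed):
                findings.append((name, version, adv_id))
    return findings

# Constructed sample manifest: two vulnerable pins, one already patched, one unknown package.
SAMPLE = """requests==2.18.4
PyYAML==5.4.1
leftpad==1.2.0
flask==1.1.2  # not in the advisory list
"""

if __name__ == "__main__":
    for pkg, ver, adv_id in check(SAMPLE):
        print(f"{pkg}=={ver} is affected by {adv_id}")
```

PyYAML 5.4.1 is reported clean because it sits at or above the advisory's fixed version, while the unfixed leftpad advisory matches every version from 1.0.0 upward.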