How to evaluate and use Web Application Security testing tools? (1)

Bkjia.com exclusive Article]Most of the security events of the past few days are closely related to Web applications. Many organizations and individuals have seen the importance of taking necessary measures to protect Web Application Security. I think it is necessary to perform a strict penetration test on my system before taking preventive measures. Because some professional application penetration testing tools and services help prevent your website from becoming a bridgehead for hackers and malware.

Some people think that the website of the organization does not need any other protection measures when it is protected by the Web firewall. This is wrong, because recent attacks and future attacks will become increasingly dependent on defects in Web applications, which usually contain vulnerabilities that are easy to exploit. According to statistics, most applications that support external access are Web-based, and most of them contain vulnerabilities that can be exploited.

Therefore, before pushing Web applications to practical use, you 'd better test them with Web application penetration tools. Currently, most of these tools can perform automatic scanning of Web applications. They can perform threat mode tests to reveal some common vulnerabilities, for example, many programs can reveal SQL injection attacks and cross-site scripting attacks. Sometimes, these tools also provide parameters for users to fix discovered vulnerabilities.

Users need to "hack" themselves before the attackers perform the damage. Today's Web penetration testing has been seen by most organizations as a key step to ensure the security of Web applications. Such security testing has become a crucial part of institutional risk management. Otherwise, the organization handed over the "test" to the hacker.

Today's Security Testing market does not have absolute standards, so it is necessary to explore some services and methods for evaluating and using these tools. (The Web application penetration testing tool involved in this article also refers to the Web application scanning tool)

Three elements

1. Users:

Due to its complexity, assigning the responsibility for ensuring the security of Web applications to appropriate personnel is not a simple task. This is a new concept for developers and consultants. Security management members may be more familiar with network problems than application problems. So who will do this? The author believes that it is unwise or even difficult for security experts to perform tests and hand over the results to developers. However, this is exactly what many companies are currently using, at least before developers are willing to use this tool.

If some information security experts assume the responsibility for Web Application Security, they believe that maintaining and ensuring enterprise network security is ultimately their responsibility, therefore, developers of the application do not have to solve the vulnerability. If the developer says, it doesn't matter. I should check it and it should be okay. What do you do?

Imagine if we use the testing tool by a developer, the security reports that he has checked are long enough to scare them? In fact, the security team can help developers use this tool. With professional knowledge and skills, security personnel can differentiate the priority and severity of security issues and edit these reports so that developers can implement corrective actions. If developers solve these problems themselves and discover 200 problems, how can they determine which are high-risk vulnerabilities and which are low-risk vulnerabilities?

Therefore, we must first determine the problem that this vulnerability scan program is intended for users.

2. nature of this scan:

Is it a tool or a service? Users can purchase related tools and invest resources to build a robust testing mechanism, or use a vendor to remotely scan Enterprise Web applications, verify the detected problems and generate a Security Focus Report. However, due to control, management, and trade secrets, many companies prefer to perform penetration testing and scanning on their own, but professional scanning services will continue to grow.

Companies can also choose and use it. If some security management personnel do not use Security Testing, they entrust other professional vendors to do so. This should be a wise choice, especially when you find that your company does not have professionals in this area to manage the massive volumes of data generated by security testing. Otherwise, enterprises will find that they are affected by many seemingly unexpected things and cannot get a complete report analysis of real vulnerabilities. Enterprises can turn to professional companies to analyze the test results and negotiate with developers to correct the problems. After getting familiar with such services or tools, enterprises can expand the use of such tools and adopt a three-step approach. Step 1: The developer tests the code and coordinates with the security testing vendor. Step 2: security management personnel use security testing tools to further test the program. Step 3: Push applications to the Internet, where professional testing companies or tools are used for testing.

3. How to integrate?

These tools run properly after being integrated with other systems used by developers or consulting teams through localization or application interface APIs. Such as integration with content management tools, project management tools, and other tools, so as to facilitate tracking and correction of other code defects. For example, if Visual Studio is integrated with Microsoft Visual Development, developers can perform scanning on their desktops. the user interface is similar to the interface of their development tools.

The best tool should be able to export the results directly to a static code scanning tool. This is exactly what vulnerabilities the Web application testing tool can tell users, but it does not identify the cause of the problem in the code.