We want to regularly test our web apps for vulnerabilities - we have a BurpSuite licence but would like to look into the possibility of using an online solution.
Benefits as we see them:
Little/no staff training required
It's always up to date (checking the latest known vuns)
It may be more cost-effective
Has anyone used such a solution before? How was the experience over manual testing with a local app such as BurpSuite?
Does your regular testing involve running purely automated scans or manual analysis using BurpSuite?
A cloud-based scanner isn't going to offer as much interactivity as running BurpSuite locally. Manual analysis is important for analyzing design issues, authorization problems, or logic errors. What a fully automated scanner will (or should) do is take care of tedious tests for vulns like SQL injection and XSS. (Think of it as finding implementation problems rather than design problems.)
A cloud-based scanner could be a drop-in replacement for BurpSuite scans you're running "out of the box" -- i.e. not using much configuration. But it should never the less complement, not replace, good manual testing. This can be a benefit cost-wise.
While a cloud-based scanner can be "always up to date", in reality there are very few new web vulns. For example, the OWASP Top 10 has only changed a little in the last 7 years. The updated vulns will help if you're mostly using open source or commercial web apps, but they won't have any bearing on the apps you build in house.
(FYI, my perspective comes from working on a cloud-based scanner.)
Related
I want to build a constantly running forex trading application (even if the web page is not opened),
But I don't know what is the best way to do it, it's a software that should run constantly with constant internet connection, should I write it in Python as a PC application or web application ?, or is there anything better ?
Thank you for your support,
I don't see any point of making a web application in your case. Architecture of algorithmic trading systems is a broad subject but most of the time it's an application which is only connected to a market data provider and a broker. A trading system can be built as a web application for example for browsing portfolio, historical trades or when some external events trigger trades but you should focus on the strategy itself rather than on a time consuming UI.
You should learn some basics from books/online course depending on your programming language but I think that Python is a great choice for rapid prototyping of strategies. You can also try some existing platforms like Quantopian which can give a quick start for strategies testing.
Focus your efforts on thorough testing of the strategy because most of the time they look good on a paper but turn out to be an utter garbage in practice and without a strategy there is no need for an infrastructure.
There are lots of technologies for developing "always on" scanners; I won't scour the internet for you; however, to give you an example, you can use something like Azure Functions -- it can run your scanner on a schedule. It can be built with Python, if that's your language of choice.
Of course, there are a lot of third-party tools to choose from as well.
How can i test my local RIA?
I need to do a stress test, graph response time and memory usage when user increases.
Do you know any software?
RIA tool support is often dictated by the development platform. For instance if you have GWT and need Javascript support in the tool then you will be pushed to one subset of tools, Silverlight to another, etc...
Looks to your development team, System Requirements Document and Architecture documentation for information on the developmnent toolkits used by your rick internet application. Once you have good insight there, into both which toolkit and what version then take a look at the commercial and open source tools out there to see which ones support your interface. There are few things more frustrating than driving a nail with the butt end of a screwdriver, but if your tool and your interface are a poor match you could wind up doing just that.
All of the commercial vendors are offering short term licenses at this point that you should be able to tie directly back to the project budget. Something to keep in mind on the open source front is that the level of effort on the labor front tends to be higher overall because of the efficiencies built into the commercial tools on the development, monitoring integration and analysis fronts.
If you want an open source solution, I can think on Apache JMeter. There are others like Rational Performance Tester or Mercury LoadRunner but those are not free. You might want to verify if there's a trial version out there.
Does anyone know how to understand the security or penetration test coverage?
I found the traditional method for functional test coverage measurement is not quite useful for security test. Because for security test, actually, you don't need to cover every logic branch. If you cover the whole URLs and parameters, basically, you cover everything.
Any idea?
Thanks.
One possible metric for coverage of a web application security assessment is the range of issues tested for. At a bare minimum, the OWASP Top 10 issues should be tested for, but a high quality assessment will properly assess business logic and application specific issues. Also, the tester should have an understanding of any specific technologies used by the web application (e.g. Adobe Flash, Google Gears).
Penetration testing is a specialist activity, so get a trustworthy and respected company to perform the testing. In the UK, the CHECK scheme is highly respected, a list of certified companies can be found here: http://www.crest-approved.org/member_companies.php
Full disclosure: I work for Verizon Business who offer penetration testing services.
As far as I can see the offerings fall into two categories – scanning services such as McAfee, Comodo, etc. and tools such as Burp Proxy, HP’s WebInspect,CodeScan, etc.
In an ideal world, I’d use something that actively scanned a certain URL (the target being a LAMP stack) on a daily basis (or as required if it’s a standalone tool), but I’m a bit wary of standalone tools in terms of their coverage and frequency of updating. (The ‘remote’ scanners such as McAfee are presumably updated as required.)
I’ve also had issues with some standalone tools (can’t remember which one unfortunately) that managed to get themselves lost within our URL rewriting system (there’s a facetted search in play, so you can imagine things get fairly deep on the URL front).
As such, I’m just wondering what experiences people have had with the offerings out there and whether the standalone tools stack up against the scanning services.
(Incidentally, I'm aware of Penetration testing tools - I'm just wondering if the situation has changed since then)
I have done penetration testing and exploit development. I can tell you from first hand experience that hacking isn't just firing off some tool. Sometimes tools can make life easier, but if you don't know what you are doing then a tool isn't going to help.
If you want to KNOW that your system is secure then you need to higher a skilled hacker to break in. The PCI-DSS is a certification required for credit card processing which mandates that you have regular penetration testing conducted on your server. Conducting regular penetration testing is something that you should adopt if you want to have a very secure server.
A very good security measure for web servers is a Web Application Firewall (WAF). WAFs are also required by the PCI-DSS. Mod_security is free and open source WAF. Mod_Security can be used to prevent hundreds of different types of attacks. A WAF can be a nightmare for a penetration tester or would be hacker.
Anyone have suggestions for security auditing of an .NET Web Application?
I'm interested in all options. I'd like to be able to have something agnostically probe my application for security risks.
EDIT:
To clarify, the system has been designed with security in mind. The environment has been setup with security in mind. I want an independent measure of security, other than - 'yeah it's secure'... The cost of having someone audit 1M+ lines of code is probably more expensive than the development. It looks like there really isn't a good automated/inexpensive approach to this yet. Thanks for your suggestions.
The point of an audit would be to independently verify the security that was implemented by the team.
BTW - there are several automated hack/probe tools to probe applications/web servers, but i'm a bit concerned about whether they are worms or not...
Best Thing to do:
Hiring a security guy for source code analysis
Second best thing to do hiring a security guy / pentesting company for black-box analysis
Following tools will help :
Static Analysis Tools Fortify / Ounce Labs - Code Review
Consider solutions such as HP WebInspects's secure object (VS.NET addon)
Buying a blackbox application scanner such as Netsparker, Appscan, WebInspect, Hailstorm, Acunetix or free version of Netsparker
Hiring some security specialist is so much better idea (will cost more though) because they won't only find injection and technical issues where an automated tool might find, they will also find all logical issues as well.
Anyone in your situation has the following options available:
Code Review,
Static Analysis of the code base using a tool,
Dynamic Analysis of the application at run time.
Mitchel has already pointed out the use of Fortify. In fact, Fortify has two products to cover the areas of static and dynamic analysis - SCA (static analysis tool, to be used in development) and PTA (that performs analysis of the application as test cases are executed during testing).
However, no tool is perfect and you can end up with false positives (fragments of your code base although not vulnerable will be flagged) and false negatives. Only a code review could solve such problems. Code reviews are expensive - not everyone in your organization would be capable of reviewing code with the eyes of a security expert.
To begin, with one can start with OWASP. Understanding the principles behind security is highly recommended before studying the OWASP Development Guide (3.0 is in draft; 2.0 can be considered stable). Finally, you can prepare to perform the first scan of your code base.
One of the first things that I have started to do with our internal application is use a tool such as Fortify that does a security analysis of your code base.
Otherwise, you might consider enlisting the services of a third-party company that specializes in security to have them test your application
Testing and static analysis is a very poor way to find security vulnerabilities, and is really a method of last resort if you haven't thought of security throughout the design and implementation process.
The problem is that you are now trying to enumerate all of the ways your application could fail, and deny those (by patching), rather than trying to specify what your application should do, and prevent everything that isn't that (by defensive programming). Since your application probably has infinite ways to go wrong and only a few things that it is meant to do, you should take an approach of 'deny by default' and allow only the good stuff.
Put it another way, it's easier and more effective to build in controls to prevent whole classes of typical vulnerabilities (for examples, see OWASP as mentioned in other answers) no matter how they may arise, than it is to go looking for which specific screwup some version of your code has. You should be trying to evidence the presence of good controls (which can be done), rather than the absence of bad stuff (which can't).
If you get somebody to review your design and security requirements (what exactly are you trying to protect against?), with full access to code and all details, that will be more valuable than some kind of black box test. Because if your design is wrong then it won't matter how well you implemented it.
We have used Telus to conduct Pen Testing for us a few times and have been impressed with the results.
May I recommend you contact Artec Group, Security Compass and Veracode and check out their offerings...