Product / Application / Software Security Testing
Application security testing is the process of finding security issues or vulnerabilities in an application, using automated and manual security scanner tools, and sharing the identified issues or risks with the development or application team. The process stays mostly the same across the different types of application security scan. Before initiating a security scan, it is always good to identify the boundary and scope of your security testing. Below are a few examples of what can be considered an application or software (the scope for application security testing):
- Web Application, Portal.
- Web API.
- Desktop Software / Thick Client.
- Mobile Application.
- Web Services.
- Plug-in, Add-on
The goal of application security is to secure the application and prevent unwanted damage. The process of performing a security scan or audit is known as ASA (Application Security Assessment). Generally there are three types of ASA: SAST, DAST and PT.
- SAST (Static Application Security Testing)
  - SAST is performed on the source code of the application; it is also known as secure code review. SAST is mostly performed using automated tools. With the practice of regular code review and a good understanding of coding/programming, manual code review is feasible for a small piece of code.
- DAST (Dynamic Application Security Testing)
- PT (Penetration Testing or Manual Security Testing)
- MAST (Mobile Application Security Testing)
Application Security Testing Process:
- Application Pre-filed
  - Application Security Questionnaire shared with the Application team.
- Application Demo
  - From Application Team
- Application Feasibility Check
- QA environment access
  - From Application Team
- Initiate Scan.
- FPA (False Positive Analysis)
  - FPA is one of the important activities in a security assessment. An automated scan will generate a lot of issues; the assessor has to verify all the findings manually, by checking the details and by manually checking each issue using a proxy tool like Burp Suite.
- Prepare or Generate report.
- Closing Meeting
  - with Application Team.
- Re-Validation.
- Close Findings.
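As an added example (not code from the original post), the following Python sketch ties together three steps of the process above: checking every scanner finding against the declared scope before it is worked on (so nothing from a production host or an unrelated host ends up in the assessment), building the FPA worklist so the assessor verifies each distinct issue once rather than once per raw finding, and the re-validation step that closes a confirmed issue only when the re-scan no longer reports it. The scanner export, hostnames and scope rules are constructed for illustration; real tools such as AppScan, ZAP or Burp Suite export richer formats that you would parse into the same shape.

```python
"""Added example, not from the original post: a small triage helper for the
ASA process (scope check -> FPA worklist -> re-validation).
Hostnames, scope rules and the scanner export below are constructed."""
from urllib.parse import urlparse

# Hypothetical scope for one assessment: only the QA hosts are in scope and
# the production host must never be scanned or reported against.
SCOPE = {
    "in_scope_hosts": {"qa.shop.example", "qa-api.shop.example"},
    "production_hosts": {"www.shop.example"},
}

# Constructed sample of an automated DAST export (not real tool output).
RAW_FINDINGS = [
    {"id": "F1", "type": "Reflected XSS", "severity": "High",
     "url": "https://qa.shop.example/search?q=test", "param": "q"},
    {"id": "F2", "type": "Reflected XSS", "severity": "High",
     "url": "https://qa.shop.example/search?q=other", "param": "q"},
    {"id": "F3", "type": "Missing HSTS header", "severity": "Low",
     "url": "https://qa-api.shop.example/v1/items", "param": None},
    {"id": "F4", "type": "SQL Injection", "severity": "Critical",
     "url": "https://www.shop.example/login", "param": "user"},
    {"id": "F5", "type": "Missing HSTS header", "severity": "Low",
     "url": "https://partner.example/health", "param": None},
]

STATUSES = ("needs manual verification", "confirmed", "false positive")


def classify_host(url):
    """Place a finding's host inside, outside, or on production."""
    host = urlparse(url).hostname or ""
    if host in SCOPE["production_hosts"]:
        return "production"
    if host in SCOPE["in_scope_hosts"]:
        return "in_scope"
    return "out_of_scope"


def issue_key(finding):
    """Distinct issue = same vulnerability type, path and parameter."""
    return (finding["type"], urlparse(finding["url"]).path,
            finding.get("param") or "")


def build_fpa_worklist(findings):
    """Group in-scope findings into distinct issues awaiting manual
    verification; anything outside scope is set aside with the reason."""
    worklist, excluded = {}, []
    for f in findings:
        where = classify_host(f["url"])
        if where != "in_scope":
            excluded.append({"id": f["id"], "reason": where})
            continue
        entry = worklist.setdefault(issue_key(f), {
            "ids": [], "severity": f["severity"], "status": STATUSES[0]})
        entry["ids"].append(f["id"])
    return worklist, excluded


def record_fpa_decision(worklist, key, decision):
    """Assessor's verdict after manually checking the issue."""
    if decision not in STATUSES[1:]:
        raise ValueError("decision must be 'confirmed' or 'false positive'")
    worklist[key]["status"] = decision


def revalidate(confirmed_keys, rescan_findings):
    """Re-validation: a confirmed issue is closed only when the re-scan no
    longer reports the same (type, path, param); otherwise it stays open."""
    still_reported = {issue_key(f) for f in rescan_findings}
    closed = sorted(k for k in confirmed_keys if k not in still_reported)
    still_open = sorted(k for k in confirmed_keys if k in still_reported)
    return closed, still_open


def summarize(worklist, excluded):
    """Numbers for the report: scope covered and verification status."""
    return {
        "hosts_covered": sorted(SCOPE["in_scope_hosts"]),
        "distinct_issues": len(worklist),
        "raw_findings_excluded": len(excluded),
        "by_status": {s: sum(1 for e in worklist.values() if e["status"] == s)
                      for s in STATUSES},
    }


if __name__ == "__main__":
    wl, ex = build_fpa_worklist(RAW_FINDINGS)
    record_fpa_decision(wl, ("Reflected XSS", "/search", "q"), "confirmed")
    print(summarize(wl, ex))
    print(revalidate([("Reflected XSS", "/search", "q")], []))
```

The grouping key is deliberately coarse (type, path, parameter): two raw findings that differ only in the payload the scanner sent are the same issue for FPA purposes, and the assessor records one verdict for it. Excluded findings are kept, not silently dropped, so the report can state exactly which hosts were covered and why other results were left out.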
Application Security Tools
- SAST:
  - HCL AppScan Source
  - Fortify Static Code Analyzer
  - Veracode
  - Checkmarx CxSAST
- DAST and PT:
  - HCL AppScan
  - Qualys WAS
  - Micro Focus WebInspect
  - OWASP ZAP
  - Burp Suite
  - Acunetix Vulnerability Scanner
  - Netsparker
  - AppSpider
  - InsightAppSec
  - Nmap
  - Wireshark
  - Metasploit
  - Nessus
  - Nikto
  - OpenVAS
- PT:
  - Burp Suite
  - OWASP ZAP
- MAST:
  - Appknox
Points to keep in consideration:
- Mention the application security scan coverage and the scope covered in the report.
- Do not store application source code on your personal device or any local machine.
- Delete the source code once the SAST is complete.
- DAST or PT should only be done on a QA environment or an environment lower than production.
- Do not store application credentials in an unsecured location and do not share them with anyone else.
- Once the DAST and PT ASA is complete, make sure your test access is revoked.
What should I do to start learning Application Security?
- Study and learn the OWASP Top 10 and SANS 25
- Burp Suite or OWASP ZAP
- Hands on
  - Test URL: http://demo.testfire.net
- Once clear about the concepts, it's time to practice more.