4.0
216
Appendix
jsp/products/soatest.jsp?itemId=101
• MatriXay - http://www.dbappsecurity.com/webscan.html
• N-Stalker Web Application Security Scanner - http://www.nstalker.com
• HP WebInspect - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-webinspect
• SoapUI (Web Service security testing) - http://www.soapui.org/Security/getting-started.html
• Netsparker - http://www.mavitunasecurity.com/netsparker/
• SAINT - http://www.saintcorporation.com/
• QualysGuard WAS - http://www.qualys.com/enterprises/qualysguard/web-application-scanning/
• Retina Web - http://www.eeye.com/Products/Retina/Web-Security-Scanner.aspx
• Cenzic Hailstorm - http://www.cenzic.com/downloads/datasheets/Cenzic-datasheet-Hailstorm-Technology.pdf
Source Code Analyzers
Open Source / Freeware
• OWASP Orizon
• OWASP LAPSE
• OWASP O2 Platform
• Google CodeSearchDiggity - http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/
• PMD - http://pmd.sourceforge.net/
• FlawFinder - http://www.dwheeler.com/flawfinder
• Microsoft’s FxCop
• Splint - http://splint.org
• Boon - http://www.cs.berkeley.edu/~daw/boon
• FindBugs - http://findbugs.sourceforge.net
• Find Security Bugs - http://h3xstream.github.io/find-sec-bugs/
• Oedipus - http://www.darknet.org.uk/2006/06/oedipus-opensource-web-application-security-analysis/
• W3af - http://w3af.sourceforge.net/
• phpcs-security-audit - https://github.com/Pheromone/phpcs-security-audit
Commercial
• Armorize CodeSecure - http://www.armorize.com/index.php?link_id=codesecure
• Parasoft C/C++ test - http://www.parasoft.com/jsp/products/cpptest.jsp/index.htm
• Checkmarx CxSuite - http://www.checkmarx.com
• HP Fortify - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-fortify-static-code-analyzer
• GrammaTech - http://www.grammatech.com
• ITS4 - http://seclab.cs.ucdavis.edu/projects/testing/tools/its4.html
• Appscan - http://www-01.ibm.com/software/rational/products/appscan/source/
• Parasoft - http://www.parasoft.com
• Virtual Forge CodeProfiler for ABAP - http://www.virtualforge.de
• Veracode - http://www.veracode.com
• Armorize CodeSecure - http://www.armorize.com/codesecure/
Acceptance Testing Tools
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a unit testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security-specific tests in addition to functional tests.
Open Source Tools
• WATIR - http://wtr.rubyforge.org
  • A Ruby-based web testing framework that provides an interface into Internet Explorer.
  • Windows only.
• HtmlUnit - http://htmlunit.sourceforge.net
  • A Java and JUnit based framework that uses the Apache HttpClient as the transport.
  • Very robust and configurable, and used as the engine for a number of other testing tools.
• jWebUnit - http://jwebunit.sourceforge.net
  • A Java-based meta-framework that uses HtmlUnit or Selenium as the testing engine.
• Canoo Webtest - http://webtest.canoo.com
  • An XML-based testing tool that provides a facade on top of HtmlUnit.
  • No coding is necessary, as the tests are completely specified in XML.
  • There is the option of scripting some elements in Groovy if XML does not suffice.
  • Very actively maintained.
• HttpUnit - http://httpunit.sourceforge.net
  • One of the first web testing frameworks; it suffers from using the native JDK-provided HTTP transport, which can be a bit limiting for security testing.
• Watij - http://watij.com
  • A Java implementation of WATIR.
  • Windows only, because it uses IE for its tests (Mozilla integration is in the works).
• Solex - http://solex.sourceforge.net
  • An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
• Selenium - http://seleniumhq.org/
  • JavaScript-based testing framework; cross-platform and provides a GUI for creating tests.
  • Mature and popular tool, but the use of JavaScript could hamper certain security tests.
Other Tools
Runtime Analysis
• Rational PurifyPlus - http://www-01.ibm.com/software/awdtools/purify/
• Seeker by Quotium - http://www.quotium.com/prod/security.php
Binary Analysis
• BugScam IDC Package - http://sourceforge.net/projects/bugscam
• Veracode - http://www.veracode.com
Requirements Management
• Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro
Site Mirroring
• wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
• curl - http://curl.haxx.se
• Sam Spade - http://www.samspade.org
• Xenu’s Link Sleuth - http://home.snafu.de/tilman/xenulink.html
OWASP Testing Guide Appendix B: Suggested Reading
Whitepapers
• The Economic Impacts of Inadequate Infrastructure for Software