One of the biggest trends in web application testing today is security testing. Most people know their web application is important to their business, and nobody wants a serious breach. With attackers becoming more sophisticated, and with tooling that makes many common vulnerabilities easier to exploit, the odds are not in your favor. Unfortunately, at many companies most testers don’t know where to start. So, in the next few weeks I’m going to introduce you to a variety of security testing tools to get you going.
So where do we start?
One of the easiest security testing tools to learn is WebSecurify. Don’t assume that because it’s easy it isn’t powerful, though! WebSecurify is a fairly capable web application scanner designed to cover a lot of your application. Any tester should be able to get WebSecurify up and running in a matter of minutes. On top of everything else, it runs on all the major platforms and has a free, open-source version. There are tutorials out there, but the great thing for beginners is that with this tool you don’t even need them. It’s as easy as typing in your web address and pressing ‘Go!’
The real benefit here is the elegance and ease of use. The tool runs quickly and provides a good level of coverage too (yes, for you security ninjas, its checks cover the OWASP Top 10 categories). One caveat any automated scanner deserves: covering a category is not the same as finding every instance of it, so treat a clean report as a starting point rather than a sign-off, especially for issues like broken access control and business-logic flaws that a scanner can only partially detect. The interface works well in a browser or as a standalone desktop application. You can even extend it with third-party extensions if you want to get fancy.
WebSecurify also has a mobile version for your Android phone or iPhone. I think this is pretty neat for testing on the go, but I’ve yet to test its usefulness or how it compares to the free version. I have to admit, though, it has a whole lot of cool factor.
So what’s the catch? There’s always a catch…
The basic version gets you started and provides the basics (hence the name), but the advanced version is much better. For starters, the reporting in the basic version is easy on the eyes and provides enough detail some of the time, but the advanced version provides more detailed reports, automated screenshots of vulnerabilities and exportable reports in multiple formats. When you don’t necessarily understand what each vulnerability means, this helps tremendously!
While the basic version will scan everything it can reach from the URL you give it, the advanced version lets you adjust your test scope, authenticate, and even test multiple sites at once. Authentication matters more than it sounds: without it, the scanner never sees the pages behind a login, which is usually where the interesting functionality lives. In my humble opinion, this is the biggest downfall of the free version. For an advanced tester, this will get annoying fast.
Don’t get discouraged; there is a silver lining to the paid version. It’s only $239.99, and the licensing is very flexible. If you’ve done any research on security testing tools at this point, you’ll realize this is a steal!
Try it out today, let me know your thoughts in the comments.