Which software security testing tools do you use?

Hey guys!

I'm writing an article about software security testing tools. I wonder if any of you could share your experience. Have you used tools like Netsparker, Zed Attack Proxy, or Nessus, or perhaps there are better options? What were the pros and cons of using the tool?

I would really appreciate the feedback from pentesters, security experts, or anyone possessing hands-on experience with security testing tools.

4 Likes

Hello,

Security testing plays an important role in the software development process. Security testing helps us to identify security-related issues and weaknesses. These security testing tools are very helpful for finding unknown vulnerabilities in the application. Here is a list of penetration testing tools for 2021.

  • Netsparker
  • Acunetix
  • Intruder
  • Indusface
  • Intrusion Detection Software
  • Traceroute NG
  • ExpressVPN
  • OWASP
  • WireShark
  • w3af
2 Likes

Thank you very much for your answer! Can you highlight the pros and cons you noticed while you were using it? Especially the cons are interesting for me. Maybe you remember something you found annoying as a user?

1 Like

Nice question!

Before discussing the tools that are used for software security testing, don't you think we should first know "What exactly is software security testing, and why do we need to do it?" Right!

So, let's start!

Software security testing is performed in a software testing services company to ensure that software systems and applications are free from any vulnerabilities, threats, and risks that may cause tremendous losses.

Security testing of any system is about finding all possible loopholes and weaknesses of the system which might result in a loss of information, revenue, and reputation caused by employees or malicious external hackers.

With the information provided from testing, development teams can fix any vulnerabilities before malicious hackers exploit them.

The following are the critical areas that are covered by security testing:

  • Confidentiality
  • Authentication
  • Authorization
  • Integrity
  • Non-repudiation
  • Availability

Now, our next question is "Why do we need to do software security testing?"

Here is an answer to that question:

The primary purpose of security testing is to identify security leaks and fix them at an early stage. This helps to rate the stability of the current system and also helps the product stand in the market for a longer time.

Security testing helps to avoid the following:

  • Loss of important information.
  • Loss of customers' trust.
  • Inconsistent website performance.
  • Unexpected breakdown.
  • Additional costs required for repairing websites after an attack.
  • Information theft by an unauthorized user.

Finally, we have reached the last and the most important question: "Which tools are used for software security testing?"

The following are some widely recommended tools used for software security testing:

1. SonarQube

  • It is an open-source tool that is used to measure the quality of source code.

  • Though written in Java, it can analyze over twenty different programming languages. It can easily integrate with continuous integration tools like Jenkins, etc. The results are published to the SonarQube server with 'green' and 'red' lights.

  • Nice charts and project-level issue lists can be viewed. We can invoke it from the GUI as well as from the command prompt.

2. Klocwork

  • It is a code analysis tool that is used to identify security, safety, and reliability issues in code written in languages like C, C++, Java, and C#.

  • We can easily integrate it with continuous integration tools like Jenkins and can also raise bugs in Jira upon encountering new issues.

3. NetSparker

  • Netsparker has out-of-the-box support for several popular issue tracking, CI/CD, and other services used in development environments. If you use a system for which Netsparker does not have out-of-the-box support, you can always use the REST API.

  • It works with Proof-Based Scanning, an exclusive technology that automatically verifies identified vulnerabilities, proving they are real and not false positives.

4. Nmap

  • In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

  • Nmap has been used to scan huge networks of hundreds of thousands of machines.

  • Significant effort has been put into comprehensive resources for it such as whitepapers, tutorials, and even a book. You can find them in multiple languages.

  • It's well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. You can also find Nmap on Facebook and Twitter.

5. OWASP Zed Attack Proxy

  • Itā€™s designed to be used by both beginners and professionals.

  • Cross-platform - works across all OSes (Linux, Mac, Windows).

  • ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

6. Sboxr

  • Sboxr finds issues as you simply browse through your site; there's almost no learning curve.

  • The creators of Sboxr will help you in understanding, validating or remediating issues through its professional support.

7. VAddy

  • Itā€™s the easiest tool to use if you want to add security checks into your CI pipeline.

  • There is no tool to install or any special settings to configure.

8. Burp Suite

  • The decoder tool in Burp Suite does the job of encoding and decoding data. A web application penetration tester needs to be able to understand the type of encoding that has been applied and then successfully decode the piece of data.

  • Comparer tool: useful when you want to see how different values for parameters and headers produce subtle changes in the responses you receive. It lets you see how the application reacts to a valid user with an invalid password compared to an invalid user with an invalid password.

  • When you might be working on multiple projects for a client, the ability to Save State and Restore State comes in handy.

9. Acunetix

  • With this tool, itā€™s possible to easily find and report many types of web weaknesses such as SQL injection, blind SQL injection, cross-site scripting, CRLF injection, code execution, directory traversal, file inclusion, and authentication bypass.

  • Detailed penetration scenarios can be performed with Acunetix's HTTP Editor, HTTP Sniffer, HTTP Fuzzer, WVS Scripting Tool, and Blind SQL Injector tools for advanced penetration testing processes.

  • With the support of captcha, single sign-on and two-factor authentication, Acunetix can adapt to any kind of Web application.

Conclusion:

Software testing tools are pivotal in a software testing services company's business strategy. To overlook system and information security is akin to business suicide. As crucial as software testing is, and as useful as software testing tools are, the implementation process is highly customized to suit the needs of the business.

For this reason, it is important to have a trusted software security testing vendor.

4 Likes
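The Burp Decoder description above says a tester has to recognise which encoding a value carries and then peel it off. Here is an added example of that recognise-and-peel loop in Python (my own code, not from the post above and not PortSwigger's Decoder): it tries URL, HTML-entity, hex and base64 decoding in turn, records each layer it removes, and stops when nothing applies any more. The decoder order, the printable-text heuristic and the sample cookie value are my assumptions.

```python
import base64
import binascii
import html
import re
import string
from urllib.parse import quote, unquote

# Every decoder returns the decoded text, or None when the input does not look
# like that encoding (or decodes to something that is not printable text).
_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){2,}$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")
_PRINTABLE = set(string.printable)


def _looks_like_text(s: str) -> bool:
    return bool(s) and all(ch in _PRINTABLE for ch in s)


def try_url(s: str):
    if "%" not in s:
        return None
    out = unquote(s)
    return out if out != s else None


def try_html(s: str):
    if "&" not in s:
        return None
    out = html.unescape(s)
    return out if out != s else None


def try_hex(s: str):
    if not _HEX_RE.match(s):
        return None
    try:
        out = bytes.fromhex(s).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return out if _looks_like_text(out) else None


def try_base64(s: str):
    if len(s) % 4 or not _B64_RE.match(s):
        return None
    try:
        out = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return out if _looks_like_text(out) else None


# Cheap, unambiguous checks first; base64 last because an ordinary word can
# happen to be valid base64 (assumed ordering, tune it for your target).
DECODERS = [("url", try_url), ("html", try_html), ("hex", try_hex), ("base64", try_base64)]


def smart_decode(value: str, max_layers: int = 8):
    """Peel encoding layers until none applies.

    Returns (plaintext, layers); layers lists the encodings removed, outermost
    first, which is exactly the order to re-apply after editing the value."""
    layers = []
    current = value
    for _ in range(max_layers):
        for name, decoder in DECODERS:
            out = decoder(current)
            if out is not None:
                layers.append(name)
                current = out
                break
        else:
            break
    return current, layers


# Constructed sample: a cookie value that was URL-encoded and then base64'd.
SAMPLE_PLAINTEXT = "user=admin&role=<script>"
SAMPLE_COOKIE = base64.b64encode(quote(SAMPLE_PLAINTEXT).encode()).decode()

if __name__ == "__main__":
    print(smart_decode(SAMPLE_COOKIE))
    print(smart_decode("48656c6c6f"))
    print(smart_decode("a &lt;b&gt;"))
```

The layer list is a hint to confirm in Repeater, not proof: the printable-text test rejects most accidental base64 decodes of short usernames, but it cannot tell a legitimately hex-looking token from hex-encoded text.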

@skillinen, fyi, you would be interested in this post.

1 Like

With the tools you're naming, I'm going to assume you're testing web applications. Some of the best tests you can run are:

  • Fuzzing - throw a lot of data at an application, log its responses, and look for patterns. If you notice that a certain character always causes a 500, for instance, you probably have a parser somewhere that can't handle that input. Fuzzing is useful for functional and security testing. Fuzzing with attack strings is a great way to find vulnerabilities in your code, and also a great way to cause an enormous mess in your test environment.
  • Dynamic scanning or DAST (dynamic application security testing) - what a lot of people mean when they say "security testing." Intercepting proxies such as ZAP and Burp have some prebuilt dynamic scanning features. You can get a lot of benefit out of customizing them for your application.

Zed Attack Proxy is my favorite for manual exploration and fuzzing. It's similar to Burp Suite, but free, open source, and maintained by OWASP, who I like. The custom fuzzing options are really nice - you can build wordlists or sample strings tuned to your application, and get more useful results than you can from most stock wordlists.

Its UI can be confusing, especially for someone who has never used an intercepting proxy before.
If you're in a multi-domain Windows environment, it also does not like Kerberos, but that's enough of an edge case that I have no qualms about recommending it.

BurpSuite is another intercepting proxy that does a good job of scanning web applications. I find its UI even more cluttered than ZAP's, and many features I rely on are paid only.

Postman is excellent for APIs, and you can script it to do almost whatever you want. It has nice sharing features, so that you can have multiple teammates collaborate on a single test set.

ReadyAPI is... okay? I like it less than Postman for security testing. It integrates Groovy scripting, so you can do some interesting things with it, but I found it to require a lot of maintenance.

Wireshark is an amazingly powerful tool when you need to go to the protocol level and examine traffic between your applications. It's unrivaled for its power and flexibility. Read or watch some tutorials; Wireshark is a deep subject in and of itself, and I found the online documentation somewhat difficult to work through.

As mentioned above, nmap is a tremendously powerful network scanner. It can not only map networks, but has many prebuilt security tests, and a huge market of scripts that you can run. Just like anything, if you are downloading code from an untrusted source (nmap scripts!) be very sure you know what it does before you run it.

Beware: some appliances do NOT like nmap scans. Talk to your Ops team before you start throwing packets around.

2 Likes
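To make the "log its responses and look for patterns" step above concrete, here is an added Python example (mine, not the poster's): a small fuzzer that records the status code per payload, computes a per-character 500 rate, and re-sends each suspect character on its own to confirm it. The target is a constructed stand-in with two bugs of the kind the post describes, not a real application, and the payload corpus is constructed as well; in practice `fake_target` is replaced by a function that sends the payload over HTTP and returns the status code.

```python
import shlex
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Target = Callable[[str], int]   # sends one payload, returns an HTTP-style status


def fake_target(value: str) -> int:
    """Constructed stand-in for the application under test.

    Two realistic parser bugs: user input ends up in a str.format() template,
    so any brace breaks it, and the text is tokenised with shlex, so an
    unbalanced quote breaks it. Either error surfaces as a 500, the way an
    unhandled exception would in a real app."""
    try:
        message = ("Search results for: " + value).format()
        tokens = shlex.split(message)
        return 200 if tokens else 400
    except (ValueError, KeyError, IndexError):
        return 500


# Constructed corpus: a few benign values plus classic attack strings.
PAYLOADS = [
    "hello", "<script>alert(1)</script>", "' OR 1=1--", "it's", "'quoted'",
    "{0}", "{name}", "x}y", '"double', "%s%s", "../../etc/passwd", "",
]


def fuzz(target: Target, payloads: List[str]) -> List[Tuple[str, int]]:
    """Send every payload and log (payload, status) so patterns can be mined."""
    return [(p, target(p)) for p in payloads]


def char_error_rates(results: List[Tuple[str, int]]) -> Dict[str, Tuple[int, int]]:
    """Per character seen in any payload: (payloads that 500'd, payloads sent)."""
    sent: Dict[str, int] = defaultdict(int)
    failed: Dict[str, int] = defaultdict(int)
    for payload, status in results:
        for ch in set(payload):
            sent[ch] += 1
            if status >= 500:
                failed[ch] += 1
    return {ch: (failed[ch], sent[ch]) for ch in sent}


def find_breaking_chars(target: Target, results: List[Tuple[str, int]]) -> List[str]:
    """Characters whose every appearance came with a 500, re-sent alone and
    inside a benign wrapper to rule out coincidence (e.g. the '0' in '{0}')."""
    candidates = [ch for ch, (f, n) in char_error_rates(results).items() if f == n]
    confirmed = []
    for ch in candidates:
        if all(target(probe) >= 500 for probe in (ch, f"ab{ch}cd")):
            confirmed.append(ch)
    return sorted(confirmed)


if __name__ == "__main__":
    results = fuzz(fake_target, PAYLOADS)
    for ch, (f, n) in sorted(char_error_rates(results).items()):
        if f:
            print(f"{ch!r}: {f}/{n} requests returned 500")
    print("always breaking:", find_breaking_chars(fake_target, results))
```

The confirmation step is what separates signal from coincidence: in this corpus the digit 0 only ever appears in `{0}`, so its error rate is 100% until it is sent alone and returns 200. The opposite case shows up as well: the single quote breaks the target only when unbalanced, so `'quoted'` passes and the script reports it at 2 of 3 rather than flagging it. Characters with high but imperfect rates are worth a manual look in the proxy, not a dismissal.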

Here's a bit of my list:

  1. OWASP ZAP
    Easy to integrate Vulnerability Scanner into the pipeline.
    Also easy to use for manual testing, brute forcing, fuzzing etc. (some may use BurpSuite)

  2. Snyk
    Automatically find, prioritize and fix vulnerabilities in the open source dependencies used to build your cloud native applications

  3. OneListForAll & Big List of Naughty Strings
    GitHub - six2dez/OneListForAll: Rockyou for web fuzzing
    A list of words used for bruteforcing
    GitHub - minimaxir/big-list-of-naughty-strings: The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data.

  4. Crunch
    crunch | Penetration Testing Tools
    Wordlist generator

  5. Knockpy
    GitHub - guelfoweb/knock: Knock Subdomain Scan
    Awesome tool to find subdomains.
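Crunch, listed above, builds wordlists from a pattern. As an added example (my own code, not crunch's), here is the core of that idea in Python, mirroring crunch's `-t` placeholders (`@` lowercase, `,` uppercase, `%` digit, `^` symbol) and adding the size check a practitioner wants before a pattern quietly expands to billions of lines. The symbol set, the default limit and the sample patterns are my assumptions.

```python
import itertools
import string
from typing import Dict, Iterator, List, Sequence

# Placeholder classes, mirroring crunch's -t pattern syntax. Any other
# character in the pattern is a literal. The symbol set is an assumption.
CLASSES: Dict[str, str] = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=",
}


def _position_sets(pattern: str, classes: Dict[str, str] = CLASSES) -> List[str]:
    """One candidate character set per position of the pattern."""
    return [classes.get(ch, ch) for ch in pattern]


def candidate_count(pattern: str, classes: Dict[str, str] = CLASSES) -> int:
    """How many words the pattern expands to; check this before writing a file."""
    total = 1
    for charset in _position_sets(pattern, classes):
        total *= len(charset)
    return total


def expand(pattern: str, classes: Dict[str, str] = CLASSES) -> Iterator[str]:
    """Lazily yield every word matching the pattern, in lexical order."""
    for combo in itertools.product(*_position_sets(pattern, classes)):
        yield "".join(combo)


def build_wordlist(patterns: Sequence[str], classes: Dict[str, str] = CLASSES,
                   limit: int = 1_000_000) -> List[str]:
    """Expand several patterns into one de-duplicated list, refusing to
    generate more than `limit` candidates so a pattern like '@@@@@@@@'
    (26**8 words) cannot fill the disk by accident."""
    total = sum(candidate_count(p, classes) for p in patterns)
    if total > limit:
        raise ValueError(f"{total} candidates exceeds limit of {limit}")
    seen = set()
    words = []
    for p in patterns:
        for w in expand(p, classes):
            if w not in seen:
                seen.add(w)
                words.append(w)
    return words


if __name__ == "__main__":
    # Constructed example: a target named "acme" with year- and suffix-style passwords.
    for w in build_wordlist(["acme%%%%", "Acme%%!", ",cme@@"])[:5]:
        print(w)
```

Feeding the result straight into ZAP's or Burp's fuzzer works, but run `candidate_count` against the rate limits of the target first: a 10,000-line list against a login form is a lockout, not a test.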

So, looking at getting started in the area, it's perplexing. Burpsuite is just an Everest-sized mountain to use in demo mode, because you don't seem to be able to save anything you just did between sessions. For a beginner it's daunting, and £300 for a license is really steep. Am I understanding things correctly, it's not a tool I would pay for out of my pocket and take with me as a skill later on?

As someone who is looking for some help navigating, with a goal to only "modify requests" maliciously and not wanting to "API" test an app at all, what is the right learning track to jump into? Postman appears to be the tool to use, if I'm not wanting to learn about scanning at all?

You can do that in the free version of BurpSuite; I'm doing that also. Just go to HTTP History and send to Repeater. The only downside is that if you wish to use Intruder, it's very limited and slow. That's why I often use ZAP for it.


Extra contribution to the thread of things I use (depending on your needs):


If you really want to get into it, you should follow some influencers and bug bounty platforms.
They often do demos of tools and interviews with bug bounty hunters, and they'll tell you more about what they use.

Kristof. Right now it's a lot of word-soup because it's a big bag of things to take in. I'm kind of hoping that by gaining some background I can later focus on just one area. I'm really relying on our security tester to do most of the scans and specific feature test explorations. I've decided to follow a few folk and gradually build up background.

So far, I suspect I want to use Burpsuite's Repeater tool, yes. Keen to learn how to simulate service errors, as well as simulate someone injecting malicious Java into an app. And for example work out how to expire web tokens to force an app to error on demand at a very specific point in the application lifecycle. All with my very basic Java skill, something the tools assume you already are proficient in. I'm expecting a long journey :scream:

1 Like

I would like to advise you to read security reports; that has been a big help for me when I started doing security for 'real' => https://twitter.com/disclosedh1 is a bot that tweets publicly disclosed reports from HackerOne

A good book with real life examples is: Real-World Bug Hunting: A Field Guide to Web Hacking


If you want to get into security there is a saying: Don't just learn security, learn hacking.
I've followed several courses on Udemy/Pluralsight etc. but the real hands-on experience is different.

Some good practice labs:

And if you feel a bit confident you can start doing bug bounty programs.
I would advise to start learning and mastering 1-3 vulnerabilities and search for these in programs, such as IDOR, XXE, Open Redirect, XSS, ... don't try to do them all at once.

If you are exploring a program and you see a CSV export, then learn about CSV Injection and try it out.


EDIT: You don't really need programming skills... I mean you do, but it depends on what you want to do.
JavaScript is always useful when doing XSS of course. But Java isn't required to test for IDORs, SSRF, XXE or Open Redirects etc...

If you wish to code your own programs, Python is probably the nr 1 go-to :slight_smile:
But someone might have already written it, so no need to re-invent the wheel twice :smiley:


That's true and normal. Security is such a large area. Pick a topic you wish to focus on and just start out with that. At the beginning it might seem impossible or a lot... but once you get rolling you'll notice it's not that hard and oh so so so sooooooo much fun :stuck_out_tongue:
Especially when you find a security breach/hole... a P1... you'll get so much adrenaline. It's better than sports :stuck_out_tongue:


1 Like

LOL, I have at least got isolation so it's easy to make sure I'm always only testing things non-production. There is definitely a bit of mindset to get into here, I keep coming at things from a white-box perspective and need to instead think "malicious" the whole time while learning all these techniques.

1 Like

Big yup! :stuck_out_tongue:
See an export? CSV Injection! Be careful because eventually when you are browsing other websites you might get tempted :smiley:

That feeling when you see:
/viewinvoice.php?id=1234 in the URL of an application you don't have permission to test.

sweatingGuy
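That /viewinvoice.php?id=1234 URL is the textbook IDOR shape, so as an added example (my code, not from the thread) here is a Python sketch of the vulnerable handler beside the fixed one, plus the enumeration loop a tester runs against it. The invoice store, user names and id range are constructed; the loop knows the true owner only because the store is in memory, whereas a real tester recognises another customer's data in the response body.

```python
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed invoice store: id -> (owner, body). In a real app this is a
# table with an owner or tenant column.
INVOICES: Dict[int, Tuple[str, str]] = {
    1234: ("alice", "Invoice 1234: 120.00 EUR"),
    1235: ("bob", "Invoice 1235: 75.50 EUR"),
    1236: ("alice", "Invoice 1236: 9.99 EUR"),
    1240: ("carol", "Invoice 1240: 300.00 EUR"),
}

Handler = Callable[[str, str], Tuple[int, str]]   # (user, url) -> (status, body)


def _invoice_id(url: str) -> Optional[int]:
    """Pull ?id= out of a URL like /viewinvoice.php?id=1234."""
    values = parse_qs(urlparse(url).query).get("id", [])
    try:
        return int(values[0])
    except (IndexError, ValueError):
        return None


def view_invoice_vulnerable(user: str, url: str) -> Tuple[int, str]:
    """Looks the invoice up by id alone: any logged-in user can read any
    invoice by changing the number. That is the IDOR."""
    inv_id = _invoice_id(url)
    if inv_id is None or inv_id not in INVOICES:
        return 404, "not found"
    return 200, INVOICES[inv_id][1]


def view_invoice_fixed(user: str, url: str) -> Tuple[int, str]:
    """Scopes the lookup to the caller. Answering 404 rather than 403 for
    someone else's invoice avoids confirming that the id exists."""
    inv_id = _invoice_id(url)
    record = INVOICES.get(inv_id) if inv_id is not None else None
    if record is None or record[0] != user:
        return 404, "not found"
    return 200, record[1]


def enumerate_ids(handler: Handler, user: str, first: int, last: int) -> List[int]:
    """Walk the id range as one user and return the ids that came back 200
    but belong to someone else (the oracle here is the in-memory store)."""
    leaked = []
    for inv_id in range(first, last + 1):
        status, _ = handler(user, f"/viewinvoice.php?id={inv_id}")
        if status == 200 and INVOICES[inv_id][0] != user:
            leaked.append(inv_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", enumerate_ids(view_invoice_vulnerable, "bob", 1230, 1245))
    print("fixed leaks:     ", enumerate_ids(view_invoice_fixed, "bob", 1230, 1245))
```

Sequential integer ids make the enumeration trivial, but switching to random ids is not the fix; the ownership check in the query is, and it has to be applied on every route that accepts the id, including the PDF download and the "email me this invoice" endpoints that usually get forgotten.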