Which software security testing tools do you use?

Hey guys!

I’m writing an article about software security testing tools. I wonder if any of you could share your experience. Have you used tools like Netsparker, Zed Attack Proxy, or Nessus, or perhaps there are better options? What were the pros and cons of using the tool?

I would really appreciate the feedback from pentesters, security experts, or anyone possessing hands-on experience with security testing tools.


Hello,

Security testing plays an important role in the software development process. It helps us identify security-related issues and weaknesses. These security testing tools are very helpful for discovering unknown vulnerabilities in the application. Here is the list of penetration testing tools for 2021.

  • Netsparker
  • Acunetix
  • Intruder
  • Indusface
  • Intrusion Detection Software
  • Traceroute NG
  • ExpressVPN
  • OWASP
  • Wireshark
  • w3af

Thank you very much for your answer! Can you highlight the pros and cons you noticed while you were using it? The cons are especially interesting to me. Maybe you remember something you found annoying as a user?

Nice question!

Before discussing the tools used for software security testing, don’t you think we should first know what software security testing is and why we need to do it? Right!

So, let’s start!!!

Software security testing is performed by a software testing services company to ensure that software systems and applications are free from vulnerabilities, threats, and risks that may cause tremendous losses.

Security testing of any system is about finding all possible loopholes and weaknesses of the system which might result in a loss of information, revenue, and reputation caused by employees or malicious external hackers.

With the information provided from testing, development teams can fix any vulnerabilities before malicious hackers exploit them.

The following are the critical areas covered by security testing:

  • Confidentiality
  • Authentication
  • Authorization
  • Integrity
  • Non-repudiation
  • Availability

Now, our next question is “Why do we need to do software security testing?”

Here is the answer to your question:

The primary purpose of security testing is to identify security leaks and fix them at the initial stage. This helps to rate the stability of the current system and also helps it stand in the market for a longer time.

Security testing helps to avoid the following:

  • Loss of important information.
  • Loss of customer’s trust.
  • Inconsistent website performance.
  • Unexpected breakdown.
  • Additional costs required for repairing websites after an attack.
  • Information theft by an unauthorized user.

Finally, we have reached the last and most important question: “Which tools are used for software security testing?”

The following are some widely recommended tools used for software security testing:

1. SonarQube

  • It is an open-source tool that is used to measure the quality of source code.

  • Though written in Java, it can analyze over twenty different programming languages. It integrates easily with continuous integration tools like the Jenkins server. The results are populated to the SonarQube server with ‘green’ and ‘red’ lights.

  • Nice charts and project-level issue lists can be viewed. We can invoke it from the GUI as well as the command prompt.

2. Klocwork

  • It is a code analysis tool used to identify security, safety, and reliability issues in programming languages like C, C++, Java, and C#.

  • We can easily integrate it with continuous integration tools like Jenkins, and it can also raise bugs in Jira upon encountering new issues.

3. NetSparker

  • Netsparker has out-of-the-box support for several popular issue tracking, CI/CD, and other services used in development environments. If you use a system for which Netsparker does not have out-of-the-box support, you can always use the REST API.

  • It works with Proof-Based Scanning, an exclusive technology that automatically verifies identified vulnerabilities, proving they are real and not false positives.

4. Nmap

  • In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

  • Nmap has been used to scan huge networks of hundreds of thousands of machines.

  • Significant effort has been put into comprehensive resources for it such as whitepapers, tutorials, and even a book. You can find them in multiple languages.

  • It’s well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. You can also find Nmap on Facebook and Twitter.

5. OWASP Zed Attack Proxy

  • It’s designed to be used by both beginners and professionals.

  • Cross-platform – works across all OS (Linux, Mac, Windows).

  • ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

6. Sboxr

  • Sboxr finds issues just by browsing through your site; there’s almost no learning curve.

  • The creators of Sboxr will help you understand, validate, or remediate issues through their professional support.

7. VAddy

  • It’s the easiest tool to use if you want to add security checks into your CI pipeline.

  • There is no tool to install or any special settings to configure.

8. Burp Suite

  • The decoder tool in Burp Suite does the job of encoding and decoding data. A web application penetration tester needs to be able to understand the type of encoding that has been applied and then successfully decode the piece of data.

  • Comparer tool: useful when you want to see how different values for parameters and headers cause subtle changes in the responses you receive. It allows you to see how the application reacts to a valid user/invalid password combination compared to an invalid user/invalid password combination.

  • When you are working on multiple projects for a client, the ability to Save State and Restore State comes in handy.

9. Acunetix

  • With this tool, it’s possible to easily find and report many types of web weaknesses such as SQL injection, blind SQL injection, cross-site scripting, CRLF injection, code execution, directory traversal, file inclusion, and authentication bypass.

  • Detailed penetration scenarios can be performed with Acunetix’s HTTP Editor, HTTP Sniffer, HTTP Fuzzer, WVS Scripting Tool, and Blind SQL Injector tools for advanced penetration testing processes.

  • With the support of captcha, single sign-on and two-factor authentication, Acunetix can adapt to any kind of Web application.

Conclusion:

Software testing tools are pivotal in a software testing services company’s business strategy. To overlook system and information security is akin to business suicide. As crucial as software testing is, and as useful as software testing tools are, the implementation process is highly customized to suit the need of the business.

For this reason, it is important to have a trusted software security testing vendor.


@skillinen, fyi, you would be interested in this post.


With the tools you’re naming, I’m going to assume you’re testing web applications. Some of the best tests you can run are:

  • Fuzzing - throw a lot of data at an application, log its responses, and look for patterns. If you notice that a certain character always causes a 500, for instance, you probably have a parser somewhere that can’t handle that input. Fuzzing is useful for functional and security testing. Fuzzing with attack strings is a great way to find vulnerabilities in your code, and also a great way to cause an enormous mess in your test environment.
  • Dynamic scanning or DAST (dynamic application security testing) - what a lot of people mean when they say “security testing.” Intercepting proxies such as ZAP and Burp have some prebuilt dynamic scanning features. You can get a lot of benefit out of customizing them for your application.

Zed Attack Proxy is my favorite for manual exploration and fuzzing. It’s similar to Burp Suite, but free, open source, and maintained by OWASP, who I like. The custom fuzzing options are really nice - you can build wordlists or sample strings tuned to your application, and get more useful results than you can from most stock wordlists.

Its UI can be confusing, especially for someone who has never used an intercepting proxy before.
If you’re in a multi-domain Windows environment, it also does not like Kerberos, but that’s enough of an edge case that I have no qualms about recommending it.

BurpSuite is another intercepting proxy that does a good job of scanning web applications. I find its UI even more cluttered than ZAP’s, and many features I rely on are paid only.

Postman is excellent for APIs, and you can script it to do almost whatever you want. It has nice sharing features, so that you can have multiple teammates collaborate on a single test set.

ReadyAPI is …okay? I like it less than Postman for security testing. It integrates Groovy scripting, so you can do some interesting things with it, but I found it to require a lot of maintenance.

Wireshark is an amazingly powerful tool when you need to go to the protocol level and examine traffic between your applications. It’s unrivaled for its power and flexibility. Read or watch some tutorials; Wireshark is a deep subject in and of itself, and I found the online documentation somewhat difficult to work through.

As mentioned above, nmap is a tremendously powerful network scanner. It can not only map networks, but has many prebuilt security tests, and a huge market of scripts that you can run. Just like anything, if you are downloading code from an untrusted source (nmap scripts!) be very sure you know what it does before you run it.

Beware: some appliances do NOT like nmap scans. Talk to your Ops team before you start throwing packets around.

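The fuzzing workflow described in the post above (throw many inputs at an application, log its responses, and look for a character that always produces a 500) as a small worked example. This is an added example, not code from any post in this thread or from ZAP or Burp; the `toy_handler` application, the `ATTACK_STRINGS` wordlist and all helper names are constructed for illustration, and the handler runs in-process so nothing is sent over a network.

```python
"""Fuzz-and-look-for-patterns harness: send many inputs to a handler, log the
status codes, and find characters that consistently trigger a 500.

Added example for this thread; the handler, the wordlist and the helper
names are all constructed."""
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Tuple
import json

Handler = Callable[[str], int]


def toy_handler(param: str) -> int:
    """Constructed stand-in for the application under test: it embeds the
    parameter in a JSON document without escaping it, then parses it back.
    Characters that break the parser surface as a 500, which is exactly the
    kind of pattern the post describes."""
    try:
        json.loads('{"q": "' + param + '"}')
    except json.JSONDecodeError:
        return 500
    if len(param) > 64:
        return 413
    return 200


# Constructed wordlist in the style of a "naughty strings" list:
# plain text, quotes, a backslash, a control character, markup, etc.
ATTACK_STRINGS: List[str] = [
    "hello", "O'Reilly", 'a"b', '"', "back\\slash", "tab\there",
    "<script>", "' OR 1=1--", "x" * 100, "\u00e9", "", '{"a":1}',
]


def fuzz(handler: Handler, inputs: List[str]) -> List[Tuple[str, int]]:
    """Send every input and log (input, status) pairs."""
    return [(s, handler(s)) for s in inputs]


def status_histogram(results: List[Tuple[str, int]]) -> Dict[int, int]:
    """How often each status code came back; a quick first look at the log."""
    return dict(Counter(code for _, code in results))


def suspect_chars(results: List[Tuple[str, int]], status: int = 500) -> List[str]:
    """Characters that occur only in inputs which produced `status`.
    This is the pattern search; it over-approximates, because a harmless
    character can ride along in every failing input by coincidence."""
    seen: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # char -> [total, hits]
    for s, code in results:
        for ch in set(s):
            seen[ch][0] += 1
            if code == status:
                seen[ch][1] += 1
    return sorted(ch for ch, (total, hits) in seen.items() if hits == total)


def confirm_suspects(handler: Handler, suspects: List[str], status: int = 500) -> List[str]:
    """Minimisation step: re-send each suspect on its own and keep only the
    characters that still cause the failure by themselves."""
    return [ch for ch in suspects if handler(ch) == status]


def run_campaign(handler: Handler, inputs: List[str], status: int = 500) -> List[str]:
    """Full loop: fuzz, find candidate characters, confirm them in isolation."""
    results = fuzz(handler, inputs)
    return confirm_suspects(handler, suspect_chars(results, status), status)


if __name__ == "__main__":
    results = fuzz(toy_handler, ATTACK_STRINGS)
    print("status histogram:", status_histogram(results))
    print("suspects:", suspect_chars(results))
    print("confirmed:", run_campaign(toy_handler, ATTACK_STRINGS))
```

The two-stage shape matters: the raw pattern search flags letters such as `a` and `b` simply because they happen to appear only in failing inputs, and the confirmation step discards them, leaving the double quote, the backslash and the tab, which are the characters the unescaped JSON builder really cannot handle. Against a real application the handler would be replaced by an HTTP call to a test environment, and the confirmed characters are what you hand to the developers as the parser bug to fix.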

Here’s a bit of my list:

  1. OWASP ZAP
    Easy to integrate Vulnerability Scanner into the pipeline.
    Also easy to use for manual testing, brute forcing, fuzzing etc. (some may use BurpSuite)

  2. Snyk
    Automatically find, prioritize and fix vulnerabilities in the open source dependencies used to build your cloud native applications.

  3. OneListForAll & Big List of Naughty Strings
    GitHub - six2dez/OneListForAll: Rockyou for web fuzzing
    A list of words used for bruteforcing
    GitHub - minimaxir/big-list-of-naughty-strings: The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data.

  4. Crunch
    crunch | Penetration Testing Tools
    Wordlist generator

  5. Knockpy
    GitHub - guelfoweb/knock: Knock Subdomain Scan
    Awesome tool to find subdomains.