
	Home > Learning Guide: Application security testing techniques

Learning Guide:

EMAIL THIS

Learning Guide: Application security testing techniques

14 Sep 2006 | SearchSoftwareQuality.com

Software quality news and advice

Digg This! StumbleUpon Del.icio.us

Testing applications for security purposes is such a basic, important safety measure that most security professionals wouldn't think twice about it. Yet just a few years ago, the methods for application security testing were limited in both scope and number.

All that has changed. Now the tools and techniques for testing are more sophisticated. We can expect advancements in methodology, novel approaches to testing and many new products to come. This learning guide breaks testing down into several categories, although there is inevitably some overlap. Use these papers, expert opinions, articles, news and tips to refine your application security testing strategy. If you know of an article, tip, tool or method that should be included, send me an e-mail with the information and I'll be happy to add it. – Jennette Mullaney, assistant editor.

TABLE OF CONTENTS
   Vulnerability Assessment
   Source Code/Static Analysis
   Penetration Testing
   Fuzz Testing
   Obfuscation
   Architectural Risk Analysis
   Other Useful Resources

  Vulnerability Assessment

[Return to Table of Contents]

Definition: vulnerability analysis
Definition: vulnerability scanner
Definition: vulnerability disclosure
Definition: ethical hacker
News: Application vulnerability detection improved by Fortify, Watchfire partnership
News: Vulnerability assessment pays off for Debt Exchange
News: Product roundup: New tools to secure application security
Article: Hacme Casino tool reveals online gaming vulnerabilities
Expert response: Reasons for application vulnerabilities
Article: App security tools target Ajax vulnerabilities
Tip: Understanding technical vs. logical vulnerabilities
Tip: Testing Ajax, JavaScript and ActiveX for vulnerabilities
Podcast: There's a hole in your network – vulnerability management is no mystery

Source Code/Static Analysis

[Return to Table of Contents]

Definition: dynamic analysis
Definition: static analysis
Tip: Static and dynamic code analysis: A key factor for application security success
News: Klockwork analysis tool proves its worth, finds bugs in open source projects
Tip: Source code security scanners: A revamped option for securing custom software
News: ASP.NET tool upgrade: Compuware releases SecurityChecker 2.5
Expert Response: Code analysis: Which tool is right for you?
Article: Ounce Labs reaches out to developers with new analysis tool
Article: Code analysis
Article: Source code analysis tools- Overview
White paper: Implementing Source Code Vulnerability Testing in the Software Development Life Cycle

Penetration Testing

[Return to Table of Contents]

Definition: penetration testing
Book excerpt: Professional Pen Testing for Web Applications – Chapter 6, Attack Simulation Techniques and Tools
Tip: Buffer overflow tools facilitate application testing
Tip: Inside application assessment: Pen testing vs. code review
Tip: Best practices for pen testing Web applications
News: Penetration testing tool released by Metasploit founder
Expert response: Manual vs. automated penetration testing
News: Core security updates pen testing software
News: Free tool helps find SQL injection vulnerabilities
Article: Penetration testing for Web applications (part one)
Article: Penetration testing for Web applications (part two)
Article: Penetration testing for Web applications (part three)
Article: Demonstrating ROI for penetration testing (part two)

Fuzz Testing

[Return to Table of Contents]

Definition: fuzzer
Expert response: Using fuzzer tools to find vulnerabilities
Tool: Web services pen testing tool released
Overview: fuzz testing
Site: Fuzz testing of application reliability
News: Free fuzzing tool launched
News: Hackers use AI to uncover vulnerabilities
News: Browsers feel the fuzz
News: The fuzz: To serve and protect
Article: Fuzzing with WebScarab

Obfuscation

[Return to Table of Contents]

Definition: obfuscation
Definition: decompile
Definition: reverse engineering
Article: PreEmptive package helps make obfuscation part of the SDLC
Introduction: obfuscator: Java Glossary
White paper: Next-Generation Protection Against Reverse Engineering
White paper: Obfuscation of Design Intent in Object-Oriented Applications
News: Zend upgrades IP protection for PHP applications
Tool: .NET Obfuscator protects against source code extraction
Tool FAQ: Java and .NET obfuscation frequently asked questions
Guide: How to select and obfuscation tool for .NET

Architectural Risk Analysis

[Return to Table of Contents]

Definition: architectural risk analysis
Definition: risk analysis
Book excerpt: Software Security: Building Security In – Chapter 5: Architectural Risk Analysis
Definition: threat modeling
Guide: Threat Modeling
Tool: Control Objectives for Information and related Technology(COBIT)
Definition: COBIT
Tool: OCTAVE Information Security Risk Evaluation
White paper: Risk analysis in software design
Article: Architectural risk analysis
Expert response: Assessing security of Web services, part one
Article: Bridging the gap between software development and information security
Article: Microsoft P&P delivers threat modeling guidance for Web apps
Guide: Security Risk Management Guide
Guide: Security Self-Assessment Guide for Information Technology Systems
Tool: Automated Security Self-Evaluation Tool (ASSET)
Tool: Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) Framework, v1.0
Tool: Microsoft Threat Analysis & Modeling v2.1.2
Blog: Microsoft application threat modeling blog

Other useful resources

[Return to Table of Contents]

Expert advice on tools and technologies

Do you have a question about application security testing techniques? Our Tools & Technologies expert Brad Arkin may have the answer. Read advice he has given or submit your own questions.

Course: Web and Software Application Security Testing
Project: OWASP Testing Project
Product: Web Application Security and Testing from SPI Dynamics
Product: Security Innovation – Application Security Testing
Product: Application Security Assessment from Cenzic
Book: Testing Web Security: Assessing the Security of Web Sites and Applications
Book: Testing Applications on the Web: Test Planning for Internet-Based Systems

Send in your suggestions
Are there other topics you'd like to see learning guides on? Send assistant editor Jennette Mullaney an e-mail at jmullaney@techtarget.com and let her know what they are.

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Software security testing and techniques
	Ajax security -- Is anyone listening?
	Critical security issues found in the Spring Framework
	Web application security and the PCI DSS
	PCI DSS compliance: Web application firewalls (WAFs)
	PCI DSS compliance: The basics
	PCI DSS compliance: Code review
	PCI DSS compliance: WAF, code review or both?
	The realities of using WAFs for PCI DSS 6.6 compliance
	The realities of PCI DSS 6.6 application code reviews
	Ruby on Rails security audit service available

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

SEARCH

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2006 - 2008, TechTarget \| Read our Privacy Policy