By Zack Sanders – Director of Security – APconnections
Since launching our hacking challenge last year, we have helped multiple organizations shore up security flaws in their web application infrastructure. Proper web application security testing is always a mix of automated and manual testing. If you only run automated tests and lack the knowledge to interpret the results, the volume of false positives will bury the few real findings and you will get little value. If you do not know the ins and outs of common vulnerabilities, manual testing alone will get you nowhere either. With the right mix, the automated tests give you a baseline analysis that determines which areas of the application deserve further manual exploration.
Here are some of the tools I use the most when assessing a new web application along with brief descriptions*:
1) Metasploit – http://www.metasploit.com/ – Metasploit is an entire framework for penetration testing and security analysis. The framework itself is open source and the community behind it is outstanding.
2) DirBuster – http://sourceforge.net/projects/dirbuster/ – DirBuster is a directory brute force tool: it guesses directory and file names from a wordlist and builds a tree view of the parts of a web application's file system that are reachable over HTTP.
3) Nessus – http://www.tenable.com/products/nessus – Nessus is a great tool for identifying server-level vulnerabilities (unpatched services, weak configurations), as opposed to flaws in the application's own code.
4) John the Ripper – http://www.openwall.com/john/ – JTR is a password cracker: given captured password hashes, it recovers the plaintext passwords by wordlist and brute force guessing.
5) Havij – http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/ – Havij is an advanced SQL injection tool that provides a GUI for conducting injection tests.
6) Charles Web Proxy – http://www.charlesproxy.com/ – Charles is an HTTP proxy that sits between the browser and the web application and lets you intercept and modify requests and responses in transit.
7) Tamper Data Firefox Add-On – https://addons.mozilla.org/en-us/firefox/addon/tamper-data/ – Like Charles, this tool also allows you to modify requests.
8) Skipfish – http://code.google.com/p/skipfish/ – Skipfish is a web application security vulnerability scanner that will crawl and scan an entire website for issues. It produces quite a few false positives along with legitimate findings, so its output needs manual review.
9) Firebug – https://getfirebug.com/ – This is a debugging tool for web developers but it is useful for security professionals in that you can easily see what is happening behind the scenes.
10) Websecurify – http://www.websecurify.com/ – Websecurify is an entire security environment meant for assisting in the manual testing phase.
These are only some of the tools out there for security professionals who are testing web applications. There are many more. But, they aren’t just available to the good guys. Bad guys have access to them too and are using them in attacks all the time. Let us know if we can run a security assessment for your organization using the same tools hackers do. The investment will be well worth it.
Contact us today at: ips@apconnections.net
*Use these tools at your own risk and only on websites you have permission to test.
Four Reasons Why Companies Remain Vulnerable to Cyber Attacks
May 30, 2012 — netequalizer
Over the past year, since the release of our IPS product, we have spent many hours talking to resellers and businesses regarding Internet security. Below are our observations about security investment, and more importantly, non-investment.
1) By far the number one reason why companies are vulnerable is procrastination.
Seeing is believing, and many companies have never been hacked or compromised.
To clarify: most attacks do not end with something being destroyed or an obvious trail of lifted data. That does not mean they do not happen; it is just that in many cases there was no immediate ramification, hence business as usual.
Companies are run by people, and most people are reactive and somewhat single-threaded: they can only address a few problems at a time. Without a compelling, obvious problem, security gets pushed down the list. The exception to the procrastination rule is verticals such as financial institutions, where security audits are mandatory (more on audits in a bit). Most companies, although aware of the risk factors, are reluctant to spend on a problem that has never happened. In their defense, a company that reacts to all the security FUD might find itself hamstrung and out of business. Sometimes, to be profitable, you have to live with a little risk.
2) Existing security tools are ignored.
Many security suites are just too broad to be relevant. Information overload can lead to a false sense of coverage.
The best analogy I can give is the tornado warning system used by the National Weather Service. Their warning system, although well intended, has become so unspecific that after a while people ignore the warnings. The same holds true with security tools. In order to impress and outdo one another, security tools have become bloated with quantity, not quality. The result is an overwhelming glut of frivolous information. It would be like a stock analyst predicting every possible outcome and expecting you to invest on that advice. Without a specific, targeted piece of information, your security solution becomes a distraction.
3) Security audits are mandated formalities.
In some instances, a security audit is treated as a bureaucratic mandate. When security audits are mandated as a standard, the process of the audit can become the objective. The people carrying out the process view the completed checklist as the desired result and so may not actually counter the threats that exist. It is not that the audit has no value, but the audit itself becomes the minimum objective. And most likely the audit is a broad, cookie-cutter approach that mostly serves to protect the company or individuals from blame.
4) It may just not be worth the investment.
The cost of getting hacked may be less than the ongoing fees and consumption of time required to maintain a security solution. On a mini-scale, I followed this advice on my home laptop running Windows. It was easier to reload my system every six months when I got a virus than to mess with all the security and virus protection being thrown at me and slowing my system down. The same holds true on a corporate scale. Although nobody would ever come out and admit this publicly, or make it deliberately easy, it might be more cost-effective to recover from a security breach than to proactively invest in preventing it. What if your customer records get stolen? So what? Consumers hear about the largest banks and government security agencies getting hacked every day. If you are a mid-sized business, it might be more cost-effective to invest in some damage control after the fact rather than jeopardize cash flow today.
So what is the future for security products? Well, they are not going to go away. They just need to be smarter, more cost-effective, and turn-key, and then perhaps companies will find the benefit-to-risk more acceptable.
Article reference: Security Data overload article