Web application security testing

Question

We are developing a web application using Spring framework and Hibernate ORM. As far as application security is concerned we are using acegi to provide authentication and authorization support.

Now about user input sanitation, we have tried to take take care about attacks like XSS and sql injections. We have tried to use as much as prepared statements and hibernate criteria for database updates and queries. Inputs are sanitized for javascript also.

For testing these we have tried to use tools like Firebug, Tamper IEand Fiddler2 etc.

We have also used tools like Watch Mouse to do vulnerability tests.

What are the other tools available for web application security and what are the things to be considered before starting a web applications security testing.

Thanks you

Answer 1

HP has a security assessment tool called Webinspect, but it not free and I wouldn't recommend it. Either my company doesn't know how to use it, or the tool has no consistency in finding vulnerabilities.

Answer 2

You're better off hiring an actual pen-testing contracting agency to look for vulnerabilities in your site. Sure, you could run automated scanners, but they can only do so much. You'll probably waste more money and resources attempting to learn and implement proper pen testing then you would just hiring someone else to do it.

The fact that you're asking this question means that you are not qualified to give the kind of confidence or complete coverage a commercial application would need before launch.

Answer 3

Burpsuite is an amazing tool for web application testing.

I do agree with hiring an outside team however, but if your company cannot/will-not, put a weekend into getting familiar with BurpSuite and you will undoubtedly find some bugs.

Answer 4

You can use AppScan, but its not free.

Answer 5

I agree with those who have encouraged you to look to an outside pen testing firm, if you want the best results now.

That said, one of the best all-around web app pen testing tools I have used is Burp Suite (portswigger.net). There is a free version that gives you most of the functionality, but investing $400 in the Pro version, which adds a vulnerability scanner and the ability to save state, is well worth it.

In addition, you should become very familiar with the OWASP organization (owasp.org), and the information/tools they make available for web app security. The Cheat Sheets and the Testing Guides can be very helpful, if you know how to use them.

Finally, if you are determined to build up your own application security team, then you should consider hiring some folks with extensive application security experience as well as a background in software development. There is more to application security than security testing. Static security code analysis and threat modeling are just two of the other areas you should be thinking about.