Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
Consultant
2015-07-07T11:26:02Z
Jul 7, 2015
It depends.
Let me explain. If you are looking to find SQL injection, header injection, directory listing, shell injection, cross site scripting and file inclusion? Or are you looking for file disclosure, inclusion, cross site scripting, CED, CRLF injection, sel injection, xpath injection, weak .htaccess or backup files disclosure?
Also, proxy check is very important. I use several software since I deal with healthcare Apps. So, I don't think one program does it all but if you have the time to do a "cook off" I can recommend the following software:
Some of them do the same are repetitive but I think these are the best open source web application security testing tools.
If you want to start penetration testing, I will recommend using Linux distributions which have been created for penetration testing. These environments are backtrack, gnacktrack, backbox and blackbuntu. All these tools come with various free and opensource tools for website penetration testing. So, you can go with those environments.
I wrote my own solution. Securis. It is customized for healthcare federal regulations only. Let me know if I can help.
Search for a product comparison in Application Security Testing (AST)
Sr. Adviseur Bedrijfsvoering ICT (Sr. Business Consultant ICT) at a government with 1,001-5,000 employees
Vendor
2015-07-12T11:31:30Z
Jul 12, 2015
We have been looking for a good solution too and still haven't decided yet. But you might benefit from our aproach:
- we didn't rule out closed source from the start. Security is too important to simply ignore that category. There are some good tools available but they come at a cost... (we are considering the folowing candidates: HP Fortify SCA, Acunetix, Netsparker)
- don't look for THE TOOL to do everything but look at the different security aspects to cover. (We differentiate between Dynamic and Static Application Security Testing. Dynamic Application Security Testing is testing the application from the outside it, looking at the application in its running state. Whereas Static Application Security Testing is looking at the sourcecode the application is made of.)
Use comparison material from internet: we use among others Gartners Magic Quadrant reports (securityintelligence.com).
The answers provide by others are all fine answers regarding open source and in our research until now we (also) have identified OWASP's Zed Attack Proxy as the prime open source candidate.
If you are looking for Web application security testing then I would recommend- OWASP-ZAP(Open Source) and Burp Suite(Licensed with cost as low as 299$ per yr.)
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
Technology Program Manager at a non-tech company with 51-200 employees
Vendor
2015-07-07T11:17:56Z
Jul 7, 2015
As you have not indicated what langue the development is done in nor what specific concerns you have, I can only offer a more general recommendation. Start with Owasp. Here is a link to their site:
www.owasp.org
They have many decent open source tools for validating various aspects of web security. In addition, they have the top 10, which outlines the most prevalent risks found/exploited currently. Fixing those goes a long way towards imporiving your web security.
Application Security Testing (AST) solutions are used to identify and fix security vulnerabilities in software applications. They can be used at all stages of the software development lifecycle, from development to testing to deployment.
It depends.
Let me explain. If you are looking to find SQL injection, header injection, directory listing, shell injection, cross site scripting and file inclusion? Or are you looking for file disclosure, inclusion, cross site scripting, CED, CRLF injection, sel injection, xpath injection, weak .htaccess or backup files disclosure?
Also, proxy check is very important. I use several software since I deal with healthcare Apps. So, I don't think one program does it all but if you have the time to do a "cook off" I can recommend the following software:
Grabber
Vega
Zed Attack Proxy
Wapiti (Only Win 32bit)
W3af
WebScarab
Skipfish
Ratproxy
SQLMap
Wfuzz
Grendel-Scan
Watcher
X5S
Arachni
Some of them do the same are repetitive but I think these are the best open source web application security testing tools.
If you want to start penetration testing, I will recommend using Linux distributions which have been created for penetration testing. These environments are backtrack, gnacktrack, backbox and blackbuntu. All these tools come with various free and opensource tools for website penetration testing. So, you can go with those environments.
I wrote my own solution. Securis. It is customized for healthcare federal regulations only. Let me know if I can help.
We have been looking for a good solution too and still haven't decided yet. But you might benefit from our aproach:
- we didn't rule out closed source from the start. Security is too important to simply ignore that category. There are some good tools available but they come at a cost... (we are considering the folowing candidates: HP Fortify SCA, Acunetix, Netsparker)
- don't look for THE TOOL to do everything but look at the different security aspects to cover. (We differentiate between Dynamic and Static Application Security Testing. Dynamic Application Security Testing is testing the application from the outside it, looking at the application in its running state. Whereas Static Application Security Testing is looking at the sourcecode the application is made of.)
Use comparison material from internet: we use among others Gartners Magic Quadrant reports (securityintelligence.com).
The answers provide by others are all fine answers regarding open source and in our research until now we (also) have identified OWASP's Zed Attack Proxy as the prime open source candidate.
ZAP for sure. Maintained by Mozilla.
also
www.gallop.net
FYI
vanets.vuse.vanderbilt.edu
w3af only
If you are looking for Web application security testing then I would recommend- OWASP-ZAP(Open Source) and Burp Suite(Licensed with cost as low as 299$ per yr.)
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
As you have not indicated what langue the development is done in nor what specific concerns you have, I can only offer a more general recommendation. Start with Owasp. Here is a link to their site:
www.owasp.org
They have many decent open source tools for validating various aspects of web security. In addition, they have the top 10, which outlines the most prevalent risks found/exploited currently. Fixing those goes a long way towards imporiving your web security.