We have been creating business-class web applications since the late 1990s. The profession and the environment of being a web “programmer” have dramatically changed since the early days of the web. Not only have the available languages, techniques, tools and business needs changed, but so has the environment a public-facing website has to handle. One major area of change is that of website security.
These days, every software engineer and web developer must have security on their minds with every line of code they type. “Don’t trust any input”, “validate every piece of every request”, “use an abstracted, secure framework/architecture for all data coming from the client”, etc. are all things the secure coding world touts. (You can learn more at OWASP.) Learning the ins and outs of secure coding is one thing, but ensuring your techniques are effective is another. So, how do you know if you have plugged all the holes in your website’s code? Fortunately, there are scanning tools available to us all that allow you to test your site’s code and your network architecture.
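To make the “don’t trust any input” and “use an abstracted, secure framework for all data coming from the client” advice concrete, here is an added example (not code from the original post) in Python with the standard-library sqlite3 module. It puts a vulnerable string-concatenated query beside the hardened version, which combines allow-list validation of the request value with a parameterised query. The table, rows and the `lookup_user_*` function names are constructed for the demonstration; the hostile value is the textbook tautology that a scanner such as SQLmap sends to detect injection.

```python
import re
import sqlite3

# Constructed in-memory sample database (not part of the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


# Allow-list pattern for a username: letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value):
    """Reject anything that does not look like a plausible username."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def lookup_user_vulnerable(conn, username):
    """Vulnerable: the request value is spliced into the SQL text itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_parameterised(conn, username):
    """Hardened query: the driver sends the value separately from the SQL text,
    so the value can never change the structure of the statement."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def handle_request(conn, username):
    """What a request handler should do: validate first, then use the
    parameterised query. Validation is the outer layer, parameterisation the
    inner one; either alone stops this payload, together they are defence in depth."""
    validate_username(username)
    return lookup_user_parameterised(conn, username)


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"          # constructed injection probe
    print("vulnerable:", lookup_user_vulnerable(db, hostile))   # every user leaks
    print("parameterised:", lookup_user_parameterised(db, hostile))  # []
    try:
        handle_request(db, hostile)
    except ValueError as exc:
        print("validated handler:", exc)
```

The vulnerable function returns every user for the hostile value because the quotes in the value close the string literal and turn the WHERE clause into a tautology; the parameterised version treats the same bytes as an ordinary (non-matching) username, and the validated handler rejects the request before it reaches the database at all. A scanner run against a test system will exercise exactly this difference.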
These tools are a useful part of securing your systems, because attackers use these same kinds of tools. You have to plug ALL the holes, but the attackers just have to find the one you missed (it’s not easy being the “good guy”). One important thing to note is that these tools can (and probably will) do damage to your systems (at least to the data). As a result, it is best to run them against a test system and not your production system. These tools will act like a herd of end users banging away at your site. This means they will be creating logins and filling out forms (sending “contact us” emails, submitting job applications, etc.).
Keep in mind that using these tools is one thing, but using them properly with appropriate penetration testing techniques and protocols is another. The topic of HOW to go about proper pen testing is for another day. Here, we are simply highlighting the tools.
- OWASP ZAP (Zed Attack Proxy) is the web application pen test tool from the nonprofit OWASP, the Open Web Application Security Project. ZAP offers automated and manual web application scanning in order to serve both the novice and the established professional pen tester. ZAP is an open source tool now available on GitHub.
- SQLmap automates the discovery of SQL Injection holes. It then exploits those vulnerabilities and takes complete control of databases and underlying servers.
- Metasploit is a framework with a large community of contributing programmers who add custom modules: test tools that probe for weaknesses in operating systems and applications. People release these custom modules on GitHub and Bitbucket.
- Nessus Vulnerability Scanner is a popular, signature-based tool for locating vulnerabilities. Nessus only compares scans to a database of known vulnerability signatures.
- Burp Suite is another popular web application pen test tool. According to its vendor, PortSwigger, it maps and analyzes web applications, finding and exploiting vulnerabilities.
- Kali Linux is an all-in-one tool comprising a suite of dedicated, pre-installed penetration testing (and security and forensics) tools. Kali Linux supposedly has tools for people who have no knowledge of security.
- Nmap network scanner is a bit different from the rest in that it is focused on the network, not the website code. Nmap enables pen testers to determine the types of computers, servers, and hardware the enterprise has on its network. The fact that these machines are identifiable via these external probes is in itself a vulnerability. Attackers use this information to lay the groundwork for attacks.
We like OWASP ZAP for our first pass at testing our secure coding. Not only is it free, but it is produced by the foremost authority in web security, the OWASP group.