Some tools for cybersecurity testing

We perform security testing to ensure that data within any information system remains secure and is not accessible to unauthorized users.

Security testing helps protect systems and applications from threats: it detects glitches, errors and other inefficiencies, and prevents these applications from crashing or no longer working as expected.

The main objectives of security testing implementation are:

  • Help improve product safety and lifespan.
  • Identify and fix various security issues in the early stage of development.
  • Assess the stability of the product in its current state.

It would be a mistake, however, to run these tests only in the production phase, since they help discover loopholes and failures in an application from the development stage onwards. To begin with, it is very important to determine whether the code has been written correctly. To do this, we use different tools that evaluate the code and provide feedback on its status. For example:

SONARQUBE

SonarQube is an open source security testing tool. It performs static analysis of the code, which is very useful for verifying its quality.

In addition, it is one of those that we study in our Master in Cybersecurity Management, Ethical Hacking and Offensive Security, specifically in the subject “Security in software development”.

This tool is capable of exposing existing vulnerabilities in the code, which could lead to future security incidents.

One of its advantages is that it supports more than 20 programming languages. Each of them has a set of rules for detecting general problems or problems specific to that language. It also integrates easily with tools such as Jenkins and classifies issues by risk level, among other features.
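
As an added illustration (not part of the original article and not SonarQube's own code), the following Python script shows how a CI job such as a Jenkins stage could use that risk classification to stop a build early in development. It assumes the issue list has already been fetched as JSON from SonarQube's api/issues/search web API with its type, severity and status fields; the sample data and the rank() and gate() helpers are constructed for this example.

```python
import json
import sys
from collections import Counter

# SonarQube's classic severity scale, lowest to highest risk.
SEVERITIES = ["INFO", "MINOR", "MAJOR", "CRITICAL", "BLOCKER"]
CLOSED_STATUSES = {"RESOLVED", "CLOSED"}

# Constructed sample shaped like an api/issues/search response; the project
# and file names are made up for this example.
SAMPLE = json.dumps({"issues": [
    {"key": "a1", "type": "VULNERABILITY", "severity": "BLOCKER",
     "status": "OPEN", "component": "shop:src/orders.py", "line": 42},
    {"key": "a2", "type": "VULNERABILITY", "severity": "MAJOR",
     "status": "OPEN", "component": "shop:src/auth.py", "line": 17},
    {"key": "a3", "type": "CODE_SMELL", "severity": "CRITICAL",
     "status": "OPEN", "component": "shop:src/cart.py", "line": 8},
    {"key": "a4", "type": "VULNERABILITY", "severity": "CRITICAL",
     "status": "RESOLVED", "component": "shop:src/config.py", "line": 3},
]})


def rank(severity):
    # Unknown severities rank above BLOCKER so the gate fails closed.
    return SEVERITIES.index(severity) if severity in SEVERITIES else len(SEVERITIES)


def gate(response_text, threshold="CRITICAL", types=("VULNERABILITY",)):
    """Return (passed, blocking_issues, open_counts_by_severity)."""
    minimum = SEVERITIES.index(threshold)  # ValueError on a bad threshold
    counts, blocking = Counter(), []
    for issue in json.loads(response_text).get("issues", []):
        if issue.get("type") not in types or issue.get("status") in CLOSED_STATUSES:
            continue  # not a security finding, or already dealt with
        severity = issue.get("severity", "UNKNOWN")
        counts[severity] += 1
        if rank(severity) >= minimum:
            blocking.append(issue)
    blocking.sort(key=lambda i: rank(i.get("severity", "UNKNOWN")), reverse=True)
    return not blocking, blocking, dict(counts)


if __name__ == "__main__":
    passed, blocking, counts = gate(SAMPLE)
    print("open security issues by severity:", counts)
    for i in blocking:
        print(f"BLOCKING {i['severity']} {i['component']}:{i['line']} ({i['key']})")
    sys.exit(0 if passed else 1)  # a non-zero exit code fails the CI stage
```

Lowering the threshold to MAJOR makes the gate stricter; resolved issues and non-security issue types never block the build.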

WAPITI

If our intention is to know the existing vulnerabilities in an application or web page, we can use tools like Wapiti.

It is free and open source, and it looks for possible vulnerabilities using a black-box approach: the tool only scans the web page, not its source code. It is considered very useful in the initial phases of penetration testing and is also easy to use.

Wapiti is capable of detecting the following vulnerabilities:

  • Database Injection (PHP/ASP/JSP SQL Injections and XPath Injections)
  • Cross Site Scripting (XSS) 
  • File disclosure detection 
  • Command Execution detection
  • XXE (XML External Entity) injection
  • CRLF Injection

How is it installed? 

If we are working on our Kali machine or any Debian- or Ubuntu-based system, we can use the following command:

sudo apt install wapiti

SQLMap

SQLMap is a tool that helps us test and automate the process of detecting and exploiting SQL injections.

It supports a wide variety of database engines, such as MySQL, Oracle, PostgreSQL, Microsoft SQL Server, SQLite, etc., which makes it possible to test many characteristics specific to each of them and to check their security.

Once the tool has detected the vulnerabilities and the code injections that can be performed, the user can choose from a variety of options to carry out the penetration test: retrieve the user and database, list users, password hashes, privileges and databases, dump entire or user-specified tables/columns, and more.

Do you want to know what other tools we can use to audit and test our code or application?

Take our cybersecurity master's degree and you will become a real expert!
