Using automated web application security testing tools for developers - Best practice or exception?


tho...@duebendorfer.ch

Mar 9, 2019, 4:46:00 AM
to Switzerland chapter
Dear OWASP readers

While unit testing frameworks have become best practice for web application software developers, it seems that continuous security testing is rather the exception than the norm. Despite the fact that many complex types of web application vulnerabilities are known, and despite very powerful web programming frameworks being available, many vulnerabilities still slip by unnoticed into productive systems.

I'd like to learn:
1) If you currently use web application security testing tools during the development process, which ones, and how they proved useful in your case.
2) If you don't use any security testing tools, I'd like to understand why not.

Thanks for sending your comments. If you prefer not to respond to this semi-public list, you can also write me privately at tho...@duebendorfer.ch.

Best Regards,

Thomas

P.S.:
For those who don't know me: I'm the past president of the Information Security Society Switzerland (ISSS), a former tech lead and software engineer at Google in Zürich, since 2013 mostly active as an entrepreneur and angel investor in software startups, and currently the president of the Swiss ICT Investor Club (SICTIC), which invested in about 40 startups in the year 2018, some of which were in the field of cyber security.

Antonio Kulhanek

Mar 20, 2019, 3:08:59 AM
to Switzerland chapter
Hello Thomas

I can judge this from the point of view of a penetration tester. We use Burp Suite Pro, a powerful tool for automated testing of web applications.
Whether it is also suitable for developers? I think so, because it is relatively easy to use and explains findings in a comprehensible way.
Burp Suite Enterprise also needs to be looked at more closely, because it offers even more automation possibilities.
For any questions, please do not hesitate to contact me.

Greetings
Toni

Translated with www.DeepL.com/Translator

Sven Vetsch

Mar 22, 2019, 10:38:57 AM
to Switzerland chapter
Hi Thomas

I've got two views on this.

From a penetration testing view:
Our security testing team uses a wide variety of tools. Burp Suite Pro is definitely among the most used when it comes to web security, as it includes a lot of "sub-tools" that work well together and allow for semi-automated testing. Depending on the specific application and project scope, we also use other tools and scripts (OSS and proprietary) that match, e.g., the technology stack.

From a secure development consulting view:
In our secure development training courses, I would say around one in twenty developers has already used tools like OWASP ZAP, Burp Suite, or any other kind of specific security tool. On the other hand, more and more companies integrate security tools into their CI/CD pipelines (yep, we're mainly talking DevSecOps environments here). Most companies that have such initiatives integrate either static source code analysis to identify coding mistakes/vulnerabilities, or tools to identify outdated/vulnerable libraries.

So in short: developers themselves don't normally use any kind of security tools on their own, but the security team injects security into their existing pipelines.

In my opinion this makes total sense, as I don't see how all developers would find the time to regularly perform tests with ZAP or Burp. What can make sense is to have developers with the additional role of a security champion, who definitely should get dedicated time to have a look at security aspects and leverage the available tools.

As I'm currently (and have been in past years) supporting clients on how to integrate security into their development cycle and pipelines, please don't hesitate to let me know if you (and maybe others) would like to grab a drink in Zurich sometime to exchange thoughts on this interesting and important topic.

Regards
Sven
