The differences between the two versions of the page follow.
racfor_wiki:dinamicka_analiza_sigurnosti_aplikacija [2021/01/16 17:52] smatesic [Dynamic testing drawbacks] |
racfor_wiki:dinamicka_analiza_sigurnosti_aplikacija [2023/06/19 18:17] (current) |
---|---|---|---|
Line 3: | Line 3: | ||
===== Summary ===== | ===== Summary ===== | ||
- | Security testing is crucial to ensuring | + | Security testing is crucial to ensuring |
losses of private data and to some - loss of reputation. Costs of testing are non-negligible, | losses of private data and to some - loss of reputation. Costs of testing are non-negligible, | ||
the cost of data breaches in total is even greater. | the cost of data breaches in total is even greater. | ||
Line 39: | Line 39: | ||
===== Dynamic testing tools ===== | ===== Dynamic testing tools ===== | ||
- | Tools provide much needed automatization when it comes to security testing. Although tools provide help to testers both in dynamic and static testing scenarios, static testing has a much better use for the automatization they offer because of the potential for enormous code bases which can be daunting to analyze manually. That being said, dynamic testing also has uses for tools. Many tools exist, both open-source and commercial, which can help a tester in finding vulnerabilities. OWASP provides a list of vulnerability scanning tools aimed at web applications which they have deemed the best in the business. | + | Tools provide much needed automatization when it comes to security testing. Although tools provide help to testers both in dynamic and static testing scenarios, static testing has a much better use for the automatization they offer because of the potential for enormous code bases which can be daunting to analyze manually. That being said, dynamic testing also has uses for tools. Many tools exist, both open-source and commercial, which can help a tester in finding vulnerabilities. OWASP provides a list of vulnerability scanning tools aimed at web applications which they have deemed the best in the business |
- | The tool chosen to demonstrate what open-source dynamic security testing tools can do is OWASP ZAP. It is an open-source web scanner developed by OWASP with thourough and user-friendly documentation. In its core it is a MITM proxy. | + | The tool chosen to demonstrate what open-source dynamic security testing tools can do is OWASP ZAP. It is an open-source web scanner developed by OWASP with thourough and user-friendly documentation. In its core it is a MITM proxy [11]. |
{{: | {{: | ||
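Review bot: on the `+` side of the tools paragraph the closing period after "best in the business" is dropped and the new source [10] (OWASP, Vulnerability Scanning Tools, added to the reference list in this same revision) is not cited in the sentence, although the ZAP paragraph does get its [11] citation; suggest ending the sentence as "...which they have deemed the best in the business [10]." The spelling errors "thourough" (thorough) and "automatization" (automation) are carried over unchanged on both sides and could be fixed in the same edit.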
Line 55: | Line 55: | ||
The target URL will be http:// | The target URL will be http:// | ||
- | To start testing, simply click the Attack button. Testing takes quite a long time because of the extensive list of features the application has. | ||
- | |||
{{: | {{: | ||
+ | Scan results are shown in the image above. As the image shows, ZAP can provide information on the most common and dangerous vulnerabilities. | ||
+ | ===== Conclusion ===== | ||
+ | Even though certain drawbacks keep it from being the ultimate security testing method in all cases, dynamic testing still presents a valuable method of testing in most cases, and even the best in some scenarios. To utilize its potential to the fullest, a combination of manual testing and automated tool-based testing is recommended. | ||
+ | Many very good tools exist, some of which are open source, so that even the penetration-testing enthusiasts can test their applications to improve upon their development. Other, commercial tools, serve to improve professional testing quality and reduce costs which can help mitigate a lot of threats to data security which are present because testing bears a greater price than many would accept. | ||
+ | To make sure a system is secure in a broader set of scenarios, a hybrid method should be used - a combination of dynamic and static testing. | ||
+ | This would allow for a tester to assess the full security profile of a system. | ||
+ | |||
- | + | ===== Sources | |
- | + | ||
- | + | ||
- | ===== Zaključak ===== | + | |
- | + | ||
- | Even though certain drawbacks keep it from being the ultimate security testing method in all cases, dynamic testing still presents a valuable method of testing in most cases, and even the best in some scenarios. To utilize its potential to the fullest, a combination of manual testing and automated tool-based testing is recommended. Many very good tools exist, some of which are open source, so that even the penetration-testing enthusiasts can test their applications to improve upon their development. Other, commercial tools, serve to improve professional testing quality and reduce costs which can help mitigate a lot of threats to data security which are present because testing bears a greater price than many would accept. | + | |
- | + | ||
- | ===== Literatura | + | |
[1] IBM, Cost of a Data Breach Study Report highlights, https:// | [1] IBM, Cost of a Data Breach Study Report highlights, https:// | ||
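Review bot: the revision removes the sentence stating that the scan is started with the Attack button and that it takes a long time (the `-` line directly after the target URL) without replacing it, so the new text jumps from the target URL straight to "Scan results are shown in the image above" with no step that says how the scan was launched; suggest keeping a one-line version of the removed sentence before the image. In the re-split Conclusion the added hybrid-testing sentences ("a combination of dynamic and static testing") fill a gap the old text had; two minor points: "the penetration-testing enthusiasts" reads better as "penetration-testing enthusiasts", and the new Sources heading is shown without its closing "=====" in the diff, so check that the heading markup survived the rename from Literatura.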
Line 87: | Line 85: | ||
[9] HDivSecurity, | [9] HDivSecurity, | ||
+ | |||
+ | [10] OWASP, Vulnerability Scanning Tools, https:// | ||
+ | |||
+ | [11] OWASP ZAP, Documentation, |
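Review bot: the new [11] entry "OWASP ZAP, Documentation," stops at the comma with no URL, while [10] and the earlier entries carry a link; since the ZAP paragraph in this revision now cites [11], add the documentation URL so the reference can actually be followed.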