1. Software Development Center
Web Application Security Testing Tools
Created by: Nhuan Lai-Duc
Effective date: December 09, 2012
Version: 1.0
Template ID: Base_Template_ODP_1_0.otp

2. Document Control
Version Change description Changed by Date Approved by Date
0.1 Initiate Nhuan Lai-Duc November 29, 2012 N/A N/A
1.0 Format update Nhuan Lai-Duc December 09, 2012 Nhuan Lai-Duc December 09, 2012
Web Application Security Testing Tools 2

3. Review Record
Version Defects Type Severity Reviewed by Date
0.1 Format W Minor Nhuan Lai-Duc December 09, 2012
Types:
A – Ambiguous (something described unclearly, unintelligibly)
M – Missing (something needs to be there but is not)
W – Wrong (something is erroneous with something else)
E – Extra (something unnecessary is present)
Severity:
Fatal, Major, Minor, Cosmetic
Web Application Security Testing Tools 3

4. Agenda
 Introduction
 Top 10 most critical web app security risks
 OWASP: Open Web App Security Project
 OWASP Top 10 for 2010
 Web app security testing tools
 Use security testing tools to test your web app
 Security report for your web app
 Plan to deal with prioritized security issues
 Open issues
Web Application Security Testing Tools 4

5. Introduction
 ISO 25010: Software Quality Requirements
 ISO 25010: 3 Quality Models
 System / Software Product Quality
 Data Quality
 Quality In Use
 System / Software Product Quality
 8 characteristics
 Broken down to 31 sub-characteristics
 Security
 1 / 8 characteristics
 5 sub-characteristics
 Web app security: Guarantee system / software quality!
Web Application Security Testing Tools 5

6. Top 10 most critical web app security risks
 OWASP: The Open Web Application Security Project
Web Application Security Testing Tools 6

7. Web Application Security Testing Tools
 Each tool for each web app security risk
Web Application Security Testing Tools 7

8. Web Application Security Testing Tools
 Injection: W3AF
 Cross Site Scripting: ZAP
 Broken Authentication & Session Management: HackBar
 Insecure Direct Object References: Burp suite
 Cross Site Request Forgery: Tamper Data
 Security Misconfiguration: Watobo
 Failure to Restrict URL Access: Wikto
 Insecure Cryptographic Storage: N/A
 Insufficient Transport Later Protection: Calomel Add-on
 Unvalidated Redirects and Forwards: Watcher
Web Application Security Testing Tools 8

9. Web App Security Testing Tool: W3AF
Web Application Security Testing Tools 9

10. Web App Security Testing Tool: ZAP
Web Application Security Testing Tools 10

11. Web App Security Testing Tool: Hackbar
Web Application Security Testing Tools 11

12. Web App Security Testing Tool: Burp Suite
Web Application Security Testing Tools 12

13. Security Testing Tool: Tamper Data
Web Application Security Testing Tools 13

14. Web App Security Testing Tool: Watobo
Web Application Security Testing Tools 14

15. Web App Security Testing Tool: Wikto
Web Application Security Testing Tools 15

16. Security Testing Tool: Calomel Add-on
Web Application Security Testing Tools 16

17. Web App Security Testing Tool: Watcher
Web Application Security Testing Tools 17

18. Security Testing Tools:
Test Your Web App
 TBD
Web Application Security Testing Tools 18

19. Security Testing Tools:
Security Report For Your Web App
 TBD
Web Application Security Testing Tools 19

20. Security Testing Tools:
Plan: Deal With Prioritized Security Issues
 TBD
Web Application Security Testing Tools 20

21. Questions & Answers
?
Web Application Security Testing Tools 21

22. Thanks for your attention!
Web Application Security Testing Tools 22