I agree with those who have encouraged you to look to an outside pen testing firm, if you want the best results now.
That said, one of the best all-around web app pen testing tools I have used is Burp Suite (portswigger.net). There is a free version that gives you most of the functionality, but investing $400 in the Pro version, which adds a vulnerability scanner and the ability to save state, is well worth it.
In addition, you should become very familiar with the OWASP organization (owasp.org), and the information/tools they make available for web app security. The Cheat Sheets and the Testing Guides can be very helpful, if you know how to use them.
Finally, if you are determined to build up your own application security team, then you should consider hiring some folks with extensive application security experience as well as a background in software development. There is more to application security than security testing. Static security code analysis and threat modeling are just two of the other areas you should be thinking about.
HP has a security assessment tool called Webinspect, but it not free and I wouldn't recommend it. Either my company doesn't know how to use it, or the tool has no consistency in finding vulnerabilities.
You're better off hiring an actual pen-testing contracting agency to look for vulnerabilities in your site. Sure, you could run automated scanners, but they can only do so much. You'll probably waste more money and resources attempting to learn and implement proper pen testing then you would just hiring someone else to do it.
The fact that you're asking this question means that you are not qualified to give the kind of confidence or complete coverage a commercial application would need before launch.
Burpsuite is an amazing tool for web application testing.
I do agree with hiring an outside team however, but if your company cannot/will-not, put a weekend into getting familiar with BurpSuite and you will undoubtedly find some bugs.
发布评论
评论(5)
如果您现在想要最好的结果,我同意那些鼓励您寻找外部笔测试公司的人的观点。
也就是说,我用过的最好的全能 Web 应用笔测试工具之一是 Burp Suite (portswigger.net)。有一个免费版本可以为您提供大部分功能,但投资 400 美元购买专业版是非常值得的,该版本增加了漏洞扫描器和保存状态的功能。
此外,您应该非常熟悉 OWASP 组织 (owasp.org) 以及他们为 Web 应用程序安全提供的信息/工具。如果您知道如何使用备忘单和测试指南,它们会非常有帮助。
最后,如果您决定建立自己的应用程序安全团队,那么您应该考虑雇用一些具有丰富应用程序安全经验以及软件开发背景的人员。应用程序安全性不仅仅是安全测试。静态安全代码分析和威胁建模只是您应该考虑的其他两个领域。
I agree with those who have encouraged you to look to an outside pen testing firm, if you want the best results now.
That said, one of the best all-around web app pen testing tools I have used is Burp Suite (portswigger.net). There is a free version that gives you most of the functionality, but investing $400 in the Pro version, which adds a vulnerability scanner and the ability to save state, is well worth it.
In addition, you should become very familiar with the OWASP organization (owasp.org), and the information/tools they make available for web app security. The Cheat Sheets and the Testing Guides can be very helpful, if you know how to use them.
Finally, if you are determined to build up your own application security team, then you should consider hiring some folks with extensive application security experience as well as a background in software development. There is more to application security than security testing. Static security code analysis and threat modeling are just two of the other areas you should be thinking about.
惠普有一个名为 Webinspect 的安全评估工具,但它不是免费的,我不推荐它。要么我的公司不知道如何使用它,要么该工具在查找漏洞方面没有一致性。
HP has a security assessment tool called Webinspect, but it not free and I wouldn't recommend it. Either my company doesn't know how to use it, or the tool has no consistency in finding vulnerabilities.
您最好聘请一家实际的笔测试承包机构来寻找您网站中的漏洞。当然,您可以运行自动扫描仪,但它们只能做这么多。您可能会浪费更多的金钱和资源来尝试学习和实施适当的笔测试,然后您就雇用其他人来完成它。
事实上,您提出这个问题意味着您没有资格提供商业应用程序在启动之前所需的信心或完整覆盖范围。
You're better off hiring an actual pen-testing contracting agency to look for vulnerabilities in your site. Sure, you could run automated scanners, but they can only do so much. You'll probably waste more money and resources attempting to learn and implement proper pen testing then you would just hiring someone else to do it.
The fact that you're asking this question means that you are not qualified to give the kind of confidence or complete coverage a commercial application would need before launch.
您可以使用 AppScan,但它不是免费的。
You can use AppScan, but its not free.
Burpsuite 是一个令人惊叹的 Web 应用程序测试工具。
不过,我确实同意雇用外部团队,但如果您的公司不能/不愿意,花一个周末来熟悉 BurpSuite,您无疑会发现一些错误。
Burpsuite is an amazing tool for web application testing.
I do agree with hiring an outside team however, but if your company cannot/will-not, put a weekend into getting familiar with BurpSuite and you will undoubtedly find some bugs.