group-icon
Hacker's Arena
Knowledge base and discussions group for Security enthusiasts
116 Members
Join this group to post and comment.
Radhika Deshpande
Radhika Deshpande
Computer Science
04 Jan 2019

Data Security Testing Scanner?


Web Application testing was very new in the era of  static websites. Today’s web applications are complex and extensive in terms of functionality. The job of QA engineers and software testers often includes the testing of web applications and web APIs, not just desktop and server software.


Hacks and data leaks have become the order of the day. The main reason for this is a lack of web applications and web API security testing. But, it is no longer acceptable for QA engineers not to know how to test for, and recognize, SQL Injections and cross-site scripting vulnerabilities. 


So, scanners are required to do something on identifying a vulnerability, what in your opinion are the options for scanners used for data security testing? 

Naveen Sunil
Naveen Sunil
Information Technology
3mos ago

Today a lot of research is going on in this area. As you see web apps grow is number and size everyday, the vulnerability scale also keeps raising no matter what QA it undergoes. Like you said QA team should know to test and identify XSS or SQLi, since these two are the most common and also dangerous bugs and probably many of us would have heard or know about this. XSS is the highest found bug on any Bug Bounty program. SQLi, CSFR and others follow.

Many developers create tools that scan for vulnerability in an application of which some work and others don't. Tools which work might return false positive vulnerable points at times. And this is the reason why our Indian government itself has asked for a web app which checks for all OWASP top 10 web app vulns (a problem statement by Ministry of External affairs in Smart India Hackathon 2019).

Now answering your question. There are definitely standardized tools which are free or paid or open source and these tools are often used by the Security team and I haven't seen QA or testers using it generally. Tools like Burpsuite, Zap, SQLmap are very famous open source tools. Other tools like Netsparker, Acunetix are paid softwares. AppScan by IBM is famous and costly at same time and so companies are ones who buy these tools.

There are several other FOSSA tools like Nmap, Nikto, Dirbuster, etc.. These tools can help in auditing security measures already in place. All these tools require certain level of knowledge to use them. This is the reason why we have a separate Security team in companies and other place where they work on important projects.

If you have heard or know about Linux distribution for Penetration Testing, Kali Linux is one among them and it is the most famous and highly used OS by security experts and also my favorite. The Kali linux pack 600+ tools for security audits, forensics, testing. This link contains all tools listing in Kali linux (Kali Linux Tools Listing)