The automated-testing tag has no wiki summary.
4 votes | 4 answers | 134 views
Could a computer program be used to automate testing for trapdoors?
Could a computer program given the source or object version of another program be used to automate testing for trapdoors/backdoors?
7 votes | 2 answers | 102 views
How to mitigate the risk of a continuous integration service security breach?
We are using a Continuous Integration service to automatically run our product test suite. Every time we push code to our central Git repository production branch, the CI service is notified and ...
2 votes | 2 answers | 350 views
Security testing plan template or example
What does a security testing plan look like?
Can anyone point out a template for such a document or an example?
3 votes | 1 answer | 171 views
How to determine which security testing method to use if resources are limited
My resources are limited, and thus I am wondering what methodology I can apply to know where black box testing is the best fit and where white box testing is the best fit. Or even where pen testing is better ...
10 votes | 4 answers | 1k views
Legitimately using tools like Havij
I'm a developer, not a security guru. My primary focus is ensuring that I'm not introducing security holes through bad programming. I understand how to code to protect against the OWASP Top 10, as ...
4 votes | 3 answers | 193 views
How to rate Open Source Libraries?
Is there some kind of automated scanning tool which detects threats in Open Source Java Libraries?
I think the OWASP Orizon project tried to build such a tool, but it seems to be inactive for years ...
2 votes | 1 answer | 196 views
Can fuzzing be considered a software testing technique for any vulnerability type
I'm doing research on fuzzing and I would like to know the answer to the question in the title. cvedetails uses the following categories for vulnerabilities:
Bypass a restriction or similar
...
3 votes | 2 answers | 75 views
Automated browser-level countermeasures to look-alike login pages
For example, say an unsuspecting visitor gets a link security.stackexchange.com/.... Then it re-opens the login page, with or without an explanation as to why they have to log in again. (this is more ...
6 votes | 5 answers | 621 views
Websites that interactively test browser security (XSS, CSRF, Javascript, etc)
I'm looking for a comprehensive list of browser test sites so that I can visually prove that the browser is patched and configured for safe web browsing. My intent is to know what risks may exist ...
6 votes | 1 answer | 207 views
How many iterations of fuzzing is enough?
Fuzzing is a convenient, relatively low-cost way to detect some kinds of vulnerabilities, particularly in C/C++ code.
My question: How much fuzzing is enough? Are there any standards or best ...
4 votes | 1 answer | 98 views
testing for 'Dangling Cursor'
While reading the updated Top 25 exploits in the Common Weakness Enumeration I came across an exploit that I was not familiar with. It is numbered CWE-619: Dangling Database Cursor.
I was wondering ...
7 votes | 1 answer | 325 views
What evaluation criteria would you use for an Oracle scanning tool?
What evaluation criteria would you use to select the right Oracle scanning tool?
Context:
To deploy an automated scanning tool (nessus / SQuirreL etc) for use by both development teams and security ...
5 votes | 6 answers | 466 views
Fortify360 - Sinks & Sources - Vulnerability count
In an application security environment, I use Fortify Software's Fortify360 on a daily basis.
One of my biggest hurdles is explaining the numbers (sources vs. sinks).
Fortify flags each location in ...
5 votes | 4 answers | 420 views
Benefits of secure code review in-IDE vs. fatapp vs. webapp
For those of you who have worked with commercial secure code review tools such as:
Klocwork
Coverity
Armorize
Fortify
Checkmarx
Appscan Source Edition (formerly Ounce)
Or perhaps a free or ...
6 votes | 5 answers | 581 views
Automated tools vs. Manual reviews
What are the advantages of using automated tools, as opposed to manual review? What are the disadvantages?
This applies both to external blackbox vulnerability scanning, and to static code analysis.
...