Application Security Project


Web applications are a common attack vector and many companies are keen to address this threat. Due to their nature, web applications are located in the extranet and can be exploited by malicious attackers from outside of your corporate network.  I managed a project which reduced the risk of the company’s systems being compromised through application level flaws. It improved the security of internet facing applications by:

  • Fixed over 30,000 application level flaws (e.g. cross-site scripting, SQL injection, etc) across 100+ applications.
  • Introduced a new testing approach to build secure coding practices into the software development life cycle and to use static and dynamic scanning tools.
  • Embedded continuous application testing capabilities.
  • Helped raise awareness of application security issues within internal development teams and third parties.
  • Prompted the decommissioning of legacy applications.

Image courtesy Danilo Rizzuti /

Risk management and compliance tools

Citicus MOCA – iPhone/iPad tool that enables you to complete a criticality assessment in minutes, anywhere, anytime, using a highly-respected technique that has been successfully applied to many thousands of assessments over the last decade.  In essence, this highlights the maximum credible loss to your organisation if the worst happens to an asset (e.g. theft, fire, flood, malfunction).

Control Systems Security Program (CSSP) – free tool that provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.

If you struggle to comply with HIPAA, the NIST HIPAA Security Toolkit Application can help you better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess implementations in operational environment.

Penetration Tester’s Toolkit

BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. The manuals section provides you with simple information in order to get up and running with Back|Track and help with some additional features unique to the suite.

Nmap –free open source tool for network analysis and security audits.

Typical use:
nmap -A -T4 localhost
-A to identify operating system, trace and scan with scripts
-T4 configure time parameters (scale 0 to 5, higher the number – higher the speed)
localhost — target host

You can use “slow comprehensive scan” to get more detailed information pertaining target system
nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO –script all localhost

For more information please refer to Nmap Reference Guide

Hydra is a flexible and fast password auditing tool which supports numerous protocols and parallelization.

Nikto – Open Source (GPL) web-scanner. This tool can help you find undeleted scripts (such as test.php, index_.php, etc), database administration utilities ((/phpmyadmin/, /pma, etc) and many more typical errors on target website.

To use simply start with:
/ -host localhost

Acunetix – very easy to use web vulnerability scanner. Free version still has great functionality and can help checking web applications for SQL Injection, XSS & other web vulnerabilities

Nessus – very powerful free for home use web-scanner, which helps security auditors identify available running services on target system, check for potential security misconfiguration and many more

To test identified vulnerabilities you can use Metasploit Framework or try to find exploit (on explot searchExplot-db, etc.) and use it manually on your system

The Metasploit Framework helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments./

It is possible to use Nmap to analyze ports, identify services and Metasploit to exploit vulnerabilities depending on service (ssh, ftp, etc.)

Armitage – tool that can help you test network for vulnerabilities. Basically, it is a GUI for Metasploit Framework and Nmap. It visualizes targets, collects data and makes whole process of penetration testing easier

And to test all of these for those of you, who interested in vulnerability analysis, reverse engineering, debugging,, exploit development and privilege escalation, you can refer to Linux hacking challenges. This project has several virtual machines, exercises and manuals to help you improve your skills.

Here are some additional TOP lists of tools for penetration testing

Top 100 Network Security Tools
Top 10 Web Vulnerability Scanners
Top 10 Vulnerability Scanners
OWASP Top 10 Tools and Tactics
Web-based Application Security Scanners
Web Application Security Scanner List by WebAppSec

Information systems auditing


Information systems audit do’s:

1. The main goal of an audit is not to find weak controls or policy violations, but to help a company mitigate its risks and achieve compliance.
2. Remember that an audit strengthens a discipline within a company.
3. An auditor is responsible for making sure that risks in weak areas don’t materialize, so he makes appropriate observations and comments.
4. Beware of flattery and concealment.
5. Replace opinions with facts and evidences.
6. Invest in improving communication skills.
7. When you finish interviewing someone, always give them a brief summary of the current situation (e.g. your observations: good and/or bad) if possible.
8. Do not add any photo/video materials or document copies to your final report.
9. Create good report templates in advance.

Information systems audit don’ts:

1. Don’t criticize.
2. Don’t argue.
3. Don’t use professional or specialized jargon.
4. Don’t say that you understand if you actually don’t.
5. Don’t try to guess.
6. Don’t use tests that can potentially cause incidents.
7. Don’t write only negative observations in your final report.

Image courtesy of Michal Marcol /