Finding and fixing security vulnerabilities

By Hernan Amaya – Java Developer at Santex

One of the main pillars of the Information Technology industry is security. Can you imagine what software would be like without security? Everyone could access privileged information everywhere, causing potentially precarious situations. It’s obvious that everybody who owns software wants it to be secure against cyber attacks. Developers are always concerned about designing and implementing software that is protected. Yet, no matter what tools or knowledge are at our disposal, no one can be certain that his or her development is 100% secure. That is why, once a piece of software is stable, it is good to determine whether it has any security vulnerabilities. Luckily, nowadays it is possible to use security vulnerability scanners for this purpose.

At Santex, we scanned https://demo.testfire.net (a web application available for this purpose). We used AppScan from IBM in its desktop and web versions. We also used several free and open source tools, such as OpenVAS, Vega and Zed Attack Proxy (ZAP).

Each tool is simple to use and reports the vulnerabilities it detects once the analysis finishes. The steps to run a scan for a web application are:

  1. Select the URL.
  2. Start the scan with the default configuration.

Once the analysis ends, vulnerabilities are presented by priority (high, medium, low) with a description and a fix recommendation.   
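The triage step described above can also be scripted from a scanner's report file. This is an added example, not code from the original post: it assumes the field names of ZAP's traditional JSON report (`site`, `alerts`, `riskcode`, `solution`, `instances`), and the sample report and its host name are constructed.

```python
import json
import re
from collections import defaultdict

# ZAP encodes risk as a string code; map it to the priority labels used above.
RISK = {"3": "high", "2": "medium", "1": "low", "0": "informational"}
ORDER = ["high", "medium", "low", "informational"]

# Constructed sample report (not real scan output), trimmed to the fields used.
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "https://scan-target.example",
    "alerts": [
        {"name": "Cookie No HttpOnly Flag", "riskcode": "1",
         "solution": "<p>Set the HttpOnly flag on all cookies.</p>",
         "instances": [{"uri": "https://scan-target.example/login"}]},
        {"name": "SQL Injection", "riskcode": "3",
         "solution": "<p>Use parameterized queries.</p>",
         "instances": [{"uri": "https://scan-target.example/search"},
                       {"uri": "https://scan-target.example/account"}]},
        {"name": "Missing Anti-clickjacking Header", "riskcode": "2",
         "solution": "<p>Send X-Frame-Options or a CSP frame-ancestors directive.</p>",
         "instances": [{"uri": "https://scan-target.example/"}]},
    ],
}]})

def strip_html(text):
    """ZAP wraps description/solution text in <p> tags; drop them."""
    return re.sub(r"<[^>]+>", "", text or "").strip()

def triage(report_json):
    """Return {priority: [finding, ...]} with keys ordered high to informational."""
    grouped = defaultdict(list)
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            priority = RISK.get(str(alert.get("riskcode")), "informational")
            grouped[priority].append({
                "site": site.get("@name", ""),
                "name": alert.get("name", ""),
                "fix": strip_html(alert.get("solution")),
                "urls": sorted({i["uri"] for i in alert.get("instances", []) if "uri" in i}),
            })
    return {p: sorted(grouped[p], key=lambda f: f["name"]) for p in ORDER if grouped[p]}

def has_blocking_findings(report_json, threshold="high"):
    """True if any finding is at or above the given priority (e.g. to fail a build)."""
    blocking = ORDER[:ORDER.index(threshold) + 1]
    return any(p in blocking for p in triage(report_json))

if __name__ == "__main__":
    for priority, findings in triage(SAMPLE_REPORT).items():
        for f in findings:
            print(f"[{priority.upper()}] {f['name']} ({len(f['urls'])} URL(s)): {f['fix']}")
```
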

AppScan is a very powerful tool. It detects several types of vulnerabilities. We think that this is the best tool.

OpenVAS is powerful for analyzing servers.

Vega and ZAP are powerful for analyzing web applications, but they are not as powerful as AppScan.

This is a summary of the high-priority vulnerabilities:

To sum up, we have discovered that nowadays the most powerful security scanner available is IBM’s AppScan. However, using several free, open source scanners is an excellent alternative. Consequently, combining scanners such as OpenVAS, Vega and ZAP can be powerful as well.