Automatic security scanning

Although static code scanning can discover some security problems, system-level vulnerabilities such as XSS, CSRF and SQL injection may only emerge after the components are integrated or after the system is deployed into a test environment. Dynamic security scanning applied at that moment therefore discovers such problems in the shortest possible time. There are two types of dynamic security scanning: active scanning and passive scanning.

In active scanning, the address of the system to be scanned is given first; the scanning tool then accesses the system in some way, for example by applying various known vulnerability models and inferring the system's vulnerabilities from the responses, or by embedding various kinds of random data into the access requests (fuzz testing) to perform simple penetration tests and weak-password tests. However, active scanning is not suitable for systems with complex business processes. For a payment system, for example, which requires logging in and filling in many forms, passive scanning should be applied instead.

The fundamental principle of passive scanning is to set up the scanning tool as a proxy server. The functional tests access the system through this proxy, so the scanning tool can intercept all of the exchanged data and analyze it. By pattern matching against known security problems, possible security vulnerabilities are discovered. Because this integrates into CI more easily, passive scanning is usually run while the automated functional tests execute, which realizes continuous security scanning.

Some security scanning tools for web applications:

Tool         Vulnerability type        License     Homepage
ZAP          General web applications  Free        https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
SQLMap       SQL injection             Free        http://sqlmap.org/
Burp Suite   General web applications  Commercial  http://www.portswigger.net/
N-Stalker    General web applications  Commercial  http://www.nstalker.com/