Software security tools to improve your skills in a single day

There are several good books on this subject like Exploiting Software: How to Break Code and 19 Deadly Sins of Software Security. I highly recommend these books. But what if you're not a developer? Where's a good place to start learning about hands-on software security? Whether you're a DBA, developer, security professional, or all of the above, it only takes playing around with some great tools to take your software security expertise to the next level.

Enter Foundstone's Hacme toolset and OWASP's WebGoat. Using these tools, you'll learn about the critical software security problems such as:

Learning how these weaknesses are exploited in web applications, web services, and related databases is guaranteed to help you sharpen your security skills, especially when it comes to keeping your systems' crown jewels protected. The bonus is that these tools are free and the time required is minimal.

Let's take a peek at the Foundstone tools first. The Hacme tools are essentially a set of poorly-coded web applications (J2EE, C++, ColdFusion, and a web service) and you're tasked with finding the security holes in them. There are currently five themed tools: Hacme Casino (shown in Figure 1 below), Hacme Shipping, Hacme Travel, Hacme Books, and Hacme Bank.

[IMAGE] Figure 1 - The main page for Foundstone's Hacme Casino

Each tool has very good documentation with pre-canned hacking lessons and screenshots that step you through what you need to know, so you're not just hacking blin

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT SQL Server Security The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Securing SQL Server with access control, login monitoring and DDL triggers SQL Server security: Controlling access via database roles Implementing security audit in SQL Server 2008 New security features in SQL Server 2008 leave some work for you Can I encrypt and restore a database backup in SQL Server 2005? FAQ: How to troubleshoot and grant SQL Server permissions Secure SQL Server from SQL injection attacks SQL Server Management A first look at Microsoft SQL Server 2008 R2 Maintaining high availability of SQL Server virtual machines Creating fault-tolerant SQL Server installations Using Microsoft Hyper-V for SQL Server consolidation Scaling up vs. scaling out with SQL Server 2008 Migrating to SQL Server 2008 and leveraging new features Testing a SQL Server environment before an upgrade Does upgrading to SQL Server 2008 fit your business? Meeting business needs with SQL Server full-text search Using dynamic management views to improve SQL Server index effectiveness

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

dly. You could literally spend an hour or less on each one and learn a ton about how not to write software and manage your systems.

Now on to the popular WebGoat. WebGoat – now at version 5.0 – is sponsored by the Open Web Application Security Project (OWASP). It's similar to the Foundstone Hacme tools, as built-in lessons are included and there's good documentation to help you along. However, WebGoat focuses solely on the J2EE and Tomcat platform which limits its scope and your ability to learn software security on various platforms. Arguably, a software security flaw on one platform is essentially the same on all others. Whether you want to focus on Java is up to you. That said, WebGoat is more of an extensible framework with its own open source community, where you can share ideas and contribute your own lesson plans. A sample WebGoat page is shown in Figure 2.

[IMAGE]
Figure 2 - The first WebGoat lesson on HTTP basics

Like the Foundstone Hacme tools, just a couple of hours spent with WebGoat and you'll grow your software security skills practically overnight. You could also perform automated testing on the Hacme and WebGoat applications using tools such as SPI Dynamics WebInspect and the N-Stalker Web Application Security Scanner. There's certainly some value in this and I encourage you to do so if you have the tools. However, the main intent with the Hacme tools and WebGoat is to step through software security problems manually. You'll get to know the application logic and understand how specific exploits are carried out at the hands of the bad guys. Either way, the bonus of working with tools like Foundstone's Hacme and WebGoat is that you don't have to worry about messing around with your own production environment. You can do everything conveniently at your own computer.

Forget the fancy four-and five-letter security certifications everyone covets. OK, they do add value, especially when it comes to getting work. However, it's hands-on experience with these types of security tools that will give you the real-world experience to keep your skills fresh. Ultimately, you'll be ahead of the competition. Bottom line: the Foundstone Hacme tools and WebGoat should be required learning for anyone who takes security seriously.

[TABLE]

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.