Does anyone know of a way to manage Web application security vulnerabilities? I'm looking for a tool that might integrate with Selenium and/or Burp. I want to be able to run the tests over and over. In the application we need to be at a certain point in the application to exploit certain vulnerabilities. I'm not sure anything like that is out there, but I figured I would ask. Open-source would be preferable.

bdawg
    Are you looking for a tool that has this feature (tool recommendations are off-topic), or a "way" to re-test findings? What I do is simply re-run all tests and run a diff. Would that not work for you? – schroeder Jan 07 '16 at 04:24
  • A way to retest findings and keep track of them. – bdawg Jan 07 '16 at 13:01
  • Sounds like you're looking for a web regression test tracker and executor. That is likely off topic here. – Neil Smithline Jan 08 '16 at 05:00
  • Not off topic according to the rules. I am asking about a way to run a penetration test over and over again. What topics can I ask about here? IT Security Stack Exchange is for Information Security professionals to discuss protecting assets from threats and vulnerabilities. Topics include, but are not limited to: web app hardening, network security, social engineering (including phishing), risk management, policies, penetration testing, security tools, using cryptography, incident response, physically securing the office, datacentre, information assets, etc. – bdawg Jan 08 '16 at 16:08
  • By looking for a tool, it's typically off-topic, as I mentioned. That's why I made my first comment. Tools come and go. If you can make it over to the [DMZ](http://chat.stackexchange.com/rooms/151/the-dmz), you can talk to folks directly. – schroeder Jan 08 '16 at 16:47
  • Here is the link to the on-topic topics: [link](http://security.stackexchange.com/help/on-topic). Please let me know if tools are in there and also penetration testing. – bdawg Jan 09 '16 at 00:31

1 Answer

There are a few options... we are technically not supposed to provide vendor based recommendations in our answers, but... as an example:

HP WebInspect will perform web application vulnerability scans and allow one to retest/rescan/verify that a fix or fixes were implemented without re-scanning the entire application.

It also integrates with HP Quality Center and IBM Rational ClearQuest for vulnerability tracking.

There are other vulnerability scanners from multiple vendors available, such as Acunetix, Nessus, Qualys, and BeyondTrust but I am unfamiliar with their offerings and they will have varying degrees of "web application" scanning support.

To me, it seems like you have two separate questions:

  • Can the vulnerability scanner retest/verify vulnerabilities?
  • What are my options for managing/tracking discovered vulnerabilities?

In regards to tracking, you might be able to leverage OWASP Dependency-Track.

Dependency-Track has two main goals:

Document the use of third-party components across multiple applications and determine the use of vulnerable components across applications

Or possibly VScan

VScan was created as after a vulnerability assessment it can sometimes be difficult to track the implementation of a security improvement program, so this tool can help you measure your progress and simplify the process of fixing any problems found.

Or ThreadFix

ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. ThreadFix imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications.

k1DBLITZ
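The "re-run all tests and run a diff" approach from the comments, and the answer's second question about tracking discovered vulnerabilities, can be combined in a small retest tracker. The following is an added example, not code from the question, the answer, or any of the tools named above; the `Finding` records, URLs and vulnerability labels are constructed sample data, and the fingerprint scheme (vulnerability type, URL path with numeric segments collapsed, parameter name) is an assumption chosen so that the same flaw re-detected against a different record ID still matches across runs.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    """One scanner/Burp finding. Evidence is kept for reporting but is
    not part of the identity, because payload samples change per run."""
    vuln_type: str
    url: str
    parameter: str
    evidence: str = ""


def fingerprint(f: Finding) -> str:
    """Stable key across scan runs: query strings and numeric path
    segments (record IDs) are dropped so /orders/42 and /orders/57 match."""
    path = re.sub(r"/\d+(?=/|$)", "/{id}", urlsplit(f.url).path)
    return f"{f.vuln_type}|{path}|{f.parameter}"


def record_run(tracker: dict, run_id: str, findings: list) -> dict:
    """Diff this run against the tracker state and update it in place.
    tracker maps fingerprint -> {status, first_seen, last_seen[, fixed_in]}.
    Returns the classified fingerprints: new, persisting, fixed, reopened."""
    current = {fingerprint(f) for f in findings}
    known = set(tracker)
    open_before = {k for k, e in tracker.items() if e["status"] == "open"}
    result = {
        "new": sorted(current - known),
        "persisting": sorted(current & open_before),
        "reopened": sorted(current & (known - open_before)),  # regression
        "fixed": sorted(open_before - current),
    }
    for key in current:
        entry = tracker.setdefault(key, {"first_seen": run_id})
        entry.update(status="open", last_seen=run_id)
    for key in result["fixed"]:
        tracker[key].update(status="fixed", fixed_in=run_id)
    return result


# Constructed sample runs: XSS is fixed in run 2, the SQLi shows up on a
# different order ID, an IDOR appears, and the XSS regresses in run 3.
RUN_1 = [Finding("xss", "https://app.example/search?q=x", "q", "<svg/onload>"),
         Finding("sqli", "https://app.example/orders/42", "id", "' OR 1=1")]
RUN_2 = [Finding("sqli", "https://app.example/orders/57", "id", "' OR 1=1"),
         Finding("idor", "https://app.example/api/users/7/profile", "path")]
RUN_3 = RUN_2 + [Finding("xss", "https://app.example/search?q=y", "q")]

if __name__ == "__main__":
    state = {}
    for run_id, run in (("run-1", RUN_1), ("run-2", RUN_2), ("run-3", RUN_3)):
        print(run_id, record_run(state, run_id, run))
```

Persisting the `tracker` dict (for example as JSON) between Selenium-driven scan runs gives the retest history the question asks for, with "reopened" flagging regressions that a plain pass/fail diff would miss.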