JVM Advent

Pentesting Java applications

Have you ever wondered whether your Java application is secure enough before going to production? Or how to uncover security vulnerabilities during the development lifecycle? I am guessing the answer is yes, and probably the first thing that comes to a Java developer's mind is to introduce a static analysis tool like SonarQube, PMD or FindBugs into the current CI/CD process, hoping to uncover certain issues (including security ones) in the codebase. Static analysis can discover, and help alleviate, certain types of security issues, such as unvalidated input or outdated and potentially vulnerable versions of libraries, but it cannot address security concerns related to the operational aspect of the application: how the deployed application is actually configured and behaves at runtime. This is where penetration testing tries to fill the gaps and provide more insight into potential vulnerabilities. However, putting penetration testing into action requires more time and skills, which for many projects (especially ones for which security is not a critical concern) is out of budget. Conducting penetration tests can be broken down into several distinct phases, which vary in their formulation across different sources but can be summarized as follows:

Depending on how critical security is for the target organization, penetration testing might be adopted by different roles in the organization, such as:

Many organizations are also willing to pay for commercial security tools that may reduce the cost and complexity of conducting penetration tests in-house. Tools that can conduct penetration tests with context knowledge of Java applications include Veracode and Burp Suite, for example. If, however, the team conducting the penetration tests prefers to rely on a free and potentially open source set of tools, there is also plenty to choose from, such as OWASP ZAP or Metasploit, which can run exploits specific to Java applications. A good list of free and commercial tools is available at: https://owasp.org/www-community/Vulnerability_Scanning_Tools. A detailed review of the penetration testing tools bundled in the Kali Linux distribution is available at https://tools.kali.org/tools-listing.
It might be quite overwhelming to get a grasp on the majority of tools available for penetration testing, but the general recommendation is to look for those covering the security aspects and related exploits relevant to the target application, start by adopting a small set of tools, and then gradually extend the penetration testing process with more tools and practices as the application evolves.
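The distinction drawn above, that static analysis sees source and dependencies while a penetration test observes the running deployment, is easiest to see with checks that only make sense against live HTTP traffic. The following Python script is an example added here (it is not code from the original post, nor ZAP's own code) that applies a few passive checks of the kind ZAP's passive scan rules report: missing hardening headers, a Server banner that reveals a servlet container version, a session cookie without Secure/HttpOnly, and a Java stack trace leaking into a 5xx error page. The header list, the banner patterns and both sample responses are constructed for illustration; none of these properties is visible to a source-level scanner.

```python
"""Passive response checks of the kind a dynamic scanner (for example the passive
scan rules in OWASP ZAP) raises against a *running* application.

Added example for this article, not code from the original post or from ZAP.
It parses a captured HTTP/1.1 response, so it runs offline; the two sample
responses below are constructed, not captured from a real system."""
import re
from typing import List, Tuple

# Hardening headers whose absence a passive scanner typically reports.
# The list and wording are assumptions reflecting common baselines, not any
# tool's exact rule set.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing, so a downgrade to plain HTTP is not prevented",
    "x-content-type-options": "MIME sniffing is not disabled",
    "content-security-policy": "no CSP, so the impact of an XSS bug is not contained",
    "x-frame-options": "no clickjacking protection",
}

# Banners that reveal a servlet container or framework version. The version
# actually deployed is a runtime property; source-level static analysis never sees it.
VERSION_BANNER = re.compile(r"(?i)\b(apache-coyote|tomcat|jetty|undertow|wildfly|glassfish)[ /]\d")

# A Java stack frame leaking into an HTML body, e.g. a default container error page.
JAVA_STACK_FRAME = re.compile(r"\bat [\w.$]+\([\w.]+\.java:\d+\)")


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.1 response into status code, (lowercased name, value) header pairs and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def check_response(raw: str) -> List[str]:
    """Return human-readable findings for one response; an empty list means nothing was flagged."""
    status, headers, body = parse_response(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, why in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(f"missing header {name}: {why}")
    for name, value in headers:
        if name in ("server", "x-powered-by") and VERSION_BANNER.search(value):
            findings.append(f"{name} header leaks a component version: {value}")
        if name == "set-cookie":
            flags = value.lower()
            cookie = value.split(";")[0]
            if "httponly" not in flags:
                findings.append(f"cookie without HttpOnly: {cookie}")
            if "secure" not in flags:
                findings.append(f"cookie without Secure: {cookie}")
    if status >= 500 and JAVA_STACK_FRAME.search(body):
        findings.append("Java stack trace disclosed in a 5xx response body")
    return findings


# Constructed sample: a default servlet container error page with a bare session cookie.
SAMPLE_WEAK = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/\r\n"
    "\r\n"
    "<pre>java.lang.NullPointerException\n"
    "\tat com.example.OrderServlet.doGet(OrderServlet.java:42)</pre>"
)

# Constructed sample: the same application behind a hardened front end.
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html>ok</html>"
)

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        findings = check_response(sample)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Against the constructed weak response the script reports eight findings (four missing headers, the Apache-Coyote banner, the two cookie flags and the stack trace) and none against the hardened one. In a real engagement the same checks would be run against the deployed application, not against a canned string, which is exactly the gap between a CI static analysis step and a penetration test.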

Author: Martin Toshev
