Security Testing for Applications
Alin|2018-2-3

(5)Security testing for applications

Security testing techniques scour applications for vulnerabilities or security holes. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle.
Vulnerability scanners, and more specifically web application scanners, otherwise known as penetration testing tools (i.e. ethical hacking tools), have historically been used by security organizations within corporations and by security consultants to automate the security testing of HTTP requests/responses; however, this is not a substitute for an actual source code review. Physical code reviews of an application's source code can be accomplished manually or in an automated fashion. Given the common size of individual programs (often 500K lines of code or more), the human brain cannot execute the comprehensive data flow analysis needed to check every circuitous path through an application program for vulnerability points. The human brain is better suited to filtering, interpreting and reporting the output of the commercially available automated source code analysis tools than to trying to trace every possible path through a compiled code base to find root-cause-level vulnerabilities.
The two types of automated tools associated with application vulnerability detection are application vulnerability scanners and Source Code Analysis Tools (otherwise known as White Box Testing Tools). Tools in the Black Box Testing arena include Devfense, Watchfire, HP (through the acquisition of SPI Dynamics), Cenzic, Nikto (open source), Grendel-Scan (open source), N-Stalker and Sandcat (freeware). Tools in the White Box Testing arena include Armorize Technologies, Fortify Software and Ounce Labs.

(5) Security testing for applications

Security testing techniques search applications for vulnerabilities or security holes. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities can be addressed in a timely and thorough manner. Unfortunately, testing is often carried out as an afterthought at the end of the development cycle.

Vulnerability scanners, and more specifically web application scanners, also known as penetration testing tools (i.e. ethical hacking tools), have long been used by security organizations within corporations and by security consultancies to automate the security testing of HTTP requests/responses; however, this is no substitute for an actual source code review. Physical code reviews of an application's source code can be done manually or in an automated fashion. Given the common size of individual programs (often 500K lines of code or more), the human brain cannot carry out the comprehensive data flow analysis needed to check every circuitous path of an application and find its vulnerability points. The human brain is better suited to filtering, interpreting and reporting the output of commercially available automated source code analysis tools than to trying to trace every possible path through a compiled code base to find the root-cause vulnerabilities.

The two types of automated tools associated with application vulnerability detection are application vulnerability scanners and source code analysis tools (also known as white-box testing tools). Tools in the black-box testing arena include Devfense, Watchfire, HP (through its acquisition of SPI Dynamics), Cenzic, Nikto (open source), Grendel-Scan (open source), N-Stalker and Sandcat (freeware). Tools in the white-box testing arena include Armorize Technologies, Fortify Software and Ounce Labs.
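As an added illustration of the data flow analysis that white-box source code analysis tools automate (example code written for this page, not code from the post or from any of the vendors named above): a forward taint analysis over a small constructed control-flow graph with a branch, a sanitizer and a loop, reporting which sinks untrusted input can reach. The intermediate representation, node numbering and sample program are assumptions made for the example.

```python
from collections import deque

# Constructed sample program in a minimal IR (an assumption for this example).
# Each node maps to ((kind, dst, uses), successors): "source" reads untrusted
# input into dst; "assign" makes dst depend on every variable in uses;
# "sanitize" makes dst clean again; "sink" passes uses to a dangerous call.
SAMPLE_CFG = {
    0: (("source", "user", ()), [1]),
    1: (("assign", "name", ("user",)), [2, 3]),        # if/else split
    2: (("sanitize", "name", ("name",)), [6]),          # escaped branch
    6: (("sink", None, ("name",)), [4]),                # clean use
    3: (("assign", "tmp", ("name",)), [4]),             # raw branch
    4: (("assign", "query", ("tmp", "name")), [5, 1]),  # join, then loop back
    5: (("sink", None, ("query",)), []),
}

def transfer(tainted, stmt):
    """Taint state after one statement: gen on source/assign, kill on sanitize."""
    kind, dst, uses = stmt
    out = set(tainted)
    if kind == "source":
        out.add(dst)
    elif kind == "assign":
        out.discard(dst)
        if any(v in tainted for v in uses):
            out.add(dst)
    elif kind == "sanitize":
        out.discard(dst)
    return out  # a sink changes nothing

def find_tainted_sinks(cfg):
    """Return {sink node: sorted tainted inputs} via a worklist fixpoint."""
    # States only grow at joins and transfer() is monotone, so the loop
    # terminates even with back edges: every circuitous path is covered.
    preds = {n: [] for n in cfg}
    for n, (_, succs) in cfg.items():
        for s in succs:
            preds[s].append(n)
    out_state = {n: set() for n in cfg}
    def entry_state(n):  # union of predecessors' out-states (may-taint)
        return set().union(*(out_state[p] for p in preds[n]))
    work = deque(cfg)  # seed with every node
    while work:
        n = work.popleft()
        new_out = transfer(entry_state(n), cfg[n][0])
        if new_out != out_state[n]:
            out_state[n] = new_out
            work.extend(s for s in cfg[n][1] if s not in work)
    return {n: sorted(v for v in stmt[2] if v in entry_state(n))
            for n, (stmt, _) in cfg.items()
            if stmt[0] == "sink" and any(v in entry_state(n) for v in stmt[2])}
```

Node 6 is reported clean because the sanitizer on the branch leading to it kills the taint, while node 5 is reported because the raw branch reaches it through the join. Enumerating these paths by hand already becomes impractical on a graph of a few hundred nodes, which is the point the passage makes about human review.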
