And here comes Firing Range!
Google's 'Firing Range' is a step towards securing web applications against hacking. Released in November 2014, it is an open source Java application built on Google App Engine that provides a testing ground for evaluating the effectiveness of security test tools. It contains a wide range of XSS (Cross Site Scripting) and other web vulnerabilities which are helpful to 'test' security testing tools.
Why do we need a testbed at all?
Testbeds are used by security testing tool vendors who want to create test tools that are ready to detect all vulnerabilities. The only way to make a test tool more and more accurate is to test the tool itself against a testbed full of known vulnerabilities: a synthetic testbed both to measure the current capabilities of the tool and to set goals for what it needs to catch next.
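The measurement the paragraph above describes, as an added example (not code from the original post, and not part of Firing Range itself): a small scorer that compares a scanner's findings against a testbed manifest of known-vulnerable and known-safe endpoints, reports recall and precision per vulnerability class, and lists the cases the tool missed so they can become its next targets. The manifest paths, vulnerability classes and scanner findings are constructed sample data, not Firing Range's real test cases or any real scanner's output.

```python
"""Score a web vulnerability scanner against a testbed manifest.

Constructed example data: the manifest and findings below are made up for
illustration and do not describe Firing Range's real endpoints or any
real scanner's report.
"""

# Constructed testbed manifest. "vulnerable": False marks endpoints that
# look suspicious but are actually safe (false-positive traps), which is
# how a testbed measures precision as well as recall.
TESTBED_MANIFEST = [
    {"path": "/reflected/parameter/body", "class": "xss", "vulnerable": True},
    {"path": "/reflected/parameter/attribute_quoted", "class": "xss", "vulnerable": True},
    {"path": "/escaped/parameter/body", "class": "xss", "vulnerable": False},
    {"path": "/dom/location_hash", "class": "xss", "vulnerable": True},
    {"path": "/redirect/parameter", "class": "open_redirect", "vulnerable": True},
    {"path": "/redirect/whitelisted", "class": "open_redirect", "vulnerable": False},
]

# Constructed scanner report: (path, class) pairs the tool flagged.
SCANNER_FINDINGS = [
    ("/reflected/parameter/body", "xss"),        # true positive
    ("/escaped/parameter/body", "xss"),          # false positive (trap)
    ("/dom/location_hash", "xss"),               # true positive
    ("/redirect/whitelisted", "open_redirect"),  # false positive (trap)
]


def _rate(numerator, denominator):
    """Ratio that returns 0.0 instead of dividing by zero."""
    return numerator / denominator if denominator else 0.0


def score(manifest, findings):
    """Return {class: {tp, fn, fp, recall, precision}} plus an 'all' total.

    Anything the scanner flagged that is not a vulnerable manifest entry
    (a trap, or an endpoint not in the manifest at all) counts as a false
    positive; vulnerable entries it did not flag count as false negatives.
    """
    expected = {(c["path"], c["class"]) for c in manifest if c["vulnerable"]}
    found = set(findings)
    classes = {c["class"] for c in manifest} | {cls for _, cls in found}
    report = {}
    for cls in sorted(classes) + ["all"]:
        exp_c = expected if cls == "all" else {e for e in expected if e[1] == cls}
        fnd_c = found if cls == "all" else {f for f in found if f[1] == cls}
        tp = len(exp_c & fnd_c)
        fn = len(exp_c - fnd_c)
        fp = len(fnd_c - exp_c)
        report[cls] = {
            "tp": tp,
            "fn": fn,
            "fp": fp,
            "recall": _rate(tp, tp + fn),
            "precision": _rate(tp, tp + fp),
        }
    return report


def missed_cases(manifest, findings):
    """Vulnerable testbed paths the scanner did not flag: the next goals."""
    found = set(findings)
    return sorted(
        c["path"]
        for c in manifest
        if c["vulnerable"] and (c["path"], c["class"]) not in found
    )


if __name__ == "__main__":
    for cls, m in score(TESTBED_MANIFEST, SCANNER_FINDINGS).items():
        print(f"{cls:14s} tp={m['tp']} fn={m['fn']} fp={m['fp']} "
              f"recall={m['recall']:.2f} precision={m['precision']:.2f}")
    print("missed:", missed_cases(TESTBED_MANIFEST, SCANNER_FINDINGS))
```

Keeping false-positive traps in the manifest matters: a scanner that flags every parameter as XSS would score perfect recall on a testbed that only lists real bugs, so precision against known-safe endpoints is what separates a useful tool from a noisy one.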
Multiple testbeds similar to Google's Firing Range are also available and can be leveraged to evaluate the effectiveness of a security testing/assessment tool. Some of them are OWASP WebGoat, OWASP Broken Web Applications Project (OWASPBWA), OWASP Hackademic, Damn Vulnerable Web Application (DVWA), Mutillidae and Metasploitable.
How does Google Firing Range benefit businesses?
As websites get more dynamic and complex, they have become more vulnerable to cyber attacks. A report from the Centre for Strategic and International Studies (CSIS) puts the average cost of cyber attacks to the global economy at approximately $400bn. Businesses stand to face millions of dollars in penalties when sensitive information like credit card details, social security numbers etc. falls into the hands of hackers. The associated loss of goodwill and trust could take years to regain.
- Major companies like Sony Entertainment, eBay, Snapchat and Apple iCloud became recent targets of hacking.
- The security bug Heartbleed, impacting over 66% of websites, remained undetected for 2 years exposing user login details to hackers.
The above shows that hacking is rampant and bugs can be very hard to detect.
Firing Range attempts to increase the chances of detecting bugs and other vulnerabilities in a web application by enabling more effective security testing tools. It provides a detailed testbed against which Web Application Vulnerability Scanners can be checked for their ability to detect vulnerabilities in a website. Its particular strength is its coverage of XSS vulnerabilities. According to Claudio Criscione, security engineer at Google, XSS bugs represent 70% of all vulnerabilities detected at Google.
Firing Range is open source. Developers are free to try it, build upon it and give suggestions to improve the tool. It brings the advantage of Google's rich experience in web security.
As companies strive to attract customers through innovative websites, they cannot afford to ignore the need to ensure their customers a safe web experience. Partnering with a third party that has expertise in evaluating security testing/assessment tools can be helpful in strengthening and increasing the effectiveness of the tool. Gallop's Security Testing CoE will undertake the rigorous process of evaluating the Security Assessment tool, leveraging not only Google's Firing Range but also similar testbeds like OWASP WebGoat, OWASP Broken Web Applications Project (OWASPBWA), Damn Vulnerable Web Application (DVWA), Mutillidae, OWASP Hackademic and Metasploitable.
Gallop Solutions excels in providing software security testing services using proprietary test accelerators and expertise in the world's leading test tools. Through partnerships with these leading security test tool vendors, clients get to work with trained and certified test professionals at Gallop. If you have an application which needs to be security-tested, leverage the benefits of our pre-built security test framework, which accelerates your test cycle while assuring quality. Drop us a line and we would be glad to assist.