Software Testing Tools

Added on 2022/11/28
Running head: SECURITY TESTING
SOFTWARE TESTING TOOLS
Name of Student:
Name of University:
Author note:
Table of Contents
Answer to question 1
Answer to question 2
Answer to question 3
Answer to question 4
Answer to question 5
Answer to question 6
Answer to question 7
Answer to question 8
Answer to question 9
Answer to question 10
Answer to question 1
When testing a website, the tester only has to tell ZAP which site to test through the Quick Start option: the tester enters the URL of the web page in the Quick Start tab of ZAP (psiinon, 2019) and the rest of the work is done automatically. While examining the website "The BodgeIt Store", the tester simply entered the URL of the website in the Quick Start option and the testing was carried out automatically. Scanning a website by this process is very easy: the tester does not need to do anything manually, because once the URL of the website has been entered the Quick Start option does the work automatically.
Answer to question 2
After using ZAP, ThreadFix is needed for importing the scan results and for tracking the scanned results over time. This automatic merging of results saves the analysts' time, so that they can focus on activities of higher value. Besides this, ThreadFix Orchestration helps the security analysts store scan configurations and schedule regular scans of the various applications as they evolve (psiinon, 2019). The analyst does not need to run the scan manually or even load the updated scan results into ThreadFix for review. The tutorial on using ThreadFix given by the analyst in the webinar on ZAP concluded that by using ThreadFix it is easier to import the results of the scan and to track the results of the scan over time.
Answer to question 3
The OWASP Zed Attack Proxy project has a link from which the ZAP tool can be downloaded. There is also a trial version which can be downloaded. If the original version of the ZAP tool is downloaded (OWASP, 2019), the first thing to do is to install ZAP on the system. The tool requires Java 8+ to run. Java 8+ is already installed on Mac OS, but on other operating systems, including Windows, Linux and the cross-platform versions, Java 8+ must be installed. When the installation runs, certain terms and conditions must be accepted, after which ZAP automatically finishes the installation and then starts. After ZAP starts, it asks whether to persist a ZAP session. This is optional; if the ZAP session is not persisted, the tutorial database is automatically removed from the tool. After this, the Start button must be clicked to start the tool. As this is an open source tool, anyone can easily use it after following this process. The same process is followed for the trial download.
Answer to question 4
The main features available in ZAP include:
Intercepting Proxy - ZAP includes an intercepting proxy, which is a great security tool for beginners as well as for veterans.
Active and Passive Scanners - The active scan helps in finding potential vulnerabilities by using known attacks against the selected targets (denimgroup, 2019), while the passive scan is used to add tags automatically and to raise alerts about potential issues.
Spider - The spider helps in exploring a site; it is not used for scanning.
Report Generation - This feature of ZAP generates the report.
Brute Force - This is a type of attack which manifests in various ways. It configures the values, sends requests to the server using those values and then analyses the responses.
Fuzzing - A technique for submitting various invalid data to a target.
Extensibility - ZAP also provides a platform for extensibility.
The additional features of ZAP include:
Auto tagging
Port scanner
Parameter analysis
Support of smart card
Session comparison
Invoke external apps
API + Headless mode
Dynamic SSL Certificates
Anti CSRF token handling
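The report generation and alert features listed above, and the import and tracking of scan results over time described in the answer to question 2, both come down to handling ZAP's alert output. The following Python script is an added example, not code from this document, from ZAP or from ThreadFix. It parses two constructed reports written in the shape of ZAP's traditional JSON report (a "site" list whose entries carry an "alerts" list with "pluginid", "name", "riskcode" and "instances"); that shape, the plugin ids and the URIs are assumptions made for the example. It summarises alert instances per risk level, diffs the two runs into new, resolved and persisting findings, and provides a risk-threshold gate that a scheduled scan could fail on.

```python
"""Triage and diff two OWASP ZAP JSON reports (added example, constructed data)."""
import json
from collections import Counter

# Constructed baseline scan, e.g. last week's scheduled scan. The report
# shape, plugin ids and host are assumptions for this example.
BASELINE_JSON = """
{"@version": "2.x", "site": [{"@name": "http://target.example",
  "alerts": [
    {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing",
     "riskcode": "1", "confidence": "2",
     "instances": [{"uri": "http://target.example/", "method": "GET"}]},
    {"pluginid": "40018", "name": "SQL Injection",
     "riskcode": "3", "confidence": "2",
     "instances": [{"uri": "http://target.example/search", "method": "GET", "param": "q"}]}
  ]}]}
"""

# Constructed follow-up scan: the injection finding is gone, a new medium
# finding appeared, and the header finding is still present.
FOLLOWUP_JSON = """
{"@version": "2.x", "site": [{"@name": "http://target.example",
  "alerts": [
    {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing",
     "riskcode": "1", "confidence": "2",
     "instances": [{"uri": "http://target.example/", "method": "GET"}]},
    {"pluginid": "10202", "name": "Absence of Anti-CSRF Tokens",
     "riskcode": "2", "confidence": "2",
     "instances": [{"uri": "http://target.example/login", "method": "GET"}]}
  ]}]}
"""

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def alert_keys(report_text):
    """Return {(pluginid, uri, param): (name, risk)} for every alert instance.

    Keying on plugin id plus the affected URI and parameter is what lets two
    runs be compared: the same finding at the same location gets the same key.
    """
    report = json.loads(report_text)
    keys = {}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = RISK_NAMES.get(str(alert.get("riskcode")), "Unknown")
            for inst in alert.get("instances", []):
                key = (alert["pluginid"], inst.get("uri", ""), inst.get("param", ""))
                keys[key] = (alert["name"], risk)
    return keys


def risk_summary(report_text):
    """Count alert instances per risk level, e.g. {'High': 1, 'Low': 1}."""
    return dict(Counter(risk for _, risk in alert_keys(report_text).values()))


def diff_reports(old_text, new_text):
    """Classify findings as new, resolved or persisting between two scans."""
    old, new = alert_keys(old_text), alert_keys(new_text)
    return {
        "new": sorted(k for k in new if k not in old),
        "resolved": sorted(k for k in old if k not in new),
        "persisting": sorted(k for k in new if k in old),
    }


def has_blocking_findings(report_text, minimum="High"):
    """True if any finding is at or above the given risk level; a gate that a
    scheduled scan pipeline can fail on."""
    threshold = RISK_ORDER.index(minimum)
    return any(RISK_ORDER.index(risk) >= threshold
               for _, risk in alert_keys(report_text).values()
               if risk in RISK_ORDER)


if __name__ == "__main__":
    print("baseline:", risk_summary(BASELINE_JSON))
    print("follow-up:", risk_summary(FOLLOWUP_JSON))
    for status, keys in diff_reports(BASELINE_JSON, FOLLOWUP_JSON).items():
        print(status, "->", keys)
    print("gate on High:", has_blocking_findings(FOLLOWUP_JSON))
```

The diff is keyed on plugin id, URI and parameter rather than on the alert name, so a renamed rule still matches across runs while the same rule firing on a new page shows up as a new finding; that is the merge a tracker such as ThreadFix performs so that analysts review only what changed.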
Answer to question 5
There are 4 steps for penetration testing with ZAP:
1. Planning phase:
The scope and the strategy for the assignment are determined.
The security policies and standards that already exist are used.
2. Discovery phase:
Information is collected.
The ports are scanned and probed.
Vulnerabilities are checked.
3. Attack phase:
Exploits for the different vulnerabilities are found.
4. Reporting phase:
The report must contain detailed findings.
The risks due to the vulnerabilities, and their impacts, are identified.
Recommendations and solutions are given, if there are any.
Answer to question 6
Manual penetration testing is testing done directly by human beings: an expert tests the system directly. In automated penetration testing, the testing is done automatically with the use of automated tools. There are certain advantages of using automated tools rather than manual testing: the automated tools are faster and more efficient, and their results are always consistent, whereas the results vary in manual testing. Besides these advantages of automated testing, there are certain advantages of manual testing as well (Fortify Unplugged, 2019). The manual tester can think like a hacker and analyse better, which is impossible for automated testing. The manual tester can perform multiple tests as the requests require, which cannot be done by automated testing (Pandey, 2018). Manual testing is reliable but the automated technique is not. Thus it can be seen that using automated testing is not always perfect.
Answer to question 7
ZAP and Test Anywhere are two different automated testing tools. The basic differences between them are:
Platforms - ZAP is supported on various platforms including Windows, Mac, SaaS, iOS and Android. Test Anywhere is supported only as SaaS.
Support - ZAP provides 24/7 live support. Test Anywhere provides online support.
Training - ZAP provides training through documentation, webinars, live online sessions and in-person sessions. Test Anywhere provides in-person training.
Automated Testing Features - ZAP provides various testing features including Hierarchical View, Move and Copy, Parameterized Testing, Security Testing, Unicode Compliance, Review of Test Script and Requirement-Based Testing; parallel execution is also supported. Test Anywhere does not provide any automated testing feature.
Answer to question 8
The failure of the Ariane 5 software caused a disaster. The problem was mainly that a large value could not fit into a 16-bit variable (Najera-Gutierrez & Ansari, 2018). This caused an operand error in the processor, and thus the BH variable was populated with a diagnostic value. Fortify on Demand tests, on the other hand, give complete security assurance of software with fast results, good quality and support from the technical team (De Florio, 2016). This support helps to find any bug in the software and to find a solution for that bug.
If Fortify on Demand had been used on the Ariane 5 software, the disaster could have been averted. This is because the bug present in the software could have been fixed if it had been noticed before the software was put into practical use (Kothari et al., 2017). Fortify on Demand would have easily found the bug present in the Ada code of the Ariane 5 software, and the bug would then have been fixed. Thus this would have helped to stop the disaster.
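As an added illustration of the class of defect described above (this is not code from the document, from the Ariane 5 flight software or from Fortify), the Python below contrasts an unchecked narrowing of a floating-point value into a 16-bit integer, which silently wraps into a plausible-looking but wrong number, with a checked conversion that refuses values that do not fit and a saturating one that clamps them. The sample values are constructed, not the flight's actual values; the range check in front of the conversion is what a static analyser or a reviewer looks for.

```python
"""Checked vs unchecked narrowing of a float to a 16-bit integer (added example)."""
import math

INT16_MIN, INT16_MAX = -32768, 32767

# Constructed samples: one in range, one just past the int16 range, one far out.
SAMPLES = [1234.7, 40000.0, 3.0e9]


def unchecked_to_int16(value):
    """Mimic a conversion that silently wraps into 16 bits.

    Python integers never overflow, so the wrap is emulated explicitly by
    keeping the low 16 bits and reinterpreting them as a signed value. This
    reproduces the "value looks valid but is wrong" failure mode.
    """
    raw = int(value) & 0xFFFF          # keep only the low 16 bits
    return raw - 0x10000 if raw > INT16_MAX else raw


def checked_to_int16(value):
    """Narrow to int16, refusing values that do not fit or are not numbers."""
    if math.isnan(value) or math.isinf(value):
        raise ValueError(f"cannot convert {value!r} to int16")
    truncated = int(value)
    if truncated < INT16_MIN or truncated > INT16_MAX:
        raise OverflowError(f"{value!r} does not fit in a 16-bit integer")
    return truncated


def saturating_to_int16(value):
    """Narrow to int16 by clamping instead of raising.

    Clamping is the alternative when continuing with a bounded value is
    acceptable for the application; it has to be a deliberate design choice,
    never the accidental behaviour of the conversion.
    """
    if math.isnan(value):
        raise ValueError("cannot convert NaN to int16")
    if value >= INT16_MAX:             # also covers +inf
        return INT16_MAX
    if value <= INT16_MIN:             # also covers -inf
        return INT16_MIN
    return int(value)


def narrow_samples(samples, convert):
    """Apply one conversion strategy to each sample, recording either the
    converted value or the name of the exception it raised."""
    results = []
    for sample in samples:
        try:
            results.append(convert(sample))
        except (OverflowError, ValueError) as exc:
            results.append(type(exc).__name__)
    return results


if __name__ == "__main__":
    for name, fn in [("unchecked", unchecked_to_int16),
                     ("checked", checked_to_int16),
                     ("saturating", saturating_to_int16)]:
        print(f"{name:>10}: {narrow_samples(SAMPLES, fn)}")
```

The unchecked path turns 40000.0 into -25536 and 3.0e9 into 24064, both well inside the 16-bit range, which is why such a defect survives testing that only looks at whether the output is in range; the checked path fails loudly at the conversion instead.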
Answer to question 9
To achieve the highest EAL level, the system must meet assurance requirements. The requirements include penetration testing, functional testing, design analysis and design documentation. This costs a huge amount of money and is also time consuming. It checks whether the features of the product fulfil the security requirements or not (Sekhar et al., 2018). When a product is built with an SDLC, the defects present in the product are reported, fixed, retested and tracked. The process continues until the defined quality standard is met. After testing the product with Testing Anywhere, it fails to attain the highest EAL level. This is because Testing Anywhere works only on a SaaS platform, which can only be accessed online and cannot be installed on particular computers (Panthi & Bhattarai, 2016). Thus not all the requirements of the highest EAL level are fulfilled by building the product and testing it by an SDLC using Testing Anywhere. This does not check whether the features of the product fulfil the security requirements or not.
Answer to question 10
Security testing of a product clarifies whether the product has all the security features or not. If the product lacks any security requirement, the features of the product are clarified so that they fulfil the security requirements. Thus security testing can successfully maintain the security features of a product. The security rating given to a particular product shows how safe the product is. It helps security testing keep track of whether the product needs to be checked or not; if it needs to be checked and the security requirement fixed, that can be done very easily. On the other hand, EAL also gives a grade for a particular product which shows the security features of that product (Hashii et al., 2016). The EAL simply clarifies whether the features fulfil the requirements or not. Thus the security testing of a product and the "security rating" of a product attain the EAL level.
References:
De Florio, V. (2016). Software Assumptions Failure Tolerance: Role, Strategies, and Visions. arXiv preprint arXiv:1605.02040.
denimgroup. (2019). Running a Web Security Testing Program with OWASP ZAP and ThreadFix. Retrieved from https://www.youtube.com/watch?v=pPU2XTFyRmU
Fortify Unplugged. (2019). Fortify Unplugged. Retrieved from https://www.youtube.com/channel/UCUDKcm1wIfE6EWk_SyK0D4w
Hashii, B. D., Scott, M. O., Silverman, D. R., Wixtrom, L., Tester, J., & Brown, S. A. (2016). U.S. Patent No. 9,489,534. Washington, DC: U.S. Patent and Trademark Office.
Kothari, S., Awadhutkar, P., Tamrawi, A., & Mathews, J. (2017, December). Modeling lessons from verifying large software systems for safety and security. In Proceedings of the 2017 Winter Simulation Conference (p. 109). IEEE Press.
Najera-Gutierrez, G., & Ansari, J. A. (2018). Web Penetration Testing with Kali Linux: Explore the methods and tools of ethical hacking with Kali Linux. Packt Publishing Ltd.
OWASP Zed Attack Proxy Project - OWASP. (2019). Retrieved from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Pandey, K. (2018). A Bug Tracking Tool for Efficient Penetration Testing. International Journal of Education and Management Engineering, 8(3), 14.
Panthi, B., & Bhattarai, N. (2016). Residential Sector Energy Demand and Analysis of Resunga Municipality, Gulmi, Nepal. In Proceedings of IOE Graduate Conference (pp. 355-359).
psiinon. (2019). OWASP Zed Attack Proxy - Overview. Retrieved from https://www.youtube.com/watch?time_continue=4&v=eH0RBI0nmww
psiinon. (2019). The OWASP ZAP HUD - Usable Security Tooling. Retrieved from https://www.youtube.com/watch?v=ztfgip-UhWw
Sekhar, C. C., UdayKumar, J., Kumar, B. K., & Sekhar, C. (2018). Effective use of Big Data Analytics in Crop planning to increase Agriculture Production in India.