Security Basics mailing list archives

RE: Carrying out an application security assessment for a Visual Basic application


From: Tony UcedaVélez <tonyuv () versprite com>
Date: Wed, 28 Mar 2007 14:42:43 -0400

It really depends on the nature of the application and what it is intended
to do.  Devoid of that information, my general recommendations are to see
how it is handling the following:

- authentication
- encryption
- storing/caching of data across objects
- input validation
- error handling
- process management (all under one process? sub-processes?)
- code management (versioning, check-in/check-out procedures)
- coding environment assessment (for testing/development/migration from)
- adding VB libraries (if and when necessary versus adding a whole list of
libraries for no added functionality)
- data integrity validation functions

Again, these are just simple starting points for performing a general app
assessment devoid of any tools and checking things manually.  Sharing with
the group what the app does may reveal more targeted recommendations.

Best wishes,


Tony UcedaVélez, CISM, CISA, GIAC
President
VerSprite, LLC
(office) 678.938.3434
(email) tonyuv () versprite com
(web)   www.versprite.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Pranav Lal
Sent: Monday, March 26, 2007 6:47 AM
To: security-basics () securityfocus com
Subject: Carrying out an application security assessment for a Visual Basic
application

Hi all,

I need to do a security assessment of an application that is written
in Visual Basic. I am not too sure of the version. It is probably
version 6. The back end is Oracle.

What do I look at? I will be able to get access to the source code. I
used to code in VB quite some time back so I should be able to
understand what is happening. However, from the application security
point of view, I need to know what to check.

Anyone any pointers?
Pranav

