Educause Security Discussion mailing list archives
Application security / penetration testing vendor search
From: Dan Roberts <ddrobert () KENT EDU>
Date: Thu, 19 Jan 2006 22:50:32 -0500
I'm looking for anyone who wouldn't mind sharing some highlights from their experiences in picking or using a vendor to perform vulnerability assessments and penetration testing on web applications. We've traditionally been good at securing our operating systems and networks... but frankly, the writing has been on the wall for quite some time now that patches and firewalls are not adequate protection when public-facing web applications are riddled with things such as SQL injection vulnerabilities and poor authentication schemes.

Recently, we've been given the opportunity to redesign a lot of our application development processes... and you can be sure there will be a lot of attention paid to life cycle management, code audits, and vulnerability assessments. The first task at hand is to shore up what we already own. The challenge we face is conducting a baseline security review across our roughly 40 web applications in very short order. This is not something we intend to develop in-house expertise in; but we can't learn and perform it all in the short window we've been given. Enter the need for a vendor to outsource this task to.

The penetration testing should be thorough -- performed by an analyst who can dig deeper into suspect problem areas and shed real light on the situation. That is, if the vendor intends to simply run off-the-shelf software and print the results for us, I think we're rather capable of doing that ourselves. It should also be focused on application-specific security flaws... we're quite handy with Nessus and Nmap type tools, and don't need anyone to confirm for us that port 80 is open.

I'm interested in specific vendor recommendations, questions you would have asked had you known in advance what a mess you were getting yourself into, and input on the effectiveness and efficiency of a pen-test type assessment from the outside versus a source code audit.
Thank you in advance,

Dan Roberts
Office of Security and Compliance
Information Services Division
Kent State University
330-672-5373
ddrobert () kent edu