Educause Security Discussion mailing list archives

Re: Web application security assessment


From: Chris Bennett <bennetc () LCC EDU>
Date: Wed, 25 Apr 2007 10:17:36 -0400

We did an assessment of our Oracle portal/collaboration suite with some
portal code reviews a few years back.  The company that we worked with
was Integrigy.  Steven Kost is a very smart fellow who helped a lot
with our security.  Our approach was to give him access to the system
and let him review our work to assess the system.  He did software
source code reviews in addition to looking at system setups.  This was
part of a larger review of the Oracle 11i Applications and a security
program review that was done by Neohapsis and so the costing will not be
relevant.

Gary Flynn wrote:

Hi,

We're getting ready to expose our new Oracle/Campus EAI based
portal to the Internet. Due to the newness of the environment
and its potential integration with critical campus information
and infrastructure resources, we're considering the procurement
of an independent security assessment of the applications,
architecture, implementation, and integration methods.

We've been considering a pen-test engagement. We don't want
to go through the discovery and reconnaissance phase. We want
to fully disclose the architecture and let the vendor spend
their time assessing it rather than discovering it. We
certainly want more than automated vulnerability scanning.

Has anyone been in a similar situation? What did you do?
Who did you hire? What were the approximate costs?


--
Chris Bennett, GSNA, GSEC
Director of Information Security
Lansing Community College
517-483-5264
