Educause Security Discussion mailing list archives
Re: Web application security assessment
From: Chris Bennett <bennetc () LCC EDU>
Date: Wed, 25 Apr 2007 10:17:36 -0400
We did an assessment of our Oracle portal/collaboration suite with some portal code reviews a few years back. The company that we worked with was Integrigy. Steven Kost is a very smart fellow that helped a lot with our security. Our approach was to give him access to the system and let him review our work to assess the system. He did software source code reviews in addition to looking at system setups.

This was part of a larger review of the Oracle 11i Applications and a security program review that was done by Neohapsis and so the costing will not be relevant.

Gary Flynn wrote:
> Hi,
>
> We're getting ready to expose our new Oracle/Campus EAI based portal to the Internet. Due to the newness of the environment and its potential integration with critical campus information and infrastructure resources, we're considering the procurement of an independent security assessment of the applications, architecture, implementation, and integration methods.
>
> We've been considering a pen-test engagement. We don't want to go through the discovery and reconnaissance phase. We want to fully disclose the architecture and let the vendor spend their time assessing it rather than discovering it. We certainly want more than automated vulnerability scanning.
>
> Has anyone been in a similar situation? What did you do? Who did you hire? What were the approximate costs?

--
Chris Bennett, GSNA, GSEC
Director of Information Security
Lansing Community College
517-483-5264