Educause Security Discussion mailing list archives

Re: Web application security assessment


From: "St Clair, Jim" <Jim.StClair () GT COM>
Date: Wed, 25 Apr 2007 10:42:16 -0400

Gary, I would recommend you check out the Open Web Application Security
Project - www.owasp.org. 

They are in my opinion the leading initiative to develop new processes
for web application security and basically THE forum to collaborate. Of
note, they have a version 2 of their OWASP testing project, which is
intended to be the definitive evaluation and penetration test resource
for web apps.

They meet in Arlington, which I realize is a healthy drive from
Harrisonburg, but may be something you want to pursue. You could get a
lot of good feedback on tools and techniques.

Additionally, I am available to discuss more off-line, if you desire. We
are in the Harrisonburg area often.

James A. St. Clair, CISM
Sr. Manager
Global Public Sector
Grant Thornton LLP
(703) 637-3078 (office)
(703) 727-6332 (mobile)
(703) 837-4455 (fax)


-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU] 
Sent: Wednesday, April 25, 2007 9:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Web application security assessment


Hi,

We're getting ready to expose our new Oracle/Campus EAI based
portal to the Internet. Due to the newness of the environment
and its potential integration with critical campus information
and infrastructure resources, we're considering the procurement
of an independent security assessment of the applications,
architecture, implementation, and integration methods.

We've been considering a pen-test engagement. We don't want
to go through the discovery and reconnaissance phase. We want
to fully disclose the architecture and let the vendor spend
their time assessing it rather than discovering it. We
certainly want more than automated vulnerability scanning.

Has anyone been in a similar situation? What did you do?
Who did you hire? What were the approximate costs?

-- 
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
 
