Educause Security Discussion mailing list archives
Re: Web application security assessment
From: "St Clair, Jim" <Jim.StClair () GT COM>
Date: Wed, 25 Apr 2007 10:42:16 -0400
Gary,

I would recommend you check out the Open Web Application Security Project - www.owasp.org. They are in my opinion the leading initiative to develop new processes for web application security and basically THE forum to collaborate. Of note, they have a version 2 of their OWASP testing project, which is intended to be the definitive evaluation and penetration test resource for web apps.

They meet in Arlington, which I realize is a healthy drive from Harrisonburg, but may be something you want to pursue. You could get a lot of good feedback on tools and techniques.

Additionally, I am available to discuss more off-line, if you desire. We are in the Harrisonburg area often.

James A. St. Clair, CISM
Sr. Manager
Global Public Sector
Grant Thornton LLP
(703) 637-3078 (office)
(703) 727-6332 (mobile)
(703) 837-4455 (fax)

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Wednesday, April 25, 2007 9:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Web application security assessment

Hi,

We're getting ready to expose our new Oracle/Campus EAI based portal to the Internet. Due to the newness of the environment and its potential integration with critical campus information and infrastructure resources, we're considering the procurement of an independent security assessment of the applications, architecture, implementation, and integration methods.

We've been considering a pen-test engagement. We don't want to go through the discovery and reconnaissance phase. We want to fully disclose the architecture and let the vendor spend their time assessing it rather than discovering it. We certainly want more than automated vulnerability scanning.

Has anyone been in a similar situation? What did you do? Who did you hire? What were the approximate costs?
--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

--------------------------------------------------------
In accordance with applicable professional regulations, please understand that, unless expressly stated otherwise, any written advice contained in, forwarded with, or attached to this e-mail is not intended or written by Grant Thornton LLP to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed under the Internal Revenue Code.
--------------------------------------------------------
This e-mail is intended solely for the person or entity to which it is addressed and may contain confidential and/or privileged information. Any review, dissemination, copying, printing or other use of this e-mail by persons or entities other than the addressee is prohibited. If you have received this e-mail in error, please contact the sender immediately and delete the material from any computer.