Penetration Testing mailing list archives
Re: Application Assessment
From: Irene Abezgauz <irene.abezgauz () gmail com>
Date: Thu, 11 Aug 2005 17:06:39 +0200
goenw,

You are approaching it from the point of view of a network guy. Since you said you are a network guy new to this - it's completely natural and ok. The problem is that application testing is somewhat different from network testing. The regular break-ins are not buffer overflows and DoS, they are more along the lines of application flow bypassing, tampering with parameters, script injections, identification of weak testing mechanisms, you get my drift.

You start from a user perspective, which means completely blackboxed - in any case I am not sure just how source code could help you here since you come from an IT background and not a programming background.

I think using an external party could be a good solution for this problem, as it is quite difficult to deliver a high-quality application pentest if you have no previous knowledge of how applications work and what you should be looking for.

Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com

On 8/11/05, goenw <goenw.mailinglist () gmail com> wrote:
> Guys,
>
> Thanks a lot for your reply, just returned from my trip. Here are more details regarding the assessment.
>
> 1. There is a list of applications to be assessed, which includes a standalone win32 executable, but mainly web applications.
> 2. The assessment will be from a user perspective (no source code).
> 3. The assessment is a security assessment to find out about the regular types of break-ins (buffer overflow, DoS, etc.).
> 4. Does anybody have experience with an external party, and is able to share the experience (scope of work, test cases, etc.)?
>
> Thanks and Regards,
> goenw
>
> AdamT wrote:
> > On 8/8/05, goenw <goenw.mailinglist () gmail com> wrote:
> > > Hi, does anybody have experience with application assessment? I am a network guy, don't know much about the apps PT.
> > > 1. Is there any tool that allows me to do the assessment thoroughly?
> > > 2. Should I have an external party conduct this? What are the things I should expect from them (success criteria)?
> > > Any comments are appreciated.
> >
> > Can you be more specific about the application that you're testing? eg - is it a standalone win32 executable, or perhaps a web application? Will you be testing the infrastructure on which it runs also? Does the application rely on input from either the user, other processes, drivers or other hosts on a network?
> >
> > Big question - will you have access to the source code? All of it? Example - not much use having access to the source of application.exe if you don't get the source to applib1.dll
> >
> > If you're looking to get an external party in, you need to think about what levels of assurance you need for this particular application. If it's a branded screen-saver that you want to distribute as a PR exercise, your needs (and testing methods) will be very different from testing a custom web banking application.

------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't
Learn the hacker's secrets that compromise wireless LANs. Secure your WLAN by understanding these threats, available hacking tools and proven countermeasures. Defend your WLAN against man-in-the-Middle attacks and session hijacking, denial-of-service, rogue access points, identity thefts and MAC spoofing. Request your complimentary white paper at:
http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------
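As an added illustration of the distinction Irene draws (this is not part of the thread and not Hacktics' material): a constructed Python toy of a three-step checkout, once in a version that trusts the client and once hardened, plus the black-box probes a tester would send for the three issue classes she names, flow bypassing, parameter tampering and script injection. The shop, catalog, paths and payload are all made up for the example; no real product or URL is meant.

```python
"""Toy checkout flow used to show the three application-layer issue classes
named in the post (flow bypass, parameter tampering, script injection).
Constructed example; not from the thread or any real product."""
import html
from dataclasses import dataclass, field

CATALOG = {"book": 1200}               # constructed: price in cents
PAYLOAD = "<script>alert(1)</script>"  # constructed script-injection probe


@dataclass
class Session:
    """Server-side session state (the hardened shop relies on this)."""
    cart: dict = field(default_factory=dict)
    paid: bool = False
    step: str = "cart"


class Shop:
    def __init__(self):
        self.orders = []


class VulnerableShop(Shop):
    """Trusts hidden form fields for the price and for 'did the user pay?'."""

    def handle(self, session, path, params):
        if path == "/add":
            # Price taken from the request instead of the catalog.
            session.cart[params["item"]] = int(params["price"])
            return 200, "added"
        if path == "/confirm":
            # A client-controlled flag decides whether payment happened.
            if params.get("paid") == "1":
                self.orders.append(dict(session.cart))
                # User input echoed into the page without encoding.
                return 200, "order placed for %s" % params.get("name", "")
            return 403, "not paid"
        return 404, ""


class HardenedShop(Shop):
    """Keeps price and flow state on the server; encodes output."""

    def handle(self, session, path, params):
        if path == "/add":
            item = params.get("item")
            if item not in CATALOG:
                return 400, "unknown item"
            session.cart[item] = CATALOG[item]   # server-side price only
            session.step = "pay"
            return 200, "added"
        if path == "/pay":
            if session.step != "pay":
                return 409, "wrong step"
            session.paid = True                  # set only by the server
            session.step = "confirm"
            return 200, "paid"
        if path == "/confirm":
            if session.step != "confirm" or not session.paid:
                return 409, "wrong step"         # /pay cannot be skipped
            self.orders.append(dict(session.cart))
            session.step = "done"
            return 200, "order placed for %s" % html.escape(params.get("name", ""))
        return 404, ""


def probe(shop_cls):
    """Send the three black-box probes a tester would try; report which succeed."""
    findings = {}

    # 1. Parameter tampering: ask for the 1200-cent item at 1 cent.
    shop, s = shop_cls(), Session()
    shop.handle(s, "/add", {"item": "book", "price": "1"})
    findings["price_tampering"] = s.cart.get("book") == 1

    # 2. Flow bypass: skip /pay and go straight to /confirm claiming paid=1.
    shop, s = shop_cls(), Session()
    shop.handle(s, "/add", {"item": "book", "price": "1200"})
    code, _ = shop.handle(s, "/confirm", {"paid": "1", "name": "tester"})
    findings["flow_bypass"] = code == 200 and len(shop.orders) == 1

    # 3. Script injection: follow the flow properly, inject into 'name'.
    shop, s = shop_cls(), Session()
    shop.handle(s, "/add", {"item": "book", "price": "1200"})
    shop.handle(s, "/pay", {})
    _, body = shop.handle(s, "/confirm", {"paid": "1", "name": PAYLOAD})
    findings["script_injection"] = PAYLOAD in body
    return findings


if __name__ == "__main__":
    for cls in (VulnerableShop, HardenedShop):
        print(cls.__name__, probe(cls))
```

None of the three probes involves malformed packets or oversized input; each is a well-formed request sent out of order or with a field the server should never have trusted, which is why a network scanner reports nothing against either shop while the vulnerable one hands over a 1-cent order, an unpaid order, and a reflected script.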
Current thread:
- Application Assessment goenw (Aug 08)
- Re: Application Assessment AdamT (Aug 09)
- Re: Application Assessment cbc (Aug 10)
- Re: Application Assessment goenw (Aug 11)
- Re: Application Assessment Irene Abezgauz (Aug 11)
- Re: Application Assessment Glyn Geoghegan (Aug 11)
- Re: Application Assessment bugtraq (Aug 11)
- <Possible follow-ups>
- RE: Application Assessment Anders Thulin (Aug 09)
- RE: Application Assessment Ory Segal (Aug 11)
- RE: Application Assessment Mark Curphey (Aug 12)
- RE: Application Assessment Juan Carlos Reyes Muñoz (Aug 12)
- Re: RE: Application Assessment RUI PEREIRA - WCG (Aug 12)
- Re: RE: Application Assessment Kyle Starkey (Aug 12)
- RE: Application Assessment Ashley Vandiver (Aug 12)
- RE: Application Assessment Brokken, Allen P. (Aug 12)
(Thread continues...)