Penetration Testing mailing list archives
RE: Application Assessment
From: Tom Stracener <strace () gmail com>
Date: Fri, 12 Aug 2005 16:04:55 -0500
goenw, Congratulations on your new job responsibilities. Hope they are going to give you a raise. :-) If you get into a position where you are evaluating commercial products, I would also encourage you to take a look at Cenzic's Hailstorm. It's a feature-rich web application security scanner with very low false positives. Now to your questions. . .
1. is there any tools that allow me to do the assessment throughly ?
It really depends on what you are looking for. If you're unsure of what you're looking for, a good place to begin educating yourself is here: http://www.owasp.org You should probably just read the entire OWASP website as a primer. It's lighter reading than unix man pages. :-) Also, once you get a grasp of the general web application problem areas, check out the OWASP web app penetration testing checklist. Educate yourself as much as possible so you can make an informed decision about what you want and what you need.
2. should i have external party conduct this, what are the things i should expect from them (success criteria) ?
After reading the OWASP penetration testing checklist, you could ask the company to explain their web penetration testing methodology to you and then compare the differences. Ideally, get a copy for your own reference. But don't just compare lists. Think about the types of applications you have and pick a company (or individual) that has relevant experience. If you go with a vendor, ask for a demo, preferably a demo scan of one of your own servers. Then, you can choose the product/service that gives you the best, most useful results. Remember, there's always here: http://www.parosproxy.org/download.shtml And here: http://www.frsirt.com/exploits/

Best of Luck,
-Tom