WebApp Sec mailing list archives
Re: Application Security Assessment Methods
From: "Brian G." <brian () fireflydigitalmedia com>
Date: Sun, 12 Oct 2003 20:29:37 -0400
I just checked out www.technicalinfo.net. The site is full of great information, and I am convinced Mr. Gunter is quite an expert. Thanks for the awesome contribution!

Brian

Quoting appsec () technicalinfo net:

> Hi there,
>
> A lot of people appear to be asking for a detailed methodology on how to conduct a successful application security assessment. I have yet to find a good *public* methodology document that could be used for the diverse types of applications I come up against. To this end, I have written a brief paper to aid other consultants and security professionals to better assess the security of an application - without the overhead of a complex methodology.
>
> The paper can be found at http://www.technicalinfo.net/papers/AssessmentQuestions.html
>
> From the paper: "Application security assessment is a unique area of assessment and penetration testing. Unlike infrastructure based assessments, the methodology utilised by a security professional for identifying security vulnerabilities and significant issues is highly dependent upon the type of application being assessed. Instead of focusing on an all-encompassing application security assessment methodology, many consultants may find it more practical to cycle through a check-list of questions. The emphasis of the questions is not so much on how to test the application, but more as to what the consultant should be looking for."
>
> I hope someone out there also finds it useful to them. As this is the initial draft of the paper/questions, I would welcome replies to this email containing application based assessment questions that you feel are not covered in the present document and should be included in the next version.
>
> Cheers,
>
> Gunter
> Technical Info -- http://www.technicalinfo.net/

--
Brian G.
Firefly Digital Media
866-FFDIGTL
866-333-4485
Current thread:
- Application Security Assessment Methods appsec (Oct 12)
- Re: Application Security Assessment Methods Brian G. (Oct 12)
- <Possible follow-ups>
- RE: Application Security Assessment Methods Mehler, Robert (Oct 13)