WebApp Sec mailing list archives

RE: Application Assessment


From: Tom Stracener <strace () gmail com>
Date: Fri, 12 Aug 2005 16:04:55 -0500

goenw,

Congratulations on your new job responsibilities. Hope they are going 
to give you a raise. :-) 

If you get into a position where you are evaluating commercial
products, I would also encourage you to take a look at Cenzic's
Hailstorm. It's a feature rich web application security scanner with
very low false positives.

Now to your questions. . .

1. Are there any tools that allow me to do the assessment thoroughly?

It really depends on what you are looking for. If you're
unsure of what you're looking for, a good place to begin educating
yourself is here:

http://www.owasp.org 

You should probably just read the entire OWASP website as a primer. It's lighter 
reading than unix man pages. :-) Also, once you get a grasp of the
general web application problem areas check out the OWASP web app
penetration testing checklist. Educate yourself as much as possible so
you can make an informed decision about what you want and what you
need.


2. Should I have an external party conduct this, 
and what are the things I should expect from them 
(success criteria)? 

After reading the OWASP penetration testing checklist, you could ask
the company to explain their web penetration testing methodology to
you and then compare the differences. Ideally, get a copy for your own
reference. But don't just compare lists. Think about the types of
applications you have and pick a company (or individual) that has
relevant experience.

If you go with a vendor, ask for a demo, preferably a demo scan of
one of your own servers. Then, you can choose the product/service
that gives you the best, most useful, results.

Remember, there's always 

here:

http://www.parosproxy.org/download.shtml

And here:

http://www.frsirt.com/exploits/

Best of Luck,


-Tom
