WebApp Sec mailing list archives

Complex applications security testing framework


From: Marat VYSHEGORODTSEV <marat.vyshegorodtsev () gmail com>
Date: Sun, 29 Nov 2009 00:47:19 +0300

Hello, web security researchers!

There is a well-known methodology for auditing the security of web
applications called the OWASP Testing Guide [0], but it describes testing
procedures only for web applications, not for, like, complex
applications (for example, those containing application servers, application
gateways and so on) usually written in C#, C++, Delphi or any other
non-scripting language. Would you, folks, recommend such a framework
for testing complex, not-web-only applications?

I know only one approach from SANS [1] (Top 25, CWE classification and
risk assessment), but it doesn't provide a comprehensive methodology
like OWASP does. Basically I want to fill a gap between risk and
vulnerability assessment jobs and I'm looking for a generally recognized
approach.

[0] http://www.owasp.org/index.php/Category:OWASP_Testing_Project
[1] http://www.sans.org/top25-programming-errors/

Sincerely, Marat Vyshegorodtsev
Assessment specialist
