Educause Security Discussion mailing list archives

Application security / penetration testing vendor search


From: Dan Roberts <ddrobert () KENT EDU>
Date: Thu, 19 Jan 2006 22:50:32 -0500

I'm looking for anyone who wouldn't mind sharing some highlights from their
experiences in picking or using a vendor to perform vulnerability
assessments and penetration testing on web applications.

We've traditionally been good at securing our operating systems and
networks.. but frankly, the writing has been on the wall for quite some
time now that patches and firewalls are not adequate protection when public
facing web applications are riddled with things such as SQL injection
vulnerabilities and poor authentication schemes.

Recently, we've been given the opportunity to redesign a lot of our
application development processes.. and you can be sure there will be a lot
of attention paid to life cycle management, code audits, and vulnerability
assessments.  The first task at hand is to shore up what we already own.
The challenge we face is conducting a baseline security review across our
roughly 40 web applications in very short order.  This is not something we
intend to develop in-house expertise in; but we can't learn and perform all
in the short window we've been given.

Enter the need for a vendor to outsource this task to.  The penetration
testing should be thorough -- performed by an analyst who can dig deeper
into suspect problem areas, and shed real light on the situation.  That is,
if the vendor intends to simply run off-the-shelf software and print the
results for us, I think we're rather capable of doing that ourselves.  It
should also be focused on application specific security flaws.. we're quite
handy with Nessus and Nmap type tools, and don't need anyone to confirm for
us that port 80 is open.

I'm interested in specific vendor recommendations, questions you would have
asked had you known in advance what a mess you were getting yourself into,
and input on the effectiveness and efficiency of a pen-test type
assessment from the outside versus a source code audit.

Thank you in advance,

Dan Roberts
Office of Security and Compliance
Information Services Division
Kent State University

330-672-5373
ddrobert () kent edu
