Educause Security Discussion mailing list archives

Web application security assessment


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 25 Apr 2007 09:22:52 -0400


Hi,

We're getting ready to expose our new Oracle/Campus EAI based
portal to the Internet. Due to the newness of the environment
and its potential integration with critical campus information
and infrastructure resources, we're considering the procurement
of an independent security assessment of the applications,
architecture, implementation, and integration methods.

We've been considering a pen-test engagement. We don't want
to go through the discovery and reconnaissance phase. We want
to fully disclose the architecture and let the vendor spend
their time assessing it rather than discovering it. We
certainly want more than automated vulnerability scanning.

Has anyone been in a similar situation? What did you do?
Who did you hire? What were the approximate costs?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
