Penetration Testing mailing list archives
RE: Application Assessment
From: "Anders Thulin" <Anders.Thulin () tietoenator com>
Date: Tue, 9 Aug 2005 07:57:21 +0200
> From: goenw [mailto:goenw.mailinglist () gmail com]
> anybody have experience with application assessment ? [...]
Assessment of what? I assume security -- i.e. resistance to effects from unwanted events, rather than just intrusions. Depends on how you're allowed to do it. A threat analysis followed up by checking up the identified risks (and others that come to mind) is one way. Just make sure you have application and platform experts on the analysis team.
> 1. are there any tools that allow me to do the assessment thoroughly ?
Not that I know of. Parts, such as protocol testing, yes. But you also need to assess configuration file security, security log contents, management, etc.

For instance, if you're assessing a POP server, part of the job can be trying to upset the server by feeding it bad input, or trying to brute force accounts. Can the server be DoSed? For that you can find tools. Another part is checking the logs to see if these attempts were discovered -- if not, if they could have been by sharper configuration. And if they are discovered, are there any mechanisms or routines that ensure that someone actually gets a report of break-in attempts, or do the log files just sit around, collecting dust?

Updates and upgrades are other parts: are they easy or difficult to do? Do they upset anything? And indirectly, if you have a test environment for pre-deployment testing, if that is secure enough in itself.

By now you see why the threat analysis is necessary: you need to get a list of all unwanted events associated with the application in any way, extract those that are relevant for your particular job, and decide if they can be tested or not. But perhaps the scope of the assessment is smaller than that.

Anders Thulin
anders.thulin () tietoenator com
040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
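The log-review step Anders describes (did the brute-force attempts against the POP server actually show up, and would anyone notice?) can be rehearsed as a small detection check. The script below is an added example, not part of the original post; the log lines are constructed in a generic syslog-like layout, and the `pop3d` tag, field names and thresholds are assumptions, not any real server's format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (generic layout, not from any real POP server).
SAMPLE_LOG = """\
Aug  9 07:50:01 mail pop3d: LOGIN FAILED user=alice rip=198.51.100.7
Aug  9 07:50:02 mail pop3d: LOGIN FAILED user=bob rip=198.51.100.7
Aug  9 07:50:03 mail pop3d: LOGIN FAILED user=carol rip=198.51.100.7
Aug  9 07:50:04 mail pop3d: LOGIN FAILED user=dave rip=198.51.100.7
Aug  9 07:50:05 mail pop3d: LOGIN FAILED user=erin rip=198.51.100.7
Aug  9 07:50:06 mail pop3d: LOGIN OK user=erin rip=198.51.100.7
Aug  9 07:55:00 mail pop3d: LOGIN FAILED user=alice rip=203.0.113.9
Aug  9 08:10:00 mail pop3d: LOGIN OK user=alice rip=203.0.113.9
"""

# Assumed line format: "<syslog timestamp> <host> pop3d: LOGIN <FAILED|OK> user=<u> rip=<ip>"
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pop3d: LOGIN (FAILED|OK) user=(\S+) rip=(\S+)$")

def parse(log_text, year=2005):
    """Return (timestamp, status, user, source_ip) tuples; syslog lines carry no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, or a format the log does not record: a finding in itself
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_bruteforce(events, threshold=5, window_s=60):
    """Per source IP, flag >= threshold failures inside window_s seconds and
    report which accounts logged in successfully from that IP after the burst."""
    by_ip = defaultdict(list)
    for ts, status, user, ip in events:
        by_ip[ip].append((ts, status, user))
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "FAILED"]
        for i in range(len(fails)):
            j = i + threshold - 1
            if j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_s:
                burst_end = fails[j][0]
                later_ok = sorted({u for t, s, u in evs if s == "OK" and t >= burst_end})
                findings[ip] = {"failures": len(fails),
                                "distinct_users": len({u for _, _, u in fails}),
                                "success_after_burst": later_ok}
                break
    return findings
```

If the assessment's own login attempts produce no matching lines at all, the logging configuration is the finding; if they do match but nothing downstream consumes the result, the reporting routine is.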