Penetration Testing mailing list archives

Re: Application Assessment

From: Glyn Geoghegan <glyng () corsaire com>
Date: Thu, 11 Aug 2005 11:47:58 +1000

On 8 Aug 2005, at 12:53, goenw wrote:

Hi,
anybody have experience with application assessment ? I am anetwork guy, dont know much about the apps PT.
1. is there any tools that allow me to do the assessment throughly ?

If you're talking web-applications, check out www.owasp.org for awealth of information on the subject. You may also want to take alook at the webappsec mailing list at www.securityfocus.com.

Typically, the kind of tools you'll need are the personal-proxycategory, allowing you to intercept and modify communications betweenthe client and server - see Paros Proxy, Odysseus and Burp Proxy, forexample.

There are fully automated tools, but in my personal experience themanual approach has worked more effectively.

Fat client/binary assessment is a slightly different (and arguablymore complex) beast, and probably off-topic for this list.

2. should i have external party conduct this, what are the things ishould expect from them (success criteria) ?
any comments are appriciated.

That depends on how confident you are with your abilities, thedrivers for the assessment and a wealth of factors. Normally, somecoding or development background is essential to identify andunderstand potential vulnerabilities.

Check out www.application-testing.com for our guide on the world ofApplication Security Assessments.


--
-------------------------------------------------------
G l y n   G e o g h e g a n                   BSc, ARCS
Principal Consultant                       Corsaire Ltd
3 Tannery House, Tannery Lane
Send, Surrey, GU23 7EF, UK      UK: +44 (0)1483 226 000
http://www.corsaire.com        Fax: +44 (0)1483 226 001
-------------------------------------------------------



------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------

Current thread:

Application Assessment goenw (Aug 08)
- Re: Application Assessment AdamT (Aug 09)
  - Re: Application Assessment cbc (Aug 10)
  - Re: Application Assessment goenw (Aug 11)
    - Re: Application Assessment Irene Abezgauz (Aug 11)
- Re: Application Assessment Glyn Geoghegan (Aug 11)
  - Re: Application Assessment bugtraq (Aug 11)
- <Possible follow-ups>
- RE: Application Assessment Anders Thulin (Aug 09)
- RE: Application Assessment Ory Segal (Aug 11)
  - RE: Application Assessment Mark Curphey (Aug 12)
- RE: Application Assessment Juan Carlos Reyes Muñoz (Aug 12)
- Re: RE: Application Assessment RUI PEREIRA - WCG (Aug 12)
  - Re: RE: Application Assessment Kyle Starkey (Aug 12)
- RE: Application Assessment Ashley Vandiver (Aug 12)
- RE: Application Assessment Brokken, Allen P. (Aug 12)
- RE: Application Assessment Brokken, Allen P. (Aug 12)

(Thread continues...)