WebApp Sec mailing list archives

Re: Application Security Assessment Methods


From: "Brian G." <brian () fireflydigitalmedia com>
Date: Sun, 12 Oct 2003 20:29:37 -0400

I just checked out www.technicalinfo.net . The site is full of great 
information, and I am convinced Mr. Gunter is quite an expert. 
Thanks for the awesome contribution!
Brian 


Quoting appsec () technicalinfo net:

 Hi there,
 
 A lot of people appear to be asking for a detailed methodology on how to
 conduct a successful application security assessment.  I have yet to find a
 good *public* methodology document that could be used for the diverse types of
 applications I come up against.  To this end, I have written a brief paper to
 aid other consultants and security professionals to better assess the security
 of an application - without the overhead of a complex methodology.  
 
 The paper can be found at
 http://www.technicalinfo.net/papers/AssessmentQuestions.html
 
 From the paper:  "Application security assessment is a unique area of
 assessment and penetration testing.  Unlike infrastructure based assessments,
 the methodology utilised by a security professional for identifying security
 vulnerabilities and significant issues is highly dependent upon the type of
 application being assessed.  Instead of focusing on an all-encompassing
 application security assessment methodology, many consultants may find it more
 practical to cycle through a check-list of questions.  The emphasis of the
 questions is not so much on how to test the application, but more as to what
 the consultant should be looking for."
 
 I hope someone out there also finds it useful.
 
 As this is the initial draft of the paper/questions, I would welcome replies
 to this email containing application based assessment questions that you feel
 are not covered in the present document and should be included in the next
 version.
 
 Cheers,
 
 Gunter
 
 
 Technical Info -- http://www.technicalinfo.net/


-- 
Brian G.
Firefly Digital Media
866-FFDIGTL
866-333-4485