WebApp Sec mailing list archives
RE: Application Security Assessment Methods
From: "Mehler, Robert" <rmehler () bruteforcesecurity com>
Date: Mon, 13 Oct 2003 08:26:00 -0400
Quite a good site, I would also recommend that people take a close look at www.webcohort.com. The co-founder of Checkpoint (Shlomo Kramer) started this new application and database security software company, and his team have massive in-depth experience in app. pen testing and have posted a few white papers on performing activities like blind SQL injection tests.

Robert J. Mehler
CIO
203-523-0474 x308 main
203-523-0479 fax
917-495-7030 cell
rmehler () bruteforcesecurity com
http://www.bruteforcesecurity.com

This communication, including attachments, is for the exclusive use of the addressee and may contain proprietary, confidential or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return email and delete this communication and destroy all copies.

-----Original Message-----
From: Brian G. [mailto:brian () fireflydigitalmedia com]
Sent: Sunday, October 12, 2003 8:30 PM
To: appsec () technicalinfo net
Cc: webappsec () securityfocus com; pen-test () securityfocus com
Subject: Re: Application Security Assessment Methods

I just checked out www.technicalinfo.net. The site is full of great information, and I am convinced Mr. Gunter is quite an expert. Thanks for the awesome contribution!

Brian

Quoting appsec () technicalinfo net:

> Hi there,
>
> A lot of people appear to be asking for a detailed methodology on how to conduct a successful application security assessment. I have yet to find a good *public* methodology document that could be used for the diverse types of applications I come up against. To this end, I have written a brief paper to aid other consultants and security professionals to better assess the security of an application - without the overhead of a complex methodology.
>
> The paper can be found at http://www.technicalinfo.net/papers/AssessmentQuestions.html
>
> From the paper: "Application security assessment is a unique area of assessment and penetration testing. Unlike infrastructure based assessments, the methodology utilised by a security professional for identifying security vulnerabilities and significant issues is highly dependent upon the type of application being assessed. Instead of focusing on an all-encompassing application security assessment methodology, many consultants may find it more practical to cycle through a check-list of questions. The emphasis of the questions is not so much on how to test the application, but more as to what the consultant should be looking for."
>
> I hope someone out there also finds it useful to them. As this is the initial draft of the paper/questions, I would welcome replies to this email containing application based assessment questions that you feel are not covered in the present document and should be included in the next version.
>
> Cheers,
> Gunter
> Technical Info -- http://www.technicalinfo.net/

--
Brian G.
Firefly Digital Media
866-FFDIGTL
866-333-4485