WebApp Sec mailing list archives

RE: Application Security Assessment Methods


From: "Mehler, Robert" <rmehler () bruteforcesecurity com>
Date: Mon, 13 Oct 2003 08:26:00 -0400

Quite a good site, I would also recommend that people take a close look
at 

www.webcohort.com.

The co-founder of Checkpoint (Shlomo Kramer) started this new
application and data base security software company and his team have
massive in depth experience in app. Pen testing and have posted a few
white papers on performing activities like blind SQL injection tests.


Robert J. Mehler
CIO

203-523-0474 x308 main
203-523-0479 fax
917-495-7030 cell
rmehler () bruteforcesecurity com
http://www.bruteforcesecurity.com
 
This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential or privileged
information. If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited. If you
are not the intended recipient, please notify the sender immediately by
return email and delete this communication and destroy all copies.

-----Original Message-----
From: Brian G. [mailto:brian () fireflydigitalmedia com] 
Sent: Sunday, October 12, 2003 8:30 PM
To: appsec () technicalinfo net
Cc: webappsec () securityfocus com; pen-test () securityfocus com
Subject: Re: Application Security Assessment Methods

I just checked out www.technicalinfo.net . The site is full of great 
information, and I am convinced Mr. Gunter is quite an expert. 
Thanks for the awesome contribution!
Brian 


Quoting appsec () technicalinfo net:

 Hi there,
 
 A lot of people appear to be asking for a detailed methodology on how
to
 conduct a successful application security assessment.  I have yet to
find a
 good *public* methodology document that could be used for the diverse
types of
 applications I come up against.  To this end, I have written a brief
paper to
 aid other consultants and security professionals to better assess the
security
 of an application - without the overhead of a complex methodology.  
 
 The paper can be found at
 http://www.technicalinfo.net/papers/AssessmentQuestions.html
 
From the paper:  "Application security assessment is a unique area of
 assessment and penetration testing.  Unlike infrastructure based
assessments,
 the methodology utilised by a security professional for identifying
security
 vulnerabilities and significant issues is highly dependant upon the
type of
 application being assessed.  Instead of focusing on an all-encompassing
 application security assessment methodology, many consultants may find
it more
 practical to cycle through a check-list of questions.  The emphasis of
the
 questions is not so much on how to test the application, but more as to
what
 the consultant should be looking for."
 
 I hope someone out there also finds it useful to them.
 
 At this is the initial draft of the paper/questions, I would welcome
replies
 to this email containing application based assessment questions that
you feel
 are not covered in the present document and should be included in the
next
 version.
 
 Cheers,
 
 Gunter
 
 
 Technical Info -- http://www.technicalinfo.net/
 
 
 
 
 
 


-- 
Brian G.
Firefly Digital Media
866-FFDIGTL
866-333-4485


Current thread: