WebApp Sec mailing list archives
Re: Recommendations for web app test?
From: <kingpang () gmail com>
Date: 22 Oct 2004 17:31:27 -0000
In-Reply-To: <BAY23-F110xJK5OuLID00008387 () hotmail com> Hi App Crawler, I think another responder Daniel did a great job giving you suggestions. You did not mention what platform your web application is running on. If your web app runs on IIS, here is another checklist the auditors may consider using: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/CL_SecWebs.asp In order to have a mutual understanding between you and the auditor on what to test, usually the auditor will create a "Threat Model". A threat model identifies the assets you would like to protect, and the threats your web app is likely to have. If you are interested to see what a threat model is like, you may visit this following link: http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx?pull=/library/en-us/dnnetsec/html/thcmch03.asp These are my two cents and I hope this helps you. KingPang
Well, we've decided that everything in our environment is pretty secure, except for our web applications. So, now we need to outsource the security assessment of our web applications. So, my question is, what should I be looking for? What should the auditors be looking for? How will I know that they are testing for what I need them to test for? What is a good price range, based on one e-commerce application, one employee intranet application, and one customer portal application? Should it be based on the number of forms? Or some other metric? Please advise?!?! Thanks. _________________________________________________________________ Get ready for school! Find articles, homework help and more in the Back to School Guide! http://special.msn.com/network/04backtoschool.armx
Current thread:
- Recommendations for web app test? App Crawler (Oct 21)
- Re: Recommendations for web app test? Daniel (Oct 21)
- Re: Recommendations for web app test? Cesar (Oct 22)
- Re: Recommendations for web app test? subscriber (Oct 24)
- Re: Recommendations for web app test? Stephen de Vries (Oct 22)
- <Possible follow-ups>
- Re: Recommendations for web app test? kingpang (Oct 22)
- Re: Recommendations for web app test? ban.marketing.bs (Oct 24)
- Re: Recommendations for web app test? Tom Stracener (Oct 28)
- Re: Recommendations for web app test? Daniel (Oct 21)