WebApp Sec mailing list archives

Re: Recommendations for web app test?


From: <kingpang () gmail com>
Date: 22 Oct 2004 17:31:27 -0000

In-Reply-To: <BAY23-F110xJK5OuLID00008387 () hotmail com>

Hi App Crawler,

I think another responder, Daniel, did a great job giving you suggestions.

You did not mention what platform your web application is running on.  If your web app runs on IIS, here is another 
checklist the auditors may consider using:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/CL_SecWebs.asp

In order to have a mutual understanding between you and the auditor on what to test, usually the auditor will create a 
"Threat Model".  A threat model identifies the assets you would like to protect, and the threats your web app is likely 
to face.  If you are interested in seeing what a threat model is like, you may visit the following link:

http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx?pull=/library/en-us/dnnetsec/html/thcmch03.asp

These are my two cents and I hope this helps you.

KingPang


Well, we've decided that everything in our environment is pretty secure, 
except for our web applications. So, now we need to outsource the security 
assessment of our web applications. So, my question is, what should I be 
looking for? What should the auditors be looking for? How will I know that 
they are testing for what I need them to test for? What is a good price 
range, based on one e-commerce application, one employee intranet 
application, and one customer portal application? Should it be based on the 
number of forms? Or some other metric? Please advise?!?! Thanks.

