Re: Complex applications security testing framework

[Marat VYSHEGORODTSEV <marat.vyshegorodtsev () gmail com>]

Hello, chr1x!

Thank you for your reply.

Sure, SANS Top25 is not a good example, but CWE classification at
least gives us some structure.

Fuzzing is only one method among others (e.g. code review, developers
interviewing, security logic testing, etc.) used in vulnerability
discovery and usually is applied when source code is not available.
How do I have to test, for example, simple FTP server (with source
code available) to provide comprehensive result? Is there, like, any
public "checklist" where I can fill ticks in?

Again, for web applications it's all clear: OWASP Testing Guide, OWASP
Top10, etc.
For some particular applications there are industry standards - e.g.
J2ME app implementing MMA auth in cell phone falls under "MasterCard
Best Practice for MMA applications". But AFAIK there is no common and
comprehensive framework for application testing.

Maybe I'm missing smth, but ISSAF is all about penetration tests, not
application assessment. It contains only one small section called
"APPLICATION SECURITY EVALUATION CHECKLIST" and I can hardly call it
"comprehensive". Compare it, for example, with PCI PA-DSS [0].

[0] https://www.pcisecuritystandards.org/security_standards/pci_pa_dss.shtml

2009/11/29 chr1x <chr1x () sectester net>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello Marat,
>
>
> Looking around the links that you posted, in this case, talking about
> the SANS Top25, mostly of those are related to Web, at least, the
> concept, for example: CWE-285: Improper Access Control
> (Authorization). I'm not sure exactly what you mean by assessing
> complex apps in a non-scripting language. I figured out that some apps
> that applies to your question it's more focused on RE / Vulnerability
> discovery tasks, like for example an ftp server in which you could
> perform security assessment with Fuzzing apps like TAOF (The Art of
> Fuzzing) which looks for Stack/Heap/String/Integer overflows, at the
> end in this case, you are doing "security" based testing.
>
> I know that one of the best testing guidelines for non-web apps is the
> ISSAF [www.oissg.org/issaf] which I highly recommend you to take a look.
>
> Hope I cleared your doubt.
>
> chr1x  **
>
> - --
> - ---
> [CubilFelino Security Research Lab - http://chr1x.sectester.net ]
> "The computer security is an art form. It's the ultimate martial art."
>
>
> Marat VYSHEGORODTSEV escribió:
> > Hello, web security researchers!
> >
> > There is well known methodology for auditing security of web
> > applications called OWASP Testing Guide [0], but it describes testing
> > procedures for only web applications, not for, like, complex
> > applications (for example, containing application servers, application
> > gateways and so on) usually written in C#, C++, Delphi or any other
> > non-scripting language. Would you, folks, recommend such a framework
> > for testing complex not-web-only-applications?
> >
> > I know only one approach from SANS [1] (Top25, CWE classification and
> > risk assessment), but it doesn't provide comprehensive methodology
> > like OWASP does. Basically I want to fill a gap between risk and
> > vulnerability assessment jobs and I'm looking for generally recognized
> > approach.
> >
> > [0] http://www.owasp.org/index.php/Category:OWASP_Testing_Project
> > [1] http://www.sans.org/top25-programming-errors/
> >
> > Sincerely, Marat Vyshegorodtsev
> > Assessment specialist
> >
> >
> >
> > This list is sponsored by Cenzic
> > --------------------------------------
> > Let Us Hack You. Before Hackers Do!
> > It's Finally Here - The Cenzic Website HealthCheck. FREE.
> > Request Yours Now!
> > http://www.cenzic.com/2009HClaunch_Securityfocus
> > --------------------------------------
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJLEp0IAAoJEENUkd83ZfT49lgH/1TcCdJEzeAjhRcRXrV233gT
> 139XqC5sJw/n4FtVLvxBGtCPO4ZZlo5MHET+fumyVJ6plhHX/H81LTl+XJGh8h+s
> 8bN4lwL9zNGUayG2Rfjveme8Kj8uo3PLfQeyFyIsQKCqckw8oxepNTJKmDgKAJT+
> n2gxprxzGPOX8joW0h9asoXLE1sa9ad5whThukcgRYU8FTMyYoA4q3Nlg02MUNwH
> oEgX2qSamrL4Uo091yztg3ug4NUd4Ox/1YymgvStpn4zB5aZbwbaQNnkBxf/Zcgl
> Po0PdcMYLBj5CTIOsXQ0PO/AWpvKwjpEcW2JYZxhaCsnxcKn6QvSgSCZV17PK3s=
> =lKzV
> -----END PGP SIGNATURE-----



-- 
Marat Vyshegorodtsev



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------