WebApp Sec mailing list archives

Application Security Assessment Methods


From: <appsec () technicalinfo net>
Date: Sun, 12 Oct 2003 18:00:09 +0100

Hi there,

A lot of people appear to be asking for a detailed methodology on how to conduct a successful application security 
assessment.  I have yet to find a good *public* methodology document that could be used for the diverse types of 
applications I come up against.  To this end, I have written a brief paper to aid other consultants and security 
professionals to better assess the security of an application - without the overhead of a complex methodology.  

The paper can be found at http://www.technicalinfo.net/papers/AssessmentQuestions.html

From the paper:  "Application security assessment is a unique area of assessment and penetration testing.  Unlike 
infrastructure based assessments, the methodology utilised by a security professional for identifying security 
vulnerabilities and significant issues is highly dependent upon the type of application being assessed.  Instead of 
focusing on an all-encompassing application security assessment methodology, many consultants may find it more 
practical to cycle through a check-list of questions.  The emphasis of the questions is not so much on how to test the 
application, but more as to what the consultant should be looking for."

I hope someone out there also finds it useful to them.

As this is the initial draft of the paper/questions, I would welcome replies to this email containing application based 
assessment questions that you feel are not covered in the present document and should be included in the next version.

Cheers,

Gunter


Technical Info -- http://www.technicalinfo.net/