WebApp Sec mailing list archives

Re: Recommendations for web app test?


From: Tom Stracener <strace () gmail com>
Date: 26 Oct 2004 21:39:16 -0000

In-Reply-To: <BAY23-F110xJK5OuLID00008387 () hotmail com>

Starting with the basics.

What should you be looking for:

http://www.owasp.org/documentation/topten/introduction.html

That's a start. Bear in mind that the security field has always had its list fascination, but these are just the shiny 
red buttons that hackers love to push. There's a lot more to web app security than being list minded about your 
application or its environment. 

What should the auditors be looking for?

Well, that's the point. It depends on how the customer portal and e-commerce app fit within your network and application 
architecture, how they are designed to be used, and the types of functionality you provide. Plus, all this does connect 
to your pretty secure network and its database(s).
So once again, there is no exhaustive checklist. You should be concerned with scenarios of misuse and abuse, as well as 
the red flag OWASP issues.

How will I know that they are testing for what I need them to test for?

You probably won't. So go with a company with a proven track record. 


What is a good price range? [...]

There's no point in me estimating costs, because you're likely to get different figures. Bear in mind there is no quick 
fix, and the value of manual app security assessment depreciates quickly if your environment is changing (and it is, 
constantly). No matter how well crafted a "threat model" is, it is a time dependent snapshot of risk: if you roll out 
new servers, change patch level, export additional services, change your architecture, or release new versions of your 
applications, the information becomes dated. Solution: get another audit. The way out of this cycle is to hire someone 
specialized in application security and perform regular automated and manual audits yourself, using the right tools.

My recommendations:

1. Consider investing in an application security person, and don't rely on manual pen-testing alone.

2. Consider the available commercial applications, preferably an application that lets you create custom policies and 
rules specific to your environment. The ability to perform regular assessments in house is key to your long term 
security. There are some great open source tools for this purpose too, but they do require expertise to utilize.

For commercial apps, check out:

SPI Dynamics' WebInspect
Watchfire/Sanctum's AppScan
Cenzic's Hailstorm.


3. Talk to nCircle about your network. They provide 24/7 vulnerability management for your infrastructure at a 
reasonable cost of deployment. This comment you made about your network being "pretty secure" troubled me.

--Tom


Well, we've decided that everything in our environment is pretty secure, 
except for our web applications. So, now we need to outsource the security 
assessment of our web applications. So, my question is, what should I be 
looking for? What should the auditors be looking for? How will I know that 
they are testing for what I need them to test for? What is a good price 
range, based on one e-commerce application, one employee intranet 
application, and one customer portal application? Should it be based on the 
number of forms? Or some other metric? Please advise?!?! Thanks.
