WebApp Sec mailing list archives
Re: Recommendations for web app test?
From: Tom Stracener <strace () gmail com>
Date: 26 Oct 2004 21:39:16 -0000
In-Reply-To: <BAY23-F110xJK5OuLID00008387 () hotmail com>

Starting with the basics.
What should you be looking for:
http://www.owasp.org/documentation/topten/introduction.html

That's a start. Bear in mind that the security field has always had its list fascination, but these are just the shiny red buttons that hackers love to push. There's a lot more to web app security than being list minded about your application or its environment.
What should the auditors be looking for?
Well, that's the point. It depends on how the customer portal and e-commerce app fit within your network and application architecture, how they are designed to be used, and the types of functionality you provide. Plus, all this does connect to your pretty secure network and its database(s). So once again, there is no exhaustive checklist. You should be concerned with scenarios of misuse and abuse, as well as the red flag OWASP issues.
How will I know that they are testing for what I need them to test for?
You probably won't. So if you go with a company with a proven track record.
What is a good price range? [...]
There's no point in me estimating costs, because you're likely to get different figures. Bear in mind there is no quick fix, and the value of manual app security assessment depreciates quickly if your environment is changing (and it is, constantly). No matter how well crafted a "threat model" is, it is a time dependent snapshot of risk: if you roll out new servers, change patch level, export additional services, change your architecture, or release new versions of your applications, the information becomes dated. Solution: get another audit. The way out of this cycle is to hire someone specialized in application security and perform regular automated and manual audits yourself, using the right tools.

My recommendations:

1. Consider investing in an application security person, and don't rely on manual pen-testing alone.

2. Consider the available commercial applications, preferably an application that lets you create custom policies and rules specific to your environment. The ability to perform regular assessments in house is key to your long term security. There are some great open source tools for this purpose too, but they do require expertise to utilize. For commercial apps, check out: SPI Dynamics' WebInspect, Watchfire/Sanctum's AppScan, Cenzic's Hailstorm.

3. Talk to nCircle about your network. They provide 24/7 vulnerability management for your infrastructure at a reasonable cost of deployment. This comment you made about your network being "pretty secure" troubled me.

--Tom
Well, we've decided that everything in our environment is pretty secure, except for our web applications. So, now we need to outsource the security assessment of our web applications. So, my question is, what should I be looking for? What should the auditors be looking for? How will I know that they are testing for what I need them to test for? What is a good price range, based on one e-commerce application, one employee intranet application, and one customer portal application? Should it be based on the number of forms? Or some other metric? Please advise?!?!

Thanks.