WebApp Sec mailing list archives

Re: Application Assessment


From: Glyn Geoghegan <glyng () corsaire com>
Date: Thu, 11 Aug 2005 11:47:58 +1000

On 8 Aug 2005, at 12:53, goenw wrote:

> Hi,
>
> Does anybody have experience with application assessment? I am a network guy, I don't know much about apps PT.
> 1. Are there any tools that allow me to do the assessment thoroughly?

If you're talking web-applications, check out www.owasp.org for a wealth of information on the subject. You may also want to take a look at the webappsec mailing list at www.securityfocus.com.

Typically, the kind of tools you'll need are the personal-proxy category, allowing you to intercept and modify communications between the client and server - see Paros Proxy, Odysseus and Burp Proxy, for example.

There are fully automated tools, but in my personal experience the manual approach has worked more effectively.

Fat client/binary assessment is a slightly different (and arguably more complex) beast, and probably off-topic for this list.

> 2. Should I have an external party conduct this? What are the things I should expect from them (success criteria)?
> Any comments are appreciated.

That depends on how confident you are with your abilities, the drivers for the assessment and a wealth of factors. Normally, some coding or development background is essential to identify and understand potential vulnerabilities.

Check out www.application-testing.com for our guide on the world of Application Security Assessments.

--
-------------------------------------------------------
G l y n   G e o g h e g a n                   BSc, ARCS
Principal Consultant                       Corsaire Ltd
3 Tannery House, Tannery Lane
Send, Surrey, GU23 7EF, UK      UK: +44 (0)1483 226 000
http://www.corsaire.com        Fax: +44 (0)1483 226 001
-------------------------------------------------------
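To make the "personal proxy" category concrete, here is an added example (not code from the original post, and not from Paros, Odysseus or Burp) of the core of such a tool: a small forward proxy that parses each browser request, rewrites a chosen form field before forwarding it upstream, and recomputes Content-Length so the server reads the tampered body correctly. The sample checkout request, the `price` field and the `shop.example` host are constructed for illustration; the proxy class, rule format and port are my own choices, not anything from the original thread.

```python
"""Minimal intercept-and-modify HTTP proxy (added example, hypothetical design)."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qsl, urlencode, urlsplit
import http.client
import sys


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def tamper_form_field(body: bytes, field: str, new_value: str) -> bytes:
    """Rewrite one field of an application/x-www-form-urlencoded body, keeping the others."""
    pairs = parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)
    pairs = [(k, new_value if k == field else v) for k, v in pairs]
    return urlencode(pairs).encode("iso-8859-1")


def serialize_request(method, target, version, headers, body: bytes) -> bytes:
    """Rebuild the request; Content-Length is recomputed because the body may have changed size."""
    fixed = [(n, v) for n, v in headers if n.lower() != "content-length"]
    if body or method in ("POST", "PUT", "PATCH"):
        fixed.append(("Content-Length", str(len(body))))
    head = f"{method} {target} {version}\r\n" + "".join(f"{n}: {v}\r\n" for n, v in fixed)
    return head.encode("iso-8859-1") + b"\r\n" + body


def intercept(raw: bytes, rules: dict) -> bytes:
    """Apply {field: new_value} rules to a form-encoded request and return the rewritten bytes."""
    method, target, version, headers, body = parse_request(raw)
    ctype = next((v for n, v in headers if n.lower() == "content-type"), "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for field, value in rules.items():
            body = tamper_form_field(body, field, value)
    return serialize_request(method, target, version, headers, body)


# Constructed sample: a checkout POST as a browser would send it through a proxy.
SAMPLE_REQUEST = (
    b"POST http://shop.example/cart/checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"item=42&qty=1&price=99.00"
)


class InterceptingProxy(BaseHTTPRequestHandler):
    """Forward proxy: browser -> this -> the upstream named in the Host header (plain HTTP only)."""
    rules = {}  # field -> replacement value, filled in from the command line

    def _relay(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        raw = (f"{self.command} {self.path} {self.request_version}\r\n"
               + "".join(f"{n}: {v}\r\n" for n, v in self.headers.items())
               + "\r\n").encode("iso-8859-1") + body
        method, target, _, headers, new_body = parse_request(intercept(raw, self.rules))
        parts = urlsplit(target)  # a browser sends the absolute URL to a proxy
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        upstream = http.client.HTTPConnection(self.headers["Host"], timeout=10)
        upstream.request(method, path, body=new_body, headers=dict(headers))
        resp = upstream.getresponse()
        data = resp.read()
        self.send_response(resp.status, resp.reason)
        for n, v in resp.getheaders():
            if n.lower() not in ("transfer-encoding", "connection"):
                self.send_header(n, v)
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _relay


if __name__ == "__main__":
    # usage: python proxy.py 8080 price=0.01   (then point the browser's HTTP proxy at 127.0.0.1:8080)
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    InterceptingProxy.rules = dict(arg.split("=", 1) for arg in sys.argv[2:])
    ThreadingHTTPServer(("127.0.0.1", port), InterceptingProxy).serve_forever()
```

The point of the example is the manual-tamper step the reply describes: the browser enforces nothing, so whatever the page's JavaScript or hidden fields say, the proxy can change the value in transit and the server must validate it on its own. Two caveats a practitioner will hit immediately: this handles only plain HTTP (HTTPS through a proxy needs CONNECT handling and a TLS interception certificate, which the real tools provide), and it assumes the body is a simple form post; JSON or multipart bodies need their own rewrite rules.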


