WebApp Sec mailing list archives
Re: Application Assessment
From: Glyn Geoghegan <glyng () corsaire com>
Date: Thu, 11 Aug 2005 11:47:58 +1000
On 8 Aug 2005, at 12:53, goenw wrote:
> Hi, anybody have experience with application assessment? I am a network guy, don't know much about the apps PT.
> 1. Are there any tools that allow me to do the assessment thoroughly?
If you're talking web-applications, check out www.owasp.org for a wealth of information on the subject. You may also want to take a look at the webappsec mailing list at www.securityfocus.com.
Typically, the kind of tools you'll need are the personal-proxy category, allowing you to intercept and modify communications between the client and server - see Paros Proxy, Odysseus and Burp Proxy, for example.
There are fully automated tools, but in my personal experience the manual approach has worked more effectively.
Fat client/binary assessment is a slightly different (and arguably more complex) beast, and probably off-topic for this list.
> 2. Should I have an external party conduct this, what are the things I should expect from them (success criteria)?
> Any comments are appreciated.
That depends on how confident you are with your abilities, the drivers for the assessment and a wealth of factors. Normally, some coding or development background is essential to identify and understand potential vulnerabilities.
Check out www.application-testing.com for our guide on the world of Application Security Assessments.
--
Glyn Geoghegan BSc, ARCS
Principal Consultant
Corsaire Ltd
3 Tannery House, Tannery Lane
Send, Surrey, GU23 7EF, UK
UK: +44 (0)1483 226 000
Fax: +44 (0)1483 226 001
http://www.corsaire.com