WebApp Sec mailing list archives
RE: Application Assessment
From: "Ory Segal" <osegal () watchfire com>
Date: Thu, 11 Aug 2005 13:16:29 +0300
Hi, You should also check: http://www.webappsec.org (Web Application Security Consortium) With regards to utilities, you can download the free Watchfire Powertools (HTTP Proxy, HTTP request editor, etc.), here's the link: http://www.watchfire.com/securityzone/download/default.aspx At the same link, you can also download eval versions of Watchfire's AppScan product (An automated application security scanner). You can also find basic and advanced whitepapers on the subject at: http://www.watchfire.com/news/whitepapers.aspx -Ory -----Original Message----- From: Glyn Geoghegan [mailto:glyng () corsaire com] Sent: Thursday, August 11, 2005 4:48 AM To: goenw Cc: pen-test () securityfocus com; Webappsec Subject: Re: Application Assessment On 8 Aug 2005, at 12:53, goenw wrote:
Hi, anybody have experience with application assessment ? I am a network guy, dont know much about the apps PT. 1. is there any tools that allow me to do the assessment throughly ?
If you're talking web-applications, check out www.owasp.org for a wealth of information on the subject. You may also want to take a look at the webappsec mailing list at www.securityfocus.com. Typically, the kind of tools you'll need are the personal-proxy category, allowing you to intercept and modify communications between the client and server - see Paros Proxy, Odysseus and Burp Proxy, for example. There are fully automated tools, but in my personal experience the manual approach has worked more effectively. Fat client/binary assessment is a slightly different (and arguably more complex) beast, and probably off-topic for this list.
2. should i have external party conduct this, what are the things i should expect from them (success criteria) ? any comments are appriciated.
That depends on how confident you are with your abilities, the drivers for the assessment and a wealth of factors. Normally, some coding or development background is essential to identify and understand potential vulnerabilities. Check out www.application-testing.com for our guide on the world of Application Security Assessments. -- ------------------------------------------------------- G l y n G e o g h e g a n BSc, ARCS Principal Consultant Corsaire Ltd 3 Tannery House, Tannery Lane Send, Surrey, GU23 7EF, UK UK: +44 (0)1483 226 000 http://www.corsaire.com Fax: +44 (0)1483 226 001 -------------------------------------------------------
Current thread:
- Re: Application Assessment Glyn Geoghegan (Aug 11)
- Re: Application Assessment bugtraq (Aug 11)
- <Possible follow-ups>
- RE: Application Assessment Ory Segal (Aug 11)
- RE: Application Assessment Mark Curphey (Aug 11)
- Re: Application Assessment Jeremiah Grossman (Aug 11)
- RE: Application Assessment Mark Curphey (Aug 11)
- Re: Application Assessment Jeremiah Grossman (Aug 11)
- Re: Application Assessment Amit Klein (AKsecurity) (Aug 12)
- RE: Application Assessment Mark Curphey (Aug 11)