WebApp Sec mailing list archives
RE: Application Assessment
From: Tom Stracener <strace () gmail com>
Date: Fri, 12 Aug 2005 16:04:55 -0500
goenw, Congratulations on your new job responsibilities. Hope they are going to give you a raise. :-) If you get into a position where you are evaluating commercial products, I would also encourage you to take a look at Cenzic's Hailstorm. It's a feature-rich web application security scanner with very low false positives. Now to your questions. . .
1. Are there any tools that allow me to do the assessment thoroughly?
It really depends on what you are looking for. If you're unsure of what you're looking for, a good place to begin educating yourself is here: http://www.owasp.org You should probably just read the entire OWASP website as a primer. It's lighter reading than Unix man pages. :-) Also, once you get a grasp of the general web application problem areas, check out the OWASP web app penetration testing checklist. Educate yourself as much as possible so you can make an informed decision about what you want and what you need.
2. Should I have an external party conduct this? What are the things I should expect from them (success criteria)?
After reading the OWASP penetration testing checklist, you could ask the company to explain their web penetration testing methodology to you and then compare the differences. Ideally, get a copy for your own reference. But don't just compare lists. Think about the types of applications you have and pick a company (or individual) that has relevant experience. If you go with a vendor, ask for a demo, preferably a demo scan of one of your own servers. Then you can choose the product/service that gives you the best, most useful results. Remember, there's always here: http://www.parosproxy.org/download.shtml And here: http://www.frsirt.com/exploits/
Best of Luck,
-Tom
Current thread:
- RE: Application Assessment, (continued)
- RE: Application Assessment Mark Curphey (Aug 11)
- Re: Application Assessment Jeremiah Grossman (Aug 11)
- Re: Application Assessment Amit Klein (AKsecurity) (Aug 12)
- Re: RE: Application Assessment Kyle Starkey (Aug 12)
- Re: Application Assessment Pete Herzog (Aug 13)
- Re: Application Assessment goenw (Aug 17)
- On Application Scanners (Was: Application Assessment) Mark Curphey (Aug 14)