WebApp Sec mailing list archives

Re: Complex applications security testing framework


From: chr1x <chr1x () sectester net>
Date: Sun, 29 Nov 2009 10:10:49 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Hello Marat,


Looking around the links that you posted, in this case, talking about
the SANS Top25, most of those are related to Web, at least in
concept, for example: CWE-285: Improper Access Control
(Authorization). I'm not sure exactly what you mean by assessing
complex apps in a non-scripting language. I figured out that some apps
that apply to your question are more focused on RE / Vulnerability
discovery tasks, like for example an ftp server on which you could
perform a security assessment with fuzzing apps like TAOF (The Art of
Fuzzing), which looks for Stack/Heap/String/Integer overflows; in the
end, in this case, you are doing "security" based testing.

I know that one of the best testing guidelines for non-web apps is the
ISSAF [www.oissg.org/issaf], which I highly recommend you take a look at.

Hope I cleared your doubt.

chr1x  **

- --
- ---
[CubilFelino Security Research Lab - http://chr1x.sectester.net ]
"The computer security is an art form. It's the ultimate martial art."


Marat VYSHEGORODTSEV wrote:
Hello, web security researchers!

There is a well-known methodology for auditing the security of web
applications called the OWASP Testing Guide [0], but it describes testing
procedures only for web applications, not for, say, complex
applications (for example, containing application servers, application
gateways and so on) usually written in C#, C++, Delphi or any other
non-scripting language. Would you, folks, recommend such a framework
for testing complex not-web-only applications?

I know only one approach from SANS [1] (Top25, CWE classification and
risk assessment), but it doesn't provide a comprehensive methodology
like OWASP does. Basically I want to fill a gap between risk and
vulnerability assessment jobs and I'm looking for a generally recognized
approach.

[0] http://www.owasp.org/index.php/Category:OWASP_Testing_Project
[1] http://www.sans.org/top25-programming-errors/

Sincerely, Marat Vyshegorodtsev
Assessment specialist



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iQEcBAEBAgAGBQJLEp0IAAoJEENUkd83ZfT49lgH/1TcCdJEzeAjhRcRXrV233gT
139XqC5sJw/n4FtVLvxBGtCPO4ZZlo5MHET+fumyVJ6plhHX/H81LTl+XJGh8h+s
8bN4lwL9zNGUayG2Rfjveme8Kj8uo3PLfQeyFyIsQKCqckw8oxepNTJKmDgKAJT+
n2gxprxzGPOX8joW0h9asoXLE1sa9ad5whThukcgRYU8FTMyYoA4q3Nlg02MUNwH
oEgX2qSamrL4Uo091yztg3ug4NUd4Ox/1YymgvStpn4zB5aZbwbaQNnkBxf/Zcgl
Po0PdcMYLBj5CTIOsXQ0PO/AWpvKwjpEcW2JYZxhaCsnxcKn6QvSgSCZV17PK3s=
=lKzV
-----END PGP SIGNATURE-----