WebApp Sec mailing list archives
Re: Complex applications security testing framework
From: chr1x <chr1x () sectester net>
Date: Sun, 29 Nov 2009 10:10:49 -0600
Hello Marat,

Looking around the links that you posted, in this case, talking about the SANS Top25, most of those are related to Web, at least the concept, for example: CWE-285: Improper Access Control (Authorization).

I'm not sure exactly what you mean by assessing complex apps in a non-scripting language. I figured out that some apps that apply to your question are more focused on RE / Vulnerability discovery tasks, like for example an ftp server on which you could perform a security assessment with fuzzing apps like TAOF (The Art of Fuzzing), which looks for Stack/Heap/String/Integer overflows; at the end, in this case, you are doing "security" based testing.

I know that one of the best testing guidelines for non-web apps is the ISSAF [www.oissg.org/issaf], which I highly recommend you take a look at.

Hope I cleared your doubt.

chr1x

--
[CubilFelino Security Research Lab - http://chr1x.sectester.net ]
"The computer security is an art form. It's the ultimate martial art."

Marat VYSHEGORODTSEV wrote:
Hello, web security researchers!

There is a well known methodology for auditing the security of web applications called the OWASP Testing Guide [0], but it describes testing procedures only for web applications, not for, like, complex applications (for example, containing application servers, application gateways and so on) usually written in C#, C++, Delphi or any other non-scripting language.

Would you, folks, recommend such a framework for testing complex not-web-only applications? I know only one approach from SANS [1] (Top25, CWE classification and risk assessment), but it doesn't provide a comprehensive methodology like OWASP does. Basically I want to fill a gap between risk and vulnerability assessment jobs and I'm looking for a generally recognized approach.

[0] http://www.owasp.org/index.php/Category:OWASP_Testing_Project
[1] http://www.sans.org/top25-programming-errors/

Sincerely,
Marat Vyshegorodtsev
Assessment specialist

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------