PaulDotCom mailing list archives

Security Due Diligence - Web Based Applications
From: patrick.yager at mac.com (Yager Patrick)
Date: Sun, 14 Jun 2009 21:38:51 -0500

I would like some feedback about what you do to review the security of purchased, web-based applications prior to putting them into production. Applications would handle confidential data with input from customers (some free-form fields and other drop-down menus) and may be connected to back-end databases. What types of reviews do you do of the vendor, application, and architecture? How about once you have purchased the application and have it working in a test environment? Do you perform fuzzing and other penetration tests to determine if the vendor's security assurances and designs are correct and accurate? Do you ask the vendor to provide documentation relating to independent code reviews? (Assume that the source code is proprietary and not available.) Are these standard procedures that you follow for all applications (as in company-documented procedures), or do you perform ad-hoc, free-form testing (if any at all)?

Once the application is installed in production, how often do you perform additional or follow-up tests? Who is responsible for these
