Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Application Assessment
From: Tom Stracener <strace () gmail com>
Date: Fri, 12 Aug 2005 16:04:55 -0500

goenw,

Congratulations on your new job responsibilities. Hope they are going 
to give you a raise. :-) 

If you get into a position where you are evaluating commerical
products, I would also encourage you to also take a look at Cenzic's
Hailstorm. Its a feature rich web application security scanner with
very low false positives.

Now to your questions. . .

1. is there any tools that allow me to do the assessment throughly ?

It really depends on what you what you are looking for. If you're
unsure of what you're looking for, a good place to begin educating
yourself is here:

http://www.owasp.org 

You should probably just read the entire owasp website as a primer. Its lighter 
reading than unix man pages. :-) Also, once you get a grasp of the
general web application problem areas check out the owasp web app
penetration testing checklist. Educate yourself as much as possible so
you can make an informed decision about what you want and what you
need.


2. should i have external party conduct this, 
what are the things i should expect from them 
(success criteria) ? 

After reading the Owasp penetration testing checklist, you could ask
the company to explain their web penetration testing methodology to
you and then compare the differences. Ideally, get a copy for your own
reference.But don't just compare lists. Think about the types of
applications you  have and pick a company (or individual) that has
relevant experience.

If you go with a vendor, ask for a demo, preferrably a demo scan of
one of  your own servers. Then, you can choose the product/service
that gives you the best, most useful, results.

Remember, there's always 

here:

http://www.parosproxy.org/download.shtml

And here:

http://www.frsirt.com/exploits/

Best of Luck,


-Tom

------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault