WebApp Sec: Application Security Assessment Methods

Application Security Assessment Methods

From: <appsec_at_technicalinfo.net>
Date: Sun, 12 Oct 2003 18:00:09 +0100

Hi there,

A lot of people appear to be asking for a detailed methodology on how to conduct a successful application security assessment. I have yet to find a good *public* methodology document that could be used for the diverse types of applications I come up against. To this end, I have written a brief paper to aid other consultants and security professionals to better assess the security of an application - without the overhead of a complex methodology.

The paper can be found at http://www.technicalinfo.net/papers/AssessmentQuestions.html

From the paper: "Application security assessment is a unique area of assessment and penetration testing. Unlike infrastructure based assessments, the methodology utilised by a security professional for identifying security vulnerabilities and significant issues is highly dependent upon the type of application being assessed. Instead of focusing on an all-encompassing application security assessment methodology, many consultants may find it more practical to cycle through a check-list of questions. The emphasis of the questions is not so much on how to test the application, but more as to what the consultant should be looking for."

I hope someone out there also finds it useful to them.

As this is the initial draft of the paper/questions, I would welcome replies to this email containing application-based assessment questions that you feel are not covered in the present document and should be included in the next version.

Cheers,

Gunter

Technical Info -- http://www.technicalinfo.net/
Received on Oct 12 2003
