I just checked out www.technicalinfo.net . The site is full of great
information, and I am convinced Mr. Gunter is quite an expert.
Thanks for the awesome contribution!
Brian
Quoting appsec_at_technicalinfo.net:
Hi there,
A lot of people appear to be asking for a detailed methodology on how to
conduct a successful application security assessment. I have yet to find a
good *public* methodology document that could be used for the diverse types of
applications I come up against. To this end, I have written a brief paper to
aid other consultants and security professionals to better assess the security
of an application - without the overhead of a complex methodology.
The paper can be found at
http://www.technicalinfo.net/papers/AssessmentQuestions.html
>From the paper: "Application security assessment is a unique area of
assessment and penetration testing. Unlike infrastructure based assessments,
the methodology utilised by a security professional for identifying security
vulnerabilities and significant issues is highly dependant upon the type of
application being assessed. Instead of focusing on an all-encompassing
application security assessment methodology, many consultants may find it more
practical to cycle through a check-list of questions. The emphasis of the
questions is not so much on how to test the application, but more as to what
the consultant should be looking for."
I hope someone out there also finds it useful to them.
At this is the initial draft of the paper/questions, I would welcome replies
to this email containing application based assessment questions that you feel
are not covered in the present document and should be included in the next
version.
Cheers,
Gunter
Technical Info -- http://www.technicalinfo.net/
--
Brian G.
Firefly Digital Media
866-FFDIGTL
866-333-4485
Received on Oct 13 2003
Intro
