RE: Application Assessment

From: Anders Thulin (Anders.Thulin@tietoenator.com)
Date: Tue Aug 09 2005 - 01:57:21 EDT


From: goenw [mailto:goenw.mailinglist@gmail.com]
>anybody have experience with application assessment? [...]

  Assessment of what? I assume security -- i.e. resistance to effects from
unwanted events, rather than just intrusions.

  Depends on how you're allowed to do it. A threat analysis followed up by
checking up the identified risks (and others that come to mind) is one way.
Just make sure you have application and platform experts on the analysis team.

>1. are there any tools that allow me to do the assessment thoroughly?

  Not that I know of. Parts, such as protocol testing, yes. But you also
need to assess configuration file security, security log contents, management,
etc.

  For instance, if you're assessing a POP server, part of the job can be trying to
upset the server by feeding it bad input, or trying to brute force accounts.
Can the server be DoSed? For that you can find tools. Another part is checking
the logs to see if these attempts were discovered -- if not, if they could have
been by sharper configuration. And if they are discovered, are there any
mechanisms or routines that ensure that someone actually gets a report of
break-in attempts, or do the log files just sit around, collecting dust?

  Updates and upgrades are other parts: are they easy or difficult to do?
Do they upset anything? And indirectly, if you have a test environment for
pre-deployment testing, if that is secure enough in itself.

  By now you see why the threat analysis is necessary: you need to get a list
of all unwanted events associated with the application in any way, extract
those that are relevant for your particular job, and decide if they can be
tested or not.

  But perhaps the scope of the assessment is smaller than that.

Anders Thulin anders.thulin@tietoenator.com 040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
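The log-checking part of the POP server example above (were the brute-force attempts discovered, and would anyone be told?) as an added example that is not part of Anders's message: a small Python detector run over constructed log lines. The syslog-like line format and the `pop3d` tag are assumptions for this example, not the format of any particular server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not from a real POP server).
SAMPLE_LOG = """\
Aug  9 01:50:01 mail pop3d: LOGIN FAILED, user=alice, ip=[203.0.113.7]
Aug  9 01:50:02 mail pop3d: LOGIN FAILED, user=bob, ip=[203.0.113.7]
Aug  9 01:50:03 mail pop3d: LOGIN FAILED, user=carol, ip=[203.0.113.7]
Aug  9 01:50:04 mail pop3d: LOGIN FAILED, user=dave, ip=[203.0.113.7]
Aug  9 01:50:05 mail pop3d: LOGIN FAILED, user=erin, ip=[203.0.113.7]
Aug  9 01:52:00 mail pop3d: LOGIN FAILED, user=alice, ip=[198.51.100.4]
Aug  9 01:52:30 mail pop3d: LOGIN, user=alice, ip=[198.51.100.4]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pop3d: "
    r"(?P<result>LOGIN FAILED|LOGIN), user=(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]$"
)

def parse_events(text, year=2005):
    # Syslog lines carry no year, so one is supplied; returns (ts, failed, user, ip).
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not silently mis-counted
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"] == "LOGIN FAILED", m["user"], m["ip"]))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    # {ip: (failures, distinct users)} for IPs with >= threshold failed logins
    # inside a sliding window; many distinct users points at password spraying.
    failures = defaultdict(list)
    for ts, failed, user, ip in events:
        if failed:
            failures[ip].append((ts, user))
    alerts = {}
    for ip, items in failures.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            run = [u for ts, u in items[i:] if ts - start <= window]
            if len(run) >= threshold:
                alerts[ip] = (len(run), len(set(run)))
                break
    return alerts

if __name__ == "__main__":
    for ip, (n, users) in sorted(find_bruteforce(parse_events(SAMPLE_LOG)).items()):
        print(f"ALERT {ip}: {n} failed logins against {users} accounts")
```

If this produces nothing on a server that was just hammered, the log is too quiet (sharper configuration needed); if it produces alerts that nobody reads, the reporting routine is the gap.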




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:43 EDT