RE: Application Assessment

From: Tom Stracener (strace@gmail.com)
Date: Fri Aug 12 2005 - 17:04:55 EDT


goenw,

Congratulations on your new job responsibilities. Hope they are going
to give you a raise. :-)

If you get into a position where you are evaluating commercial
products, I would also encourage you to take a look at Cenzic's
Hailstorm. It's a feature-rich web application security scanner with
very low false positives.

Now to your questions. . .

>1. are there any tools that allow me to do the assessment thoroughly ?

It really depends on what you are looking for. If you're
unsure of what you're looking for, a good place to begin educating
yourself is here:

http://www.owasp.org

You should probably just read the entire OWASP website as a primer. It's lighter
reading than unix man pages. :-) Also, once you get a grasp of the
general web application problem areas check out the owasp web app
penetration testing checklist. Educate yourself as much as possible so
you can make an informed decision about what you want and what you
need.

>2. should i have external party conduct this,
> what are the things i should expect from them
> (success criteria) ?

After reading the OWASP penetration testing checklist, you could ask
the company to explain their web penetration testing methodology to
you and then compare the differences. Ideally, get a copy for your own
reference. But don't just compare lists. Think about the types of
applications you have and pick a company (or individual) that has
relevant experience.

If you go with a vendor, ask for a demo, preferably a demo scan of
one of your own servers. Then, you can choose the product/service
that gives you the best, most useful, results.

Remember, there's always

here:

http://www.parosproxy.org/download.shtml

And here:

http://www.frsirt.com/exploits/

Best of Luck,

-Tom

