Re: Recommendations for web app test?
From: Tom Stracener (stracegmail.com)
Date: Tue Oct 26 2004 - 16:39:16 CDT
Starting with the basics.
>What should you be looking for:
That's a start. Bear in mind that the security field has always had its list fascination, but these are just the shiny red buttons that hackers love to push. There's a lot more to web app security than being list minded about your application or its environment.
>What should the auditors be looking for?
Well, that's the point. It depends on how the customer portal and e-commerce app fit within your network and application architecture, how they are designed to be used, and the types of functionality you provide. Plus, all this does connect to your pretty secure network and its database(s).
So once again, there is no exhaustive checklist. You should be concerned with scenarios of misuse and abuse, as well as the red flag OWASP issues.
>How will I know that they are testing for what I need them to test for?
You probably won't. So go with a company with a proven track record.
>What is a good price range? [...]
There's no point in me estimating costs, because you're likely to get different figures. Bear in mind there is no quick fix, and the value of a manual app security assessment depreciates quickly if your environment is changing (and it is, constantly). No matter how well crafted a "threat model" is, it is a time-dependent snapshot of risk: if you roll out new servers, change patch level, export additional services, change your architecture, or release new versions of your applications, the information becomes dated. Solution: get another audit. The way out of this cycle is to hire someone specialized in application security and perform regular automated and manual audits yourself, using the right tools.
1. Consider investing in an application security person, and don't rely on manual pen-testing alone.
2. Consider the available commercial applications, preferably an application that lets you create custom policies and rules specific to your environment. The ability to perform regular assessments in house is key to your long-term security. There are some great open source tools for this purpose too, but they do require expertise to utilize.
For commercial apps, check out:
SPI Dynamics' WebInspect
3. Talk to nCircle about your network. They provide 24/7 vulnerability management for your infrastructure at a reasonable cost of deployment.
This comment you made about your network being "pretty secure" troubled me.
>Well, we've decided that everything in our environment is pretty secure,
>except for our web applications. So, now we need to outsource the security
>assessment of our web applications. So, my question is, what should I be
>looking for? What should the auditors be looking for? How will I know that
>they are testing for what I need them to test for? What is a good price
>range, based on one e-commerce application, one employee intranet
>application, and one customer portal application? Should it be based on the
>number of forms? Or some other metric? Please advise?!?! Thanks.