Application security assessments, part 2: A repeatable methodology


Adam Rice
10.03.2006


In my previous article, Application security assessment, part 1: An opportunity for VARs and consultants, I explained the value of providing Web application security assessments to your customers. So how do you conduct one? The key is to establish and follow a repeatable methodology, such as the one described below.

Begin by creating a project plan with your customer that details both tasks to be performed and their timing. Include customer-authorized test windows, proposed on-site dates if required, as well as projected dates for major project milestones. Also identify, with the customer's help, critical documents and artifacts that you will use to plan and conduct scanning and testing. Requested information may include:

Conduct the application security assessment remotely, beginning with application functional security testing. Test the customer's Web application using up to an agreed-upon number of unique user roles, looking for functional security flaws that may expose the customer to risk.

Next, assess the effectiveness of the application-layer security controls by attempting to gain unauthorized access to the application. Try to bypass authentication, authorization, input validation and other controls, using the following hacking techniques:

When you have completed the application security assessment, review the results for false positives to ensure their accuracy. Also rate each confirmed finding for severity and criticality.
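The per-role functional testing and the later severity and false-positive review can be driven from one access matrix. The following is an added illustration, not code from the article or from VeriSign: `fake_app` is a constructed in-memory stand-in for a customer's Web application, and the matrix, role names and severity scale are assumptions.

```python
# Added example, not from the article: a role-by-action access matrix check.
# fake_app is a constructed in-memory stand-in for the customer's Web app;
# a real assessment would issue HTTP requests using each role's session.

SEVERITY_ORDER = ("critical", "high", "medium", "low")

# Expected access matrix agreed with the customer: action -> role -> allowed.
EXPECTED = {
    "view_public":  {"anonymous": True,  "customer": True,  "admin": True},
    "view_account": {"anonymous": False, "customer": True,  "admin": True},
    "admin_users":  {"anonymous": False, "customer": False, "admin": True},
}

def fake_app(role, action):
    """Constructed target returning HTTP-style status codes. It deliberately
    skips the login check on view_account so the harness has a mismatch to flag."""
    if action == "view_public":
        return 200
    if action == "view_account":
        return 200                      # constructed flaw: anonymous should get 401
    if action == "admin_users":
        return 200 if role == "admin" else 403
    return 404

def severity_for(role, action, observed_allowed):
    """Unexpected access is an exposure rated by who reached what; unexpected
    denial is a functional defect rather than a security exposure."""
    if not observed_allowed:
        return "low"
    if action.startswith("admin_"):
        return "critical"
    return "high" if role == "anonymous" else "medium"

def run_matrix(app, expected=EXPECTED):
    """Exercise every role/action pair; return mismatches, worst first. The raw
    status is kept so a reviewer can weed out false positives (e.g. a 200 that
    is really a login page)."""
    findings = []
    for action, roles in expected.items():
        for role, allowed in roles.items():
            status = app(role, action)
            observed_allowed = 200 <= status < 300
            if observed_allowed != allowed:
                findings.append({
                    "role": role, "action": action, "status": status,
                    "expected_allowed": allowed,
                    "severity": severity_for(role, action, observed_allowed),
                })
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))
```

Running `run_matrix(fake_app)` yields a single high-severity finding (anonymous reaching view_account); swapping in a request function that uses each role's real session turns the same matrix into the assessment's role coverage record.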

Finally, deliver a concise Report of Findings and Recommendations detailing weaknesses identified within the customer's Web application. Where appropriate, provide recommendations for correcting security exposures.

About the author
Adam Rice is a Manager at VeriSign's Global Security Consulting. VeriSign's Global Security Consulting Services help Fortune 500 companies understand corporate security requirements, navigate the maze of diverse regulations, identify security vulnerabilities, defend against and respond to attacks, reduce risk, and meet the security compliance requirements of your business and industry.

Adam has authored several white papers and technical articles on security professional services and emerging threats to the Internet community. He has an extensive background working in security professional services product development and business delivery.


All Rights Reserved, Copyright 2006 - 2009, TechTarget | Read our Privacy Policy