
	Home > Security Channel Tips > Application Security > Application security assessments, part 2: A repeatable methodology

Security Channel Tips:

EMAIL THIS

TIPS & NEWSLETTERS TOPICS

APPLICATION SECURITY

Application security assessments, part 2: A repeatable methodology

Adam Rice
10.03.2006
Rating: --- (out of 5)

Digg This!

StumbleUpon

Del.icio.us

In my previous article, Application security assessment, part 1: An opportunity for VARs and consultants, I explain the value of providing Web application security assessments for your customers. So how do you conduct an application security assessment? The key is to establish and follow a repeatable methodology, such as the following.

Begin by creating a project plan with your customer that details both tasks to be performed and their timing. Include customer-authorized test windows, proposed on-site dates if required, as well as projected dates for major project milestones. Also identify, with the customer's help, critical documents and artifacts that you will use to plan and conduct scanning and testing. Requested information may include:

Conduct the application security assessment remotely, beginning with application functional security testing. Test the customer Web application up to an agreed upon number of unique user roles, looking for functional security flaws that may expose the customer to risk.

Next, assess the effectiveness of the application-layer security controls by attempting to gain unauthorized access to the application. Try to bypass authent

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Application Security
	Web application firewall market is hot for resellers, service providers
	Outlook Web Access security: Helping channel customers stay safe
	Application firewalls create opportunities for VARs and integrators
	Why you need Web application security expertise
	Email filtering: Choosing a content filtering tool for your customer
	Use hosted email filtering for virus protection
	Content filtering: An integrated approach
	How to use an ISA Server as an SMTP filter
	Antivirus trends and strategies
	Web application penetration testing: Best practices

Information Security Threats

UTM appliances bundle security, give VARs multiple revenue streams

Remote vulnerability scanning: Process, roles and responsibilities

Data breach prevention techniques: Helping customers avoid data breaches

Full disk encryption: A hot opportunity for VARs

Top security tips for solutions providers

Common injection attacks

Checklist: Five steps to assessing a customer's antivirus protection

Polymorphic malware attacks and in-line scanning

Use hosted email filtering for virus protection

Re-route virus traffic to the bit bucket

Web Server and Web Application Security

Web application firewall market is hot for resellers, service providers

Portcullis Systems adds HP security products to Microsoft customers

Netgear primes VARs for SMB email and Web security appliance sales

Why you need Web application security expertise

Despite GreenBorder acquisition, Google security plan remains unclear

Filter URLs to reduce information security threats

Web application penetration testing: Best practices

How to manage your customer's secure Web server

Web applications: Insecurity for the masses

Application security assessments, part 1: An opportunity for VARs and consultants

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

ication, authorization, input validation and other controls, using the following hacking techniques:

When you have completed the application security assessment, analyze the results for false-positives to ensure their accuracy. Also analyze each finding for severity and criticality.

Finally, deliver a concise Report of Findings and Recommendations detailing weaknesses identified within the customer's Web application. Where appropriate, provide recommendations for correcting security exposures.

About the author
Adam Rice is a Manager at VeriSign's Global Security Consulting. VeriSign's Global Security Consulting Services help Fortune 500 companies understand corporate security requirements, navigate the maze of diverse regulations, identify security vulnerabilities, defend against and respond to attacks, reduce risk, and meet the security compliance requirements of your business and industry.

Adam has authored several white papers and technical articles on security professional services and emerging threats to the Internet community. He has an extensive background working in security professional services product development and business delivery.

Rate this Tip
To rate tips, you must be a member of SearchSecurityChannel.com. Register now to start rating these tips. Log in if you are already a member.

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

SEARCH

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2006 - 2009, TechTarget \| Read our Privacy Policy