Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Recommendations for web app test?

from [kingpang] Network Security [Permanent Link]
Subject: Re: Recommendations for web app test?
Date: 22 Oct 2004 17:31:27 -0000 
In-Reply-To: <BAY23-F110xJK5OuLID00008387@hotmail.com>

Hi App Crawler,

I think another responder Daniel did a great job giving you suggestions.

You did not mention what platform your web application is running on.  If your 
web app runs on IIS, here is another checklist the auditors may consider using:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/CL_SecWebs.asp

In order to have a mutual understanding between you and the auditor on what to 
test, usually the auditor will create a "Threat Model".  A threat model 
identifies the assets you would like to protect, and the threats your web app 
is likely to have.  If you are interested to see what a threat model is like, 
you may visit this following link:

http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx?pull=/library/en-us/dnnetsec/html/thcmch03.asp

These are my two cents and I hope this helps you.

KingPang



Well,  we've decided that everything in our environment is pretty secure, 
except for our web applications. So, now we need to outsource the security 
assessment of our web applications. So, my question is, what should I be 
looking for? What should the auditors be looking for? How will I know that 
they are testing for what I need them to test for? What is a good price 
range, based on one e-commerce application, one employee intranet 
application, and one customer portal application? Should it be based on the 
number of forms? Or some other metric? Please advise?!?! Thanks.

_________________________________________________________________
Get ready for school! Find articles, homework help and more in the Back to 
School Guide! http://special.msn.com/network/04backtoschool.armx
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Likelihood of brute force attacks against web apps, Dave Ferguson
Next by Date:  Re: Hacking/security in main-stream media, Mariano Cunietti
Previous by Thread:  Re: Recommendations for web app test?, Stephen de Vries
Next by Thread:  Re: Recommendations for web app test?, ban.marketing.bs
Indexes:  [Date] [Thread] [Top] [All Lists]