Network Security Web-App-Sec

Re: Recommendations for web app test?

Subject: Re: Recommendations for web app test?
Date: 26 Oct 2004 21:39:16 -0000
In-Reply-To: <BAY23-F110xJK5OuLID00008387@hotmail.com>

Starting with the basics.

What should you be looking for:

http://www.owasp.org/documentation/topten/introduction.html

That's a start. Bear in mind that the security field has always had its list 
fascination, but these are just the shiny red buttons that hackers love to 
push. There's a lot more to web app security than being list minded about your 
application or its environment. 

What should the auditors be looking for?

Well, that's the point. It depends on how the customer portal and e-commerce app fit 
within your network and application architecture, how they are designed to be 
used, and the types of functionality you provide. Plus, all this does connect 
to your pretty secure network and its database(s).
So once again, there is no exhaustive checklist. You should be concerned with 
scenarios of misuse and abuse, as well as the red flag OWASP issues.

How will I know that they are testing for what I need them to test for?

You probably won't. So go with a company with a proven track record. 


What is a good price range? [...]

There's no point in me estimating costs, because you're likely to get different 
figures. Bear in mind there is no quick fix, and the value of manual app 
security assessment depreciates quickly if your environment is changing (and it 
is, constantly). No matter how well crafted a "threat model" is, it is a time 
dependent snapshot of risk: if you roll out new servers, change patch level, 
export additional services, change your architecture, or release new versions 
of your applications, the information becomes dated. Solution: get another 
audit. The way out of this cycle is to hire someone specialized in application 
security and perform regular automated and manual audits yourself, using the 
right tools.

My recommendations:

1. Consider investing in an application security person, and don't rely on 
manual pen-testing alone.

2. Consider the available commercial applications, preferably an application 
that lets you create custom policies and rules specific to your environment. 
The ability to perform regular assessments in house is key to your long term 
security. There are some great open source tools for this purpose too, but they 
do require expertise to utilize.

For commercial apps, check out:

SPI Dynamics' WebInspect
Watchfire/Sanctum's AppScan
Cenzic's Hailstorm.


3. Talk to nCircle about your network. They provide 24/7 vulnerability 
management for your infrastructure at a reasonable cost of deployment. 
This comment you made about your network being "pretty secure" troubled me.

--Tom


Well, we've decided that everything in our environment is pretty secure, 
except for our web applications. So, now we need to outsource the security 
assessment of our web applications. So, my question is, what should I be 
looking for? What should the auditors be looking for? How will I know that 
they are testing for what I need them to test for? What is a good price 
range, based on one e-commerce application, one employee intranet 
application, and one customer portal application? Should it be based on the 
number of forms? Or some other metric? Please advise?!?! Thanks.
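As an added illustration of recommendation 2 above (regular in-house assessments driven by custom, environment-specific rules), here is a small Python policy checker. It is example code written for this page, not code from the post or from any of the products it names. It parses captured HTTP responses, runs a set of generic rules (cookie flags, reflected input, leaked error detail, version banners) plus one hypothetical site-specific rule for the intranet application, and returns the findings so the same checks can be re-run after every deployment. All responses, header values and the `CANARY` string are constructed for the example.

```python
"""Small in-house web-app policy checker (hypothetical example).

Applies a set of rules to HTTP responses captured during a test so the same
checks can be re-run after every deployment.  All responses below are
constructed for this example; nothing here is captured from a real site.
"""
import html
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict              # lower-cased header name -> list of values
    body: str
    sent_params: dict = field(default_factory=dict)  # request params used in the test


def parse_response(raw, sent_params=None):
    """Parse a raw HTTP/1.x response into status, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return Response(status, headers, body, sent_params or {})


# --- generic rules: each returns a list of finding strings ---------------

def rule_cookie_flags(r):
    findings = []
    for cookie in r.headers.get("set-cookie", []):
        parts = cookie.split(";")
        name = parts[0].split("=", 1)[0].strip()
        attrs = {p.strip().lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


def rule_reflected_input(r):
    """A submitted value containing HTML metacharacters echoed back verbatim
    is an XSS indicator that still needs manual confirmation."""
    return [f"param {k} reflected unencoded: {v!r}"
            for k, v in r.sent_params.items()
            if html.escape(v) != v and v in r.body]


ERROR_PATTERNS = [re.compile(p, re.I) for p in (
    r"you have an error in your sql syntax",
    r"unclosed quotation mark",
    r"stack trace",
    r"\bat [\w.$]+\([\w.]+:\d+\)",       # Java-style frame "at a.b.C(C.java:12)"
)]


def rule_error_leak(r):
    return [f"error detail leaked: {p.pattern}" for p in ERROR_PATTERNS if p.search(r.body)]


def rule_server_banner(r):
    return [f"server banner discloses version: {v}"
            for v in r.headers.get("server", []) if re.search(r"/\d", v)]


DEFAULT_POLICY = [rule_cookie_flags, rule_reflected_input, rule_error_leak, rule_server_banner]


# --- an environment-specific rule added to the policy for one application --

def rule_intranet_no_store(r):
    """Hypothetical site policy: intranet pages must carry Cache-Control: no-store."""
    cache = ",".join(r.headers.get("cache-control", [])).lower()
    return [] if "no-store" in cache else ["intranet page is cacheable (no Cache-Control: no-store)"]


def assess(raw, sent_params=None, policy=DEFAULT_POLICY):
    """Run every rule in the policy over one response; findings sorted for stable diffs."""
    r = parse_response(raw, sent_params)
    return sorted(f for rule in policy for f in rule(r))


# --- constructed sample responses ----------------------------------------
CANARY = '<zz9x"\'>'   # value submitted in the "user" field of the login form
LOGIN_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/1.3.29\r\n"
                  "Set-Cookie: sessid=abc123; Path=/\r\nContent-Type: text/html\r\n\r\n"
                  "<html>Welcome back, " + CANARY + "!</html>")
SEARCH_RESPONSE = ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
                   "You have an error in your SQL syntax near ''' at line 1")
INTRANET_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
                     "Cache-Control: private\r\n\r\n<html>Payroll</html>")
CLEAN_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                  "Set-Cookie: sessid=abc123; Path=/; Secure; HttpOnly\r\n"
                  "Cache-Control: no-store\r\nContent-Type: text/html\r\n\r\n<html>ok</html>")

if __name__ == "__main__":
    for label, raw, params, policy in (
        ("login", LOGIN_RESPONSE, {"user": CANARY}, DEFAULT_POLICY),
        ("search", SEARCH_RESPONSE, None, DEFAULT_POLICY),
        ("intranet", INTRANET_RESPONSE, None, DEFAULT_POLICY + [rule_intranet_no_store]),
        ("clean", CLEAN_RESPONSE, None, DEFAULT_POLICY + [rule_intranet_no_store]),
    ):
        print(label, assess(raw, params, policy) or "no findings")
```

The point of the structure is the policy list: generic rules cover the OWASP-style red flags, and each application gets its own extra rules (the intranet cache rule here) that a vendor's default signature set would not know about. Because `assess` returns a sorted list, the output of one run can be diffed against the previous run after a deployment, which is the cheap way to notice that the environment has drifted since the last manual audit.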
