Network Security Web-App-Sec

Re: Application Assessment

Subject: Re: Application Assessment
Date: Thu, 18 Aug 2005 09:01:42 +0700
Guys,

Thanks a lot for all the advice given. Really appreciate it. Now I've got a clearer path to continue :).
For those who offered professional help, I'll make further arrangements after justification and direction have been settled.
Right now it's still in the very early stages of planning.


Thanks and Regards,
goenw

Michael Gargiullo wrote:

<SNIP>

If you go with a vendor, ask for a demo, preferably a demo scan of
one of your own servers. Then, you can choose the product/service
that gives you the best, most useful, results.

<SNIP>

Tom gave some great tips. The company I'm with specializes in security
auditing. The amount of time that goes into an application assessment
can vary greatly.


It's also wise to take a multi-pronged approach. Think about it like
this, why break into your application, when I can break your database
server or web server in a quarter of the time?


A sample vulnerability scan of your servers is quick and easy for a
company to do.  A thorough test of your application is not.  Automated
tools will only go so far, as no computer can think like a human, or
have the ingenuity of a determined attacker.

To better gauge a security company, ask for a few sample reports. See
how they operate, check out their methodology. Ask hard questions, and
expect real answers.

I hope this helps more than it hinders you in your search.

Oh... Also check out F5's Application Firewall... truly a cool device
designed to scan your app for vulnerabilities, then protect against
malicious people.

-Mike




