[Owasp-singapore] Question on Application Security Assessment
spawn of soul calibur
ruel555 at hotmail.com
Sun Apr 12 23:36:10 EDT 2009
Need some help from the experts as I'm relatively new to Application Security. I'm also a relatively new member of OWASP Singapore and the Security Meet Up group. Though not as active as I would like to be, I am following the discussion in the mail group intently.
Anyway, I need some input from the experts here on doing a security assessment of an existing application. I have created a framework which mainly comes from the OWASP Testing Guide version 3. See below. Any comments/feedback or suggestions? Please HELP!!!! I want to make this assessment a success, not to mention that this could make or break my career in the company.
Documentation review (support documentation, design or blueprint, architecture, code) - Gathering all available documentation and ensuring that it has been updated. This is to ensure that the application can be supported even without the principal support or developer. Moreover, by reviewing all artifacts/documentation we will be able to visually identify potential vulnerabilities or attack vectors.
Technology review (all technologies used, including linkages to other systems and versions of technology) - Identifying the technologies used (e.g. language, version, etc.). This is to ensure that the application is able to adapt to changes in technologies, etc.
Security Requirements - The security requirements will help in identifying and eliminating potential application vulnerabilities and security flaws. They are designed to address known application vulnerabilities. The security requirements will also form the basis of the security test plan.
Threat Modelling (identification of threat vectors) - This is used to identify the threat vectors of an application, meaning the reasons for attack and the methods that an attacker would use to identify vulnerabilities or threats in the system.
Code/Functionality walkthrough - Walkthrough of the main code elements/functionality. This will help all stakeholders understand the main code elements and identify areas where extra security should be implemented. This will also show if there are unnecessary code elements which should and can be removed from the code. The purpose is not to perform a code review, but to understand at a high level the flow, the layout, and the structure of the code that makes up the application.
Formal Security Testing
Develop Security Test script (based on security requirements) - Developing a test plan based on the identified security requirements.
Security Testing - Validating that the security requirements have been implemented appropriately.
Penetration Testing - This is a method of evaluating the security of an application by simulating an attack. The process involves an analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Will be focusing on testing the OWASP Top 10 Vulnerabilities.
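As an added worked example (not part of the original post or of the OWASP Testing Guide), the following shows one way the "Develop Security Test script (based on security requirements)" and "Security Testing" steps can be turned into something executable: each security requirement gets an identifier, a one-line statement, and a check function, and the resulting plan is run against a captured HTTP response. The session cookie name (`sessionid`), the requirement identifiers, and both sample responses are assumptions constructed for the example; the responses are not captures from any real application.

```python
"""Security requirements expressed as an executable test plan.

Added example, not from the mailing list post. The requirement IDs,
the session cookie name and both sample responses are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Response:
    """Minimal model of an HTTP response captured from the application under test."""
    status: int
    headers: Dict[str, str]   # header name -> value; names are compared case-insensitively
    set_cookies: List[str]    # raw Set-Cookie header values, one per cookie

    def header(self, name: str) -> str:
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


def parse_set_cookie(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: value}).
    Flag attributes such as Secure and HttpOnly map to an empty string."""
    parts = [p.strip() for p in raw.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


SESSION_COOKIE = "sessionid"  # assumption: name of the application's session cookie
ONE_YEAR = 31536000           # seconds; minimum HSTS max-age required by the plan
VERSION_RE = re.compile(r"\d+\.\d+")


def session_cookie_attrs(r: Response) -> Optional[Dict[str, str]]:
    for raw in r.set_cookies:
        name, _, attrs = parse_set_cookie(raw)
        if name == SESSION_COOKIE:
            return attrs
    return None


# One check per requirement; each returns True when the requirement is met.
def req_session_cookie_flags(r: Response) -> bool:
    attrs = session_cookie_attrs(r)
    return attrs is not None and "secure" in attrs and "httponly" in attrs


def req_session_samesite(r: Response) -> bool:
    attrs = session_cookie_attrs(r)
    return attrs is not None and attrs.get("samesite", "").lower() in ("lax", "strict")


def req_no_version_disclosure(r: Response) -> bool:
    return not any(VERSION_RE.search(r.header(h)) for h in ("Server", "X-Powered-By"))


def req_hsts(r: Response) -> bool:
    m = re.search(r"max-age=(\d+)", r.header("Strict-Transport-Security"))
    return bool(m) and int(m.group(1)) >= ONE_YEAR


def req_nosniff(r: Response) -> bool:
    return r.header("X-Content-Type-Options").lower() == "nosniff"


def req_csp_present(r: Response) -> bool:
    return bool(r.header("Content-Security-Policy"))


@dataclass
class Requirement:
    rid: str
    text: str
    check: Callable[[Response], bool]


TEST_PLAN: List[Requirement] = [
    Requirement("REQ-SESS-01", "Session cookie is marked Secure and HttpOnly", req_session_cookie_flags),
    Requirement("REQ-SESS-02", "Session cookie sets SameSite=Lax or Strict", req_session_samesite),
    Requirement("REQ-INFO-01", "No server/framework version in response headers", req_no_version_disclosure),
    Requirement("REQ-HDR-01", "HSTS enabled with max-age of at least one year", req_hsts),
    Requirement("REQ-HDR-02", "X-Content-Type-Options: nosniff is set", req_nosniff),
    Requirement("REQ-HDR-03", "A Content-Security-Policy header is present", req_csp_present),
]


def run_test_plan(r: Response, plan: List[Requirement] = TEST_PLAN) -> Dict[str, bool]:
    """Run every requirement check and return {requirement id: passed}."""
    return {req.rid: req.check(r) for req in plan}


def failed_requirements(r: Response) -> List[str]:
    return [rid for rid, ok in run_test_plan(r).items() if not ok]


# Constructed sample responses (assumptions, not captures from a real application).
WEAK_RESPONSE = Response(
    200,
    {"Server": "Apache/2.2.11", "X-Powered-By": "PHP/5.2.9", "Content-Type": "text/html"},
    ["sessionid=2b1d9c7e; Path=/"],
)
HARDENED_RESPONSE = Response(
    200,
    {
        "Server": "Apache",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
        "Content-Type": "text/html",
    },
    ["sessionid=2b1d9c7e; Path=/; Secure; HttpOnly; SameSite=Lax"],
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} response ==")
        for req in TEST_PLAN:
            print(f"{'PASS' if req.check(resp) else 'FAIL'}  {req.rid}  {req.text}")
```

The point of the structure is traceability: every row in the plan names the requirement it came from, so a failed check maps directly back to the security requirements document, and the same plan can be re-run after remediation. In practice the two constructed responses would be replaced by responses captured from the real application (e.g. through a proxy), and the plan would be extended with the requirements specific to that application.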