[Owasp-singapore] Question on Application Security Assessment

Stephen Craig Evans stephencraig.evans at gmail.com
Mon Apr 13 01:41:50 EDT 2009


Hi Ruel,

I would remove "Develop Security Test script (based on security
requirements)"; developing a test plan is OK but I've never developed
any scripts in the 5+ years that I have been doing this stuff.

Your list is very comprehensive but what you will actually do is
dependent on what the development team has done and can provide you.
Rarely do security requirements exist but you can make a check list
via interviews and from company security policies, guidelines, and
procedures (if they exist).

At the very least, a pentest is done. If you have a checklist of
security requirements, then a pentest becomes a security assessment
(the 2 terms are used almost interchangeably in APAC, along with "risk
assessment" which you want to avoid like the plague :-)

Of course, if the code is available then do a code review if time permits.

Threat modeling is something every good pentester does mentally for
preparation, but be careful about committing to a written threat model
- it's very time-consuming.

To sum it up, it all depends on the time you have and what your
company wants to do. If you have a year or more, take a look at the
OWASP SAMM project (software maturity model) headed up by Pravir
Chandra.

Hope this helps,
Stephen

-- 
http://www.linkedin.com/in/stephencraigevans
2009/4/13 spawn of soul calibur <ruel555 at hotmail.com>:
> Hi All,
>
> Need some help from the experts as I'm relatively new to Application
> Security. I'm also a relatively new member of OWASP Singapore and the Security Meet
> Up group. Though not as active as I would like to be, I am following the discussion
> in the mail group intently.
>
> Anyway, I need some input from the experts here on doing a security assessment
> of an existing application. I have created a framework which mainly comes
> from the OWASP Testing Guide version 3. See below. Any comments/feedback or
> suggestions? Please HELP!!!! As I want to make this assessment a success.
> Not to mention that this could mean a make or break for my career in the
> company.
>
> Regards,
>
> Ruel Montallana
>
> Information Gathering
>
> Documentation review (support documentation, design or blueprint,
> architecture, code) - Gathering all available documentation and ensuring
> that it has been updated. This is to ensure that support of the
> application can be done even without the principal support or developer.
> Moreover, by reviewing all artifacts/documentation we will be able to
> identify potential vulnerabilities or attack vectors.
>
> Technology review (all technologies used, including linkages to
> other systems, and versions of technology) - Identifying the technologies used
> (e.g. language, version, etc.). This is to ensure that the application is
> able to adapt to changes in technologies, etc.
>
> Security Requirements - The security requirements will help in identifying
> and eliminating potential application vulnerabilities and security flaws.
> They are designed to address known application vulnerabilities. The security
> requirements will also form the basis of the security test plan.
>
> Threat Modelling (identification of threat vectors) - This is used to
> identify the threat vectors of an application, meaning the reasons for
> attack and the methods that an attacker would use to identify
> vulnerabilities or threats in the system.
>
> Code/Functionality walkthrough - Walkthrough of the main code
> elements/functionality. This will help all stakeholders understand the main
> code elements and identify areas where extra security should be implemented.
> This will also show if there are unnecessary code elements which should and
> can be removed from the code. The purpose is not to perform a code review,
> but to understand at a high level the flow, the layout, and the structure of
> the code that makes up the application.
>
> Formal Security Testing
>
> Develop Security Test script (based on security requirements) - Developing a
> test plan based on the identified security requirements.
>
> Security Testing - Validating that the security requirements have been
> implemented appropriately.
>
> Penetration Testing - This is a method of evaluating the security of an
> application by simulating an attack. The process involves an analysis of the
> application for any weaknesses, technical flaws, or vulnerabilities. Will be
> focusing on testing the OWASP Top 10 Vulnerabilities.
>
> _______________________________________________
> Owasp-singapore mailing list
> Owasp-singapore at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-singapore
>
>

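As an added illustration, not part of either message above and not code from Ruel's application or Stephen's practice: one way the "security requirements form the basis of the security test plan" step can be made concrete is to write each checklist item as a small, repeatable check and run it over a captured HTTP response. The three requirements (SR-1 to SR-3), their wording, and the two sample responses below are constructed for this example; a real checklist would come from the interviews and company policies Stephen describes, and the responses would be captured from the application under test.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample responses, as an assessor might record them from a test
# deployment. Neither is from a real application; all values are hypothetical.
WEAK_RESPONSE = {
    "tls": False,
    "headers": {
        "Server": "Apache/2.2.3 (CentOS)",
        "Content-Type": "text/html; charset=UTF-8",
        "Set-Cookie": [
            "JSESSIONID=1A2B3C; Path=/",
            "lang=en; Path=/; HttpOnly",
        ],
    },
}

HARDENED_RESPONSE = {
    "tls": True,
    "headers": {
        "Server": "Apache",
        "Content-Type": "text/html; charset=UTF-8",
        "Set-Cookie": ["JSESSIONID=1A2B3C; Path=/; HttpOnly; Secure"],
    },
}


@dataclass
class Requirement:
    """One line of the security-requirements checklist plus its executable check."""
    ident: str
    text: str
    check: Callable[[dict], bool]


def parse_set_cookie(line: str):
    """Split a Set-Cookie line into (cookie name, {attribute: value or True})."""
    parts = [p.strip() for p in line.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value if value else True
    return name, attrs


def session_cookies_protected(resp: dict) -> bool:
    """SR-1 (hypothetical requirement): every session cookie carries HttpOnly and Secure."""
    for line in resp["headers"].get("Set-Cookie", []):
        name, attrs = parse_set_cookie(line)
        if "session" in name.lower() and not ("httponly" in attrs and "secure" in attrs):
            return False
    return True


def no_server_version(resp: dict) -> bool:
    """SR-2 (hypothetical requirement): the Server header does not leak a version number."""
    return re.search(r"\d+\.\d+", resp["headers"].get("Server", "")) is None


def transport_encrypted(resp: dict) -> bool:
    """SR-3 (hypothetical requirement): the response was served over TLS."""
    return resp.get("tls") is True


# The checklist itself: identifiers and wording are constructed for this example.
REQUIREMENTS: List[Requirement] = [
    Requirement("SR-1", "Session cookies are set with HttpOnly and Secure", session_cookies_protected),
    Requirement("SR-2", "Server header does not disclose a version", no_server_version),
    Requirement("SR-3", "Application is served only over TLS", transport_encrypted),
]


def run_checklist(resp: dict, reqs=REQUIREMENTS) -> Dict[str, bool]:
    """Evaluate every requirement against one captured response."""
    return {r.ident: r.check(resp) for r in reqs}


def failed_requirements(resp: dict, reqs=REQUIREMENTS) -> List[str]:
    """Identifiers of the requirements the response does not satisfy."""
    return [r.ident for r in reqs if not r.check(resp)]


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        results = run_checklist(resp)
        for r in REQUIREMENTS:
            print(f"{label:9s} {r.ident} {'PASS' if results[r.ident] else 'FAIL'}  {r.text}")
```

The point of the structure is that each checklist entry carries its own check function, so the same list that goes into the written test plan is what the script executes, and the report maps one-to-one back to requirement identifiers. Each check here is deliberately a narrow, mechanical assertion; the judgement calls (which cookies are session cookies, what counts as a version leak) stay visible in the requirement text rather than hidden in the code.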
