[Owasp-singapore] [security-77] Question on Application Security Assessment

Wong Onn Chee ocwong at usa.net
Mon Apr 13 02:39:04 EDT 2009


Hi Ruel,

Can I assume that this is a web-based application?
Cos the OWASP Testing Guide will be more applicable to web-based
applications than to client-side applications.

Just want to highlight that without knowing the context and type of
application, the best that we, in the community, can do is to make
general comments, without any specific applicability. We also understand
that you can't disclose too much, hence do take what you hear from us
with a huge tablespoon of salt. ;-)

At the end of the day, you have to decide what is applicable and what is
not for your company.
That's the hallmark of a good infosec pro.

Just my 0.02.


Ruel Montallana wrote:
> Hi Frenky,
>  
> Thanks for the response. I actually created this framework with the
> intention of assessing a very important application in our company
> which will be deployed globally. Before it's deployed globally, my boss
> wanted to assess the application. It was not my intention to use this
> framework for assessing all the applications or future applications.
>  
> Regards,
> Ruel
>  
> > Subject: Re: [security-77] Question on Application Security Assessment
> > From: tjioefrenky at gmail.com
> > To: security-77 at meetup.com
> > Date: Mon, 13 Apr 2009 00:15:19 -0400
> >
> > Sir
> >
> > I do have some comments to make. But before that, I need to know your
> > purpose / aim.
> >
> > Are you a policy/procedure writer aiming for the best motherhood
> > statements?
> >
> > If you are the drafter + executor, then there are some practical
> > aspects that you need to look into.
> >
> > Regards,
> >
> > 2009/4/13 Ruel Montallana <ruel555 at hotmail.com>:
> > > Hi All,
> > >
> > > Need some help from the experts as I'm relatively new to Application
> > > Security. I'm also a relatively new member of OWASP Singapore and the
> > > Security Meetup group. Though not as active as I would like to be, I am
> > > following the discussion in the mail group intently.
> > >
> > > Anyway, I need some input from the experts here on doing a security
> > > assessment of an existing application. I have created a framework which
> > > mainly comes from the OWASP Testing Guide version 3. See below. Any
> > > comments/feedback or suggestions? Please HELP!!!! As I want to make this
> > > assessment a success. Not to mention that this could mean a make or
> > > break for my career in the company.
> > >
> > > Regards,
> > >
> > > Ruel Montallana
> > >
> > > Information Gathering
> > >
> > > Documentation review (support documentation, design or blueprint,
> > > architecture, code) - Gathering all available documentation and ensuring
> > > that it has been updated. This is to ensure that support of the
> > > application can be done even without the principal support or developer.
> > > Moreover, by reviewing all artifacts/documentation we will be able to
> > > visually identify potential vulnerabilities or attack vectors.
> > >
> > > Technology review (all technologies used including linkages being used to
> > > other systems, versions of technology) - Identifying the technologies used
> > > (e.g. language, version, etc). This is to ensure that the application is
> > > able to adapt to changes in technologies, etc.
> > >
> > > Security Requirements - The security requirements will help in identifying
> > > and eliminating potential application vulnerabilities and security flaws.
> > > They are designed to address known application vulnerabilities. The
> > > security requirements will also form the basis of the security test plan.
> > >
> > > Threat Modelling (identification of threat vectors) - This is used to
> > > identify the threat vectors of an application, meaning the reasons for
> > > attack and the methods that an attacker would use to identify
> > > vulnerabilities or threats in the system.
> > >
> > > Code/Functionality walkthrough - Walkthrough of the main code
> > > elements/functionality. This will help all stakeholders understand the
> > > main code elements and identify areas where extra security should be
> > > implemented. This will also show if there are unnecessary code elements
> > > which should and can be removed from the code. The purpose is not to
> > > perform a code review, but to understand at a high level the flow, the
> > > layout, and the structure of the code that makes up the application.
> > >
> > > Formal Security Testing
> > >
> > > Develop Security Test script (based on security requirements) -
> > > Developing a test plan based on the identified security requirements.
> > >
> > > Security Testing - Validating that the security requirements have been
> > > implemented appropriately.
> > >
> > > Penetration Testing - This is a method of evaluating the security of an
> > > application by simulating an attack. The process involves an analysis of
> > > the application for any weaknesses, technical flaws, or vulnerabilities.
> > > Will be focusing on testing the OWASP Top 10 Vulnerabilities.
> > >
> > > --
> > > Please Note: If you hit "REPLY", your message will be sent to
> everyone on
> > > this mailing list (security-77 at meetup.com)
> > > This message was sent by Ruel Montallana (ruel555 at hotmail.com)
> from The
> > > Singapore Security Meetup Group.
> > > To learn more about Ruel Montallana, visit his/her member profile
> > > To unsubscribe or to update your mailing list settings, click here
> > >
> > > Meetup Support: support at meetup.com
> > > 632 Broadway, New York, NY 10012 USA
> >
> >
> >
> > --
> > Please Note: If you hit "REPLY", your message will be sent to
> everyone on this mailing list (security-77 at meetup.com)
> > http://security.meetup.com/77/
> > This message was sent by Frenky Tjioe (tjioefrenky at gmail.com) from
> The Singapore Security Meetup Group.
> > To learn more about Frenky Tjioe, visit his/her member profile:
> http://security.meetup.com/77/members/7761652/
> > To unsubscribe or to update your mailing list settings, click here:
> http://www.meetup.com/account/comm/
> > Meetup Support: support at meetup.com
> > 632 Broadway, New York, NY 10012 USA
> >
>
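The "Develop Security Test script" and "Security Testing" steps in Ruel's framework are the part of the plan most easily made concrete. The script below is an added example, not code from anyone in this thread or from the OWASP Testing Guide: it encodes four constructed security requirements (REQ-01 to REQ-04, covering session cookie attributes, version disclosure in server banners, error-message leakage and framing protection, all areas the Testing Guide v3 covers) as checks that run over a captured HTTP response and reports pass or fail per requirement. The requirement IDs, check names and the two sample responses are this example's own assumptions.

```python
# Added example (not from the thread): a minimal "security test script" that
# turns written security requirements into automated checks run over a
# captured HTTP response, reporting findings per requirement.
# Requirement IDs (REQ-xx) and both sample responses are constructed.
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # lowercased name -> [values]
    body: str = ""


def parse_response(raw: str) -> Response:
    """Parse a raw HTTP/1.1 response: status line, headers, blank line, body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: dict = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return Response(status, headers, body)


def parse_set_cookie(raw: str):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie."""
    first, *attrs = [part.strip() for part in raw.split(";")]
    name = first.split("=", 1)[0]
    flags = {a.split("=", 1)[0].lower() for a in attrs if a}
    return name, flags


# --- one check per security requirement ----------------------------------

def check_cookie_flags(resp: Response) -> list:
    """REQ-01 (session management): every cookie must be Secure and HttpOnly."""
    findings = []
    for raw in resp.headers.get("set-cookie", []):
        name, flags = parse_set_cookie(raw)
        missing = {"secure", "httponly"} - flags
        if missing:
            findings.append(f"cookie {name} lacks {', '.join(sorted(missing))}")
    return findings


def check_version_disclosure(resp: Response) -> list:
    """REQ-02 (configuration management): no product versions in banners."""
    findings = []
    for header in ("server", "x-powered-by"):
        for value in resp.headers.get(header, []):
            if re.search(r"\d+\.\d+", value):  # e.g. "Apache/2.2.11"
                findings.append(f"{header} discloses version: {value}")
    return findings


def check_error_leakage(resp: Response) -> list:
    """REQ-03 (error handling): error bodies must not expose stack traces
    or database error text."""
    patterns = [
        r"Traceback \(most recent call last\)",
        r"\bat [\w.$]+\([\w]+\.java:\d+\)",
        r"You have an error in your SQL syntax",
    ]
    return [f"body matches {p!r}" for p in patterns if re.search(p, resp.body)]


def check_framing_protection(resp: Response) -> list:
    """REQ-04 (clickjacking): HTML responses must carry X-Frame-Options."""
    ctype = " ".join(resp.headers.get("content-type", []))
    if "text/html" in ctype and "x-frame-options" not in resp.headers:
        return ["no X-Frame-Options header on an HTML response"]
    return []


TEST_PLAN = [
    ("REQ-01", check_cookie_flags),
    ("REQ-02", check_version_disclosure),
    ("REQ-03", check_error_leakage),
    ("REQ-04", check_framing_protection),
]


def run_test_plan(raw_response: str) -> dict:
    """Run every check; return {requirement id: findings} (empty list = pass)."""
    resp = parse_response(raw_response)
    return {req_id: check(resp) for req_id, check in TEST_PLAN}


# Constructed sample responses: one before hardening, one after.
WEAK_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.2.11 (Unix)\r\n"
    "X-Powered-By: PHP/5.2.9\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=3f9a1c; Path=/\r\n"
    "\r\n"
    "<html>You have an error in your SQL syntax; check the manual</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: PHPSESSID=3f9a1c; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>An error occurred. Reference: 7c2e</html>"
)

if __name__ == "__main__":
    for label, raw in (("before", WEAK_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(f"== {label} hardening ==")
        for req_id, findings in run_test_plan(raw).items():
            print(f"  {req_id}: {'PASS' if not findings else 'FAIL ' + '; '.join(findings)}")
```

The point of the structure is traceability: each finding maps back to a numbered requirement, which is what turns raw scanner output into evidence that a requirement has, or has not, been implemented. In real use the response would come from a test client against the application under assessment rather than a string constant, and the check list would be derived from the project's own security requirements.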


