
Re: [WEB SECURITY] WEB applications testing methodology



Hi Luis:

Your comment "something beyond penetration testing" piqued my interest.

In the information security industry (if there is such a thing), it is my experience that marketing efforts have blurred the lines so that you really need to read the fine print if you've got an information risk assessment, system security evaluation, penetration test, posture assessment, vulnerability scan, automated source review etc. in front of you.

The NSA has a framework that nicely defines the processes involved with assessment and evaluation work as well as red-team work (see outline below) from:
http://www.nsa.gov/ia/industry/education/info_assess.cfm?MenuID=10.2.4.2


In my experience the NSA courses are useful background but can also be a way to separate the hobbyists from the serious application security people.
If you're looking for specific technical expertise, you might be better served by seeking that particular technical talent, for example an Oracle security expert or a Python coder or whatever fits your situation.




Mat Caughron, CISSP  NSA-IAM/IEM
(408) 910-1266




Vulnerability Discovery Triad:

    * ASSESSMENTS (Level I)
          o Cooperative High Level Overview
          o Information/Mission Criticality Analysis
          o Includes Policy, Procedures, and Information Flow
          o No hands-on testing.

    * EVALUATIONS (Level II)
          o Hands-on process
          o Cooperative Testing
          o Diagnostic Tools
          o Penetration Tools
          o Specific Technical Expertise.

    * RED TEAM (Level III)
          o Non-Cooperative
          o External Penetration Tests
          o Simulation of Appropriate Adversary.

INFOSEC Assessment Three-Phase Process

    * Phase I (Off Site)
          o Categorize and Define Value of Information
          o Identify Systems and Boundaries
          o Collect System and Security Documents
          o Generate Assessment Plan
          o Team Assignment and Coordination

    * Phase II (On Site - The Assessment)
          o Analysis of INFOSEC Posture (18 Baseline INFOSEC Categories/steps)
          o Level 1
                + Document Review
                + Interviews
                + System Demonstrations
          o Level 1+
                + Non-Intrusive Scans
          o Exit Brief: Strengths and Weaknesses


    * Phase III (Off-Site)
          o Generate Analysis and Report
          o Completed 45-60 days after Phase II
          o Proprietary to customer.



On Tue, 15 Jan 2008, Luis Matus wrote:
Hello, I would like to know if there is a WEB applications testing
methodology that you would suggest.

I have found an interesting article in penetration testing for Web
applications at: http://www.securityfocus.com/infocus/1704, but I am
looking for something beyond penetration testing.

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
