October 13th, 2003, 01:00 AM
Application Security Assessment Methods
The pen-test mailing list @ securityfocus has been recently buzzing with a plethora of information regarding web-application penetration testing.
A lot of people apparently are interested in the methodology on how "to conduct a successful application security assessment."
A brief paper has been prepared to "better assess the security of an application - without the overhead of a complex methodology."
It's a good read for consultants, security professionals, and fellow AO'ers. Take a look at it when you have the time (it's very comprehensive).
It's 106 miles to Chicago, we've got a full tank of gas, half a pack of cigarettes, it's dark and we're wearing sunglasses.
October 13th, 2003, 04:44 AM
October 13th, 2003, 05:09 AM
*grumble* these kinds of things really bug me.
On the one hand, it does what it sets out to do very well. If you are wishing to review web application security it is an excellent resource. However, the very fact that it is good is what makes it so terrible! Have I confused you yet?
This makes people think, with such an extensive resource, that application security is a viable route to take when high security is concerned, and this is an utter falsehood. You can have applications that are riddled with bugs and exploits that will still be more secure than highly hardened apps if you follow one simple principle: limit what the application can do.
Each level of a system should be secured by the level above it, and this security should be monodirectional. For example, the web server can affect the security of the web app, but not the other way around.
The web server secures the web app. The web server compartment secures the web server. The operating system secures the web server compartment. The security kernel secures the operating system.
This is a correct security model, leaving only transactions and covert channels to worry about.
I have attached a document that discusses how this type of model would have prevented apache.org from being owned in an attack a few years back.
The sad thing is that most of you will not have the chance to work with such systems so for you, the topic link is an excellent resource. I just figured some of you might want to look beyond.
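As an added illustration of the post's point (this is example code written for this page, not something from the thread or its attachment, and every name in it is hypothetical): a deliberately buggy application handler that concatenates user input into a file path is run once against an unconfined filesystem view and once against a view that the enclosing layer confines to a single directory. The bug is identical in both runs; only the layer above the app decides whether a traversal or a planted symlink escapes. The directories, files and "secret" are constructed in temporary storage so the script runs offline.

```python
"""Added example: the layer above the app limits what the app can do.
Hypothetical names throughout; nothing here is from the original post."""
import os
import tempfile


class UnconfinedFS:
    """What the app gets when nothing above it enforces a boundary."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def read(self, relpath):
        path = os.path.realpath(os.path.join(self.root, relpath))
        with open(path, "rb") as f:
            return f.read()


class ConfinedFS:
    """Read-only view of one directory, built by the enclosing layer.
    The app never chooses a real path; every name it supplies is resolved
    (symlinks followed) and must land inside the root or it is refused."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def _resolve(self, relpath):
        candidate = os.path.realpath(os.path.join(self.root, relpath))
        if os.path.commonpath([self.root, candidate]) != self.root:
            raise PermissionError("escape attempt blocked: %r" % relpath)
        return candidate

    def read(self, relpath):
        with open(self._resolve(relpath), "rb") as f:
            return f.read()


def buggy_app(fs, user_supplied):
    """Deliberately unvalidated: user input goes straight into a path.
    The app is the same in both runs; only `fs` differs."""
    return fs.read("pages/" + user_supplied)


def demo():
    # Constructed fixture: a document root and a secret that lives outside it.
    root = tempfile.mkdtemp()
    outside = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "pages"))
    with open(os.path.join(root, "pages", "index.html"), "w") as f:
        f.write("hello")
    secret = os.path.join(outside, "secret")
    with open(secret, "w") as f:
        f.write("s3cret")

    # Classic traversal: climb well past the root, then walk to the secret.
    traversal = "../" * 32 + secret.lstrip(os.sep)

    results = {"normal": buggy_app(ConfinedFS(root), "index.html")}

    # Same buggy app, no boundary above it: the secret is read.
    results["unconfined"] = buggy_app(UnconfinedFS(root), traversal)

    confined = ConfinedFS(root)
    try:
        buggy_app(confined, traversal)
        results["traversal"] = "allowed"
    except PermissionError:
        results["traversal"] = "blocked"

    # A symlink planted inside the root that points outside it; realpath()
    # follows it, so the commonpath check still refuses the read.
    try:
        os.symlink(secret, os.path.join(root, "pages", "link"))
    except OSError:
        return results  # platform without symlink support: skip this case
    try:
        buggy_app(confined, "link")
        results["symlink"] = "allowed"
    except PermissionError:
        results["symlink"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than on the user's string, so encoded dots, extra slashes and symlinks are all handled by the same rule; the app itself is never trusted to get this right. In a real deployment the same idea is applied with operating-system mechanisms (a dedicated unprivileged user, a chroot or container, file permissions), which are what the post means by the web server compartment and the operating system securing the layers inside them.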