Here are some general guidelines taken from my own internal testing process. I have sanitized them just a bit but this should get you going (hopefully).
1) Define application components - Example: Web front end IIS6.0, PHP enabled middleware, Oracle9is backend server farm.
2) Define the scope of use. Who will use this app? Is this an internet accessible application? What kind of data is accessible?
3) Map the mechanics of the application. User inputs, server data returned, etc.
4) Using the above information, develop an attack vector list (tainted input attacks, literal parsing of commands, etc.)
5) Have several team members (if available) design attack vectors independently. Meet and consolidate all ideas. This can include enumeration of step 1 without actually finding out. In other words, you may want to see if someone can map out your setup. This would be a bad thing given the right circumstances.
6) Carry out testing.
7) Produce a management report with a technical add on. All bases are covered this way.
8) Determine if fixes are required or additional external testing is required.
9) Repeat the process if necessary.
--TH13