Application Security testing focuses on identifying application and configuration vulnerabilities that could lead to security issues. The goal of the review is to identify as many potential security vulnerabilities as possible.
Planning consists of a kickoff meeting, held as a conference call with the client, to go over the process. The general rules of engagement will be discussed and the process for the application assessment will be finalized, as will the project plan for the engagement, including key milestone dates.
Independent research: Independent research will be done to acquire information about the application, primarily on the Internet. This research will provide an overview of the application's functionality and of any vulnerabilities associated with it.
Manual and Automated Testing: Testing of the server and application will use automated commercial application assessment tools as well as other freeware tools. The testing methods will include looking for known vulnerabilities in the Web application as well as using simulated attacks (excluding Denial of Service attacks) to find weaknesses. Some of the discovered vulnerabilities will be analyzed further using manual procedures.
Vulnerability Research & Analysis
Using the information gathered by the automated and manual testing, vulnerabilities will be researched using commercial databases and Internet sites containing relevant vulnerability data.
A remediation assessment of the application will be conducted after the recommendations from the original assessment have been implemented. The remediation test phase will focus on determining whether the original vulnerabilities have been eliminated.