Application Assessment
Application security assessment is a unique area of assessment and penetration testing. Unlike infrastructure-based assessments, the methodology used by a security professional to identify security vulnerabilities and significant issues is highly dependent upon the type of application being assessed.
Although several high-level methodologies exist (and some guides can be pretty comprehensive), they are often not generic or versatile enough to cope with the wide variety of custom applications commonly encountered. Many methodologies used by professional security assessment organizations are, in fact, highly guarded.
The applications are generally subjected to the following groups of tests:
- Inspection of application validation and bounds checking for both accidental and mischievous input.
- Manipulation of client-side code and locally stored information such as session information and configuration files.
- Examination of application-to-application interaction between system components such as the web service and back-end data sources.
- Discovery of opportunities that an attacker could utilize to escalate their permissions
- Examination of event logging functionality.
- Examination of authentication methods in use for their robustness and resilience to various subversion techniques.
Whether it is a web-enabled client-server application or a tiered compiled application, the methodology actually implemented by the security consultant to assess the security of all client-side functionality will also be subject to the consultant's own experience and skill set.