Application Assessment

Application security assessment is a distinct area of assessment and penetration testing. Unlike infrastructure-based assessments, the methodology a security professional uses to identify security vulnerabilities and significant issues is highly dependent upon the type of application being assessed.

Although several high-level methodologies do exist (and some guides can indeed be quite comprehensive), they are often not generic or versatile enough to cope with the wide variety of custom applications commonly encountered. Many methodologies used by professional security assessment organizations are in fact highly guarded.

In general, applications are normally subjected to the following groups of tests:

  • Inspection of application validation and bounds checking for both accidental and mischievous input.
  • Manipulation of client-side code and locally stored information such as session information and configuration files.
  • Examination of application-to-application interaction between system components such as the web service and back-end data sources.
  • Discovery of opportunities that could be utilised by an attacker to escalate their permissions.
  • Examination of event logging functionality.
  • Examination of authentication methods in use for their robustness and resilience to various subversion techniques.
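As an added illustration of the first group of tests (validation and bounds checking against both accidental and mischievous input), the following Python is example code written for this page, not code from the original text or from any particular assessment methodology. It shows a defender-side validator for two hypothetical form fields ("username" and "quantity", with assumed length and range limits) alongside a small probe harness of the kind an assessor would use to record which inputs the validator lets through. All field names, limits and probe strings are constructed assumptions.

```python
"""
Added example (not part of the original page): an input validator with
explicit bounds checking, plus a probe harness that feeds it accidental
and mischievous inputs and reports any that are not handled as expected.
Field names, limits and sample inputs are all constructed for illustration.
"""
import re
import unicodedata

# Assumed policy for a hypothetical "username" field: length bounds and a
# conservative character allow-list.
USERNAME_MIN = 3
USERNAME_MAX = 32
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]+")

# Assumed bounds for a hypothetical "quantity" field.
QTY_MIN = 1
QTY_MAX = 1000


class ValidationError(ValueError):
    """Raised whenever an input falls outside the field's policy."""


def validate_username(raw):
    """Return the canonical username, or raise ValidationError."""
    if not isinstance(raw, str):
        raise ValidationError("username must be a string")
    # Normalise before checking so that compatibility forms (e.g. fullwidth
    # letters) are judged by the same allow-list as plain ASCII.
    value = unicodedata.normalize("NFKC", raw)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValidationError("control characters are not allowed")
    if not (USERNAME_MIN <= len(value) <= USERNAME_MAX):
        raise ValidationError(f"username length must be {USERNAME_MIN}-{USERNAME_MAX}")
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("username contains disallowed characters")
    return value


def validate_quantity(raw):
    """Return the quantity as an int within [QTY_MIN, QTY_MAX], or raise."""
    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise ValidationError("quantity must be an integer or a decimal string")
    if isinstance(raw, str):
        # Bound the digit count before converting, so an enormous string
        # cannot be turned into an arbitrarily large integer.
        if not re.fullmatch(r"[0-9]{1,6}", raw.strip()):
            raise ValidationError("quantity must be a plain decimal number")
        raw = int(raw.strip())
    if not (QTY_MIN <= raw <= QTY_MAX):
        raise ValidationError(f"quantity must be between {QTY_MIN} and {QTY_MAX}")
    return raw


# Constructed probe sets: (label, input, expected_to_be_accepted).
USERNAME_PROBES = [
    ("normal", "alice_01", True),
    ("empty (accidental)", "", False),
    ("whitespace only (accidental)", "   ", False),
    ("wrong type (accidental)", 12345, False),
    ("overlong", "a" * 4096, False),
    ("embedded NUL", "alice\x00admin", False),
    ("embedded newline", "alice\r\nbob", False),
    ("fullwidth letter, normalised to ASCII", "\uff41lice", True),
    ("punctuation outside allow-list", "alice;--", False),
]

QUANTITY_PROBES = [
    ("normal", 5, True),
    ("decimal string", "42", True),
    ("zero (below minimum)", 0, False),
    ("negative", -1, False),
    ("above maximum", 1001, False),
    ("huge digit string", "9" * 40, False),
    ("boolean masquerading as int", True, False),
    ("non-numeric text", "12abc", False),
    ("fractional string", "1.5", False),
]


def run_probes(validator, probes):
    """Return a list of (label, accepted, behaved_as_expected) per probe."""
    results = []
    for label, value, expected in probes:
        try:
            validator(value)
            accepted = True
        except ValidationError:
            accepted = False
        results.append((label, accepted, accepted == expected))
    return results


def findings(validator, probes):
    """Labels of probes the validator mishandled: the assessor's findings."""
    return [label for label, _, ok in run_probes(validator, probes) if not ok]


if __name__ == "__main__":
    for name, validator, probes in (("username", validate_username, USERNAME_PROBES),
                                    ("quantity", validate_quantity, QUANTITY_PROBES)):
        for label, accepted, ok in run_probes(validator, probes):
            state = "accepted" if accepted else "rejected"
            print(f"{name:9} {label:40} {state:9} {'ok' if ok else 'FINDING'}")
```

The harness is deliberately symmetric: a probe that is wrongly rejected (a legitimate fullwidth name, say) is as much a finding as one that is wrongly accepted, since over-strict validation tends to be relaxed later under user pressure. Extending the probe list for a real application is the assessor's job; the validator's job is to make the bounds explicit enough that each probe has an unambiguous expected outcome.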

Regardless of whether it is a web-enabled client-server application or a tiered compiled application, the methodology the security consultant actually applies to assess the security of all client-side functionality will also depend on the consultant's own experience and skill set.