The DigiTrust Group: Los Angeles Information Security Consultants

Web Application Assessment Frequently Asked Questions For Executives

A web application assessment can dramatically improve the security of your organization by exposing vulnerabilities that put you and your customers at risk. We have created the following Frequently Asked Questions to address questions commonly asked by executives.

1. How do I know if I need a web application assessment?
2. What does a web application assessment involve?
3. Which type of web application assessment is right for me (Blackbox/Greybox)?
4. What do I get from a web application assessment?
5. An outside development firm created my web application. Should I still worry about security?
6. My outside development firm says that they have experience performing security assessments and that the security of my application is completely under control. Are they correct?
7. We (or a security company) perform vulnerability scanning against our infrastructure. Doesn’t that check for web application flaws?

How do I know if I need a web application assessment?

Web application assessments are geared towards dynamic websites. Simply put, your website is dynamic if it does not always react the same way with every visit—depending on certain conditions, the content or behavior of the site changes. One common way to spot a dynamic website is to look for places where user input is received, such as the form field depicted below.

[Figure: example web form field accepting user input]

Also, be sure to listen for technology keywords that are used in environments where web applications are used, such as Software-as-a-Service, Databases, Application Servers, Active Server Pages (ASP), PHP, and Cold Fusion.

What does a web application assessment involve?

We perform two main types of assessments against web applications: blackbox assessments and greybox assessments. Blackbox assessments mimic the perspective of an attacker with little to no knowledge of your environment. Greybox assessments combine that attacker’s perspective with a manual review of the application’s source code to gain a more comprehensive view of its security.

Which type of web application assessment is right for me (Blackbox/Greybox)?

The answer to this question depends on several factors such as previous assessment experience, the language the application was written in, the current security level of your environment and, of course, available budget. With that being said, most organizations begin with a blackbox assessment to gain a baseline understanding of their security level.

What do I get from a web application assessment?

At the end of a web application assessment, you receive a report that communicates the discovered risk in plain business language, with simple summaries and actionable management recommendations. In addition, you receive an in-depth technical report that your staff can act on immediately to begin reducing your risk.

An outside development firm created my web application. Should I still worry about security?

Absolutely. Based on our experience, some of the most flawed applications we have assessed were created by professional development firms. While they may be excellent at capturing and implementing your business requirements, security requirements are often an afterthought—if thought about at all.

My outside development firm says that they have experience performing security assessments and that the security of my application is completely under control. Are they correct?

While performing a security assessment and not finding any flaws would frankly be a first for us, we will play along. Even if the development firm—which does not specialize solely in information security—has enumerated the potential threats against your application and business, clearly defined the risk levels involved, developed clear risk mitigation plans, performed both automated and manual testing against your application for dozens of potential flaw types, and delivered a clear and concise report to management (you), it is still against best practices to have the same professionals who built your web application review it for flaws. Think of it like proofreading material you have written yourself: a second set of eyes will find the critical issues that the author passed over.

We (or a security company) perform vulnerability scanning against our infrastructure. Doesn’t that check for web application flaws?

No. Vulnerability scanning is usually a network-level activity that identifies things like missing patches, misconfigurations, default usernames and passwords, and unnecessary services. Most of these tools have no understanding of how your application is built and are not designed to assess its security. That said, there are commercial vulnerability assessment tools for web applications, but they are separate from network vulnerability testing. If it is still not clear which type of scanning is being performed in your organization, we would be happy to review the report output and tell you whether web application assessment is being properly addressed.
